Why Scammers Target LinkedIn Users – and How to Stop Them

Security tips for the four most common types of LinkedIn scams: Internet Scambusters #436

LinkedIn, the social networking site that connects business people, professionals and academics, is potentially a prime target for scammers.

Users may be relatively well-off but there’s no reason to believe they’re any more scam-savvy than anyone else!

So, in this week’s issue, we highlight the four most common types of LinkedIn scams, offer our own security tips, and show you the way to get more help from the service itself.

On to today’s main topic…

Why Scammers Target LinkedIn Users – and How to Stop Them

Although it’s small fry by Facebook and Twitter standards, the social media marketing and networking site LinkedIn is still a big fish for scammers and spammers (misspelled intentionally) — because most of its members are professionals, businesspeople and academics.

That usually means they’re relatively prosperous and on the lookout for opportunities, both mouthwatering attractions for crooks.

As one technology consultant at security vendor Sophos recently pointed out: “By using this mechanism, the criminals know they’re talking to people who aren’t 13-year-olds, but people with money in their pockets.”

LinkedIn, which has an estimated 60 million members worldwide, has taken strenuous action both to halt the scammers and to enable members to select privacy levels that offer a high degree of protection.

Even so, as any savvy Internet user knows, you can’t keep the scammers out, especially when they pose as legitimate members wanting to link up with people supposedly with the same interests as them.

With that in mind, here are the four main types of scams you might encounter on the social network site, together with tips, including guidance from LinkedIn themselves, on how to avoid getting caught.

Data Theft Malware

Towards the end of 2010, crooks aimed a new data theft program at LinkedIn users by sending a spoof email requesting recipients to accept a new contact or notifying them of new messages on their accounts.

According to network specialists Cisco, anyone who clicked on the link in the email got a brief message saying, “Please waiting… 4 seconds” before being taken to their browser home page.

That action may merely have puzzled the users, but during those four seconds a malware program known as ZeuS installed itself on their PCs, embedded itself in their browsers, and stole confidential information — including details of bank accounts and passwords.

Since many users would have received this spammed message at work, Cisco said the malware was probably also aimed at stealing commercial banking information, making it potentially extremely dangerous.

Action: As with any other type of spam, or even email messages that seem legitimate, you can avoid this malware infection by not clicking on links. Instead, go to linkedin.com via your web browser’s address bar and check contact and message details there.

LinkedIn and Plaxo Spam

The ZeuS attack was just one example of the heavy spamming that targets professionals at the likes of LinkedIn and another popular social network site, Plaxo.

Some of them link to malware sites but the majority peddle phony pharmaceuticals, where the biggest risk is that you’ll get nothing for your money, while you’ve handed over your credit card details to an identity thief.

Again, these messages are often disguised as contact requests but either contain a link to the scammers’ website or blatantly contain an ad in the body of the message itself.

It’s important to point out that such spam messages may not originate or travel within the LinkedIn system. They can be sent out at random to anyone and everyone with the knowledge that some recipients are bound to be LinkedIn members.

Action: As above — don’t click on those links! And never respond to spam messages.
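The advice in both the Data Theft Malware and the LinkedIn and Plaxo Spam sections comes down to the same rule: don’t follow links in a message that claims to come from LinkedIn. The following script, an added example rather than anything from Scambusters, LinkedIn or Cisco, shows the check behind that rule. It parses every link in a notification email and reports any whose real destination is not linkedin.com or a subdomain of it, including links whose visible text shows a LinkedIn address while the underlying href points elsewhere. The sample message body and all hosts in it are constructed for the example; the expected domain is an assumption you would set for whichever service the message claims to be from.

```python
"""Flag links in a "LinkedIn" notification email that do not lead to linkedin.com.

Added example, not code from the article or from LinkedIn. A mail filter or a
cautious reader can apply the same check before deciding whether a
"new contact request" message deserves any attention at all.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the message claims to come from (assumption for this example).
EXPECTED_DOMAIN = "linkedin.com"

# Constructed sample message, modelled on the spoof "accept a new contact"
# email described in the article. Every host and path here is made up.
SAMPLE_EMAIL = """
<p>You have a new invitation.</p>
<p><a href="https://www.linkedin.com/inbox">View your inbox</a></p>
<p><a href="http://linkedin-invitations.example.net/accept?id=42">www.linkedin.com/accept</a></p>
<p><a href="http://203.0.113.10/pls_wait.php">Accept invitation</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(target):
    """Lowercase host of a URL, or of bare text such as 'www.linkedin.com/x'."""
    parsed = urlparse(target if "://" in target else "http://" + target)
    return (parsed.hostname or "").lower()


def is_expected_domain(host, expected=EXPECTED_DOMAIN):
    """True only for the domain itself or a genuine subdomain of it.

    The comparison is anchored at the end of the host, so look-alikes such as
    'linkedin.com.example.net' or 'linkedin-invitations.example.net' fail.
    """
    return host == expected or host.endswith("." + expected)


def looks_like_address(text):
    """Visible link text that a reader would take for a web address."""
    return "." in text and " " not in text


def suspicious_links(html, expected=EXPECTED_DOMAIN):
    """Return (href, reason) for every link that should not be followed."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        text_host = host_of(text) if looks_like_address(text) else ""
        if not is_expected_domain(href_host, expected):
            reason = f"link host {href_host!r} is not {expected}"
            if text_host and text_host != href_host:
                reason += f" (visible text shows {text_host!r})"
            findings.append((href, reason))
        elif text_host and not is_expected_domain(text_host, expected):
            # href is on the expected domain but the displayed address is not.
            findings.append((href, f"visible text names {text_host!r} but link goes to {href_host!r}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"DO NOT CLICK: {href}\n    {reason}")
```

Run against the constructed sample, the first link (a genuine www.linkedin.com address) passes, the second is reported because its visible text says www.linkedin.com while the href goes to a different domain, and the third is reported because it points at a bare IP address. The article’s own advice still stands even when a filter like this finds nothing: type linkedin.com into the address bar and check your invitations there.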

Bogus Jobs and Advance Fee Scams

Once scammers and spammers are inside the system — and it’s relatively easy for anyone to join up — they can send targeted messages (see also the next item) or post bogus jobs intended to harvest personal info for identity theft.

LinkedIn is pretty fast at clamping down on these abuses, which, in the past, have included ads for bogus mystery shoppers and Nigerian 419 and advance fee scams, but it’s smart to be aware of them.

Need to know more about these particular scams? See these earlier Scambusters reports.

The Nigerian Advance Fee Scheme

How to Spot Bogus Documents and Fake Check Scams

Mystery Shoppers Scams: 7 Ways Crooks Try To Fool You

LinkedIn as a Source for Spear Phishing

As we wrote in an earlier report, Whaling? These Scammers Target Big Phish, spear phishing is a specialized form of information theft that targets specific individuals, especially senior business people (referred to as “whaling”).

Since many of them use LinkedIn, what better source of information for names and job titles?

For instance, anyone registered on LinkedIn can search the site by company name, and it returns a list of employees from that company who are members.

In one case we tried, using the name of a well-known technology company, we learned the firm had many thousands of global employees using the site, which then proceeded to list the first 100, their location and their job titles. Paying subscribers can view more — up to 700 at a time.

You can also send a message directly to any one of them, if you have a paid subscription, though LinkedIn won’t give you their email address.

Action: Hiding your personal details is an option on LinkedIn but that seems to defeat the aim of the site, which, after all, is to network, though you may consider using just the initial of your last name or even just your job title.

Just be aware that your information is there for all to see and follow our guidance about not clicking links.

And if you’ve posted your photo, ask yourself this question: Why did you do that? It’s just one more theft-worthy piece of data. It’s not likely to enhance your employability or contactability, is it?

More Tips on Avoiding LinkedIn Scams

  • Post as little information about yourself as you need to achieve your aims in being a member.
  • Be wary about unsolicited contact requests from people you don’t know. Go to LinkedIn.com and search on their name. Check them carefully, along with the names of others they’re linked to. If in doubt, don’t link.
  • Never pay for job applications or provide confidential information about yourself to a prospective employer until you’ve thoroughly checked them out.
  • Use LinkedIn’s privacy controls. With these you can turn off your activity broadcasts, decide who can see your activity, control what information others see about you and select who can view your connections. To do this, on your “Home” page, click your name at the top right of the screen and select “Settings.” Privacy controls are listed towards the bottom of the page.
  • Check out LinkedIn’s own “Top 10” security tips, Account Security and Privacy Best Practices.

If you suspect a scam on the site, report it to abuse AT linkedin.com and if you have other security concerns, you can contact the site’s customer service department.

As everyone knows by now, social networks have become prime targets for scams of all types, but especially for identity theft and spam.

The guidance we’ve provided here, though aimed at LinkedIn users, applies to most of the others too. Use it and protect yourself.

Time to close — we’re off to take a walk. See you next week.