Just when you think you and your employees have learned how to recognize and avoid a social engineering attack, the criminals have come up with another way to trick you out of your cash and your sensitive data: the fake LinkedIn profile.
A fake LinkedIn account on its own doesn’t do much. But as part of a broader phishing scheme, that fake profile can make it look like a legitimate person is behind a call or email. If it fools you into giving away banking information, login credentials, payroll records, or other sensitive data, it’s the key that unlocks a criminal’s ability to conduct funds transfer fraud or introduce ransomware into your network.
At Xantrion, we’ve spotted these fake profiles recently:
- An impostor claiming to be the HR director at a construction firm
- Someone claiming to be – and using an actual photo of – a principal at a wealth management firm
- A nonexistent person claiming to work for a wealth management firm that has no employee by that name
This is a big problem, and it’s growing. Last year alone, LinkedIn took down about 2 million fake accounts. Watch out for these warning signs:
- A model-perfect photo (it was probably stolen from a stock photo site)
- Information that’s incomplete and/or lacking specificity and detail
- Suspicious or limited work history
- Education that doesn’t match experience, or vice versa
- Small number of connections
- Most or all connections also look fake or questionable
- An obviously fake name (excessively generic, a celebrity, etc.)
- Poor spelling and grammar
If you spot a LinkedIn account you believe is fake, don’t give it the benefit of the doubt.
Weed out impostors who claim to be employees. Search LinkedIn regularly for everyone who lists you as a current or former employer. If you spot someone who’s never actually worked for you, report the profile immediately and ask for it to be taken down.
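The roster check described above is easy to automate once the LinkedIn search results have been exported. The script below is an added example, not Xantrion’s own tooling: it assumes you have already pulled the list of profiles that name your company as an employer (LinkedIn has no official employer-verification API, so the sample input here is constructed by hand) and that HR can supply a roster of current and former staff. Names are normalized (accents, case, punctuation stripped) before comparison, so that a profile reading “María Pérez” still matches an HR record for “Maria Perez”, while an initial-only name or a current/former mismatch is flagged for manual review rather than silently accepted or rejected.

```python
import re
import unicodedata

# Constructed sample data (not from the original post): profiles that list
# "Example Corp" as a current or former employer, as a reviewer might export
# them from a LinkedIn search, plus the HR roster of everyone who really worked there.
LINKEDIN_CLAIMS = [
    {"name": "María Pérez", "title": "HR Director", "status": "current"},
    {"name": "j. smith", "title": "Project Manager", "status": "former"},
    {"name": "Alex Johnson", "title": "Senior Accountant", "status": "current"},
    {"name": "Chris Lee", "title": "Controller", "status": "former"},
]

HR_ROSTER = [
    {"name": "Maria Perez", "status": "current"},
    {"name": "John Smith", "status": "former"},
    {"name": "Chris Lee", "status": "current"},
]


def normalize_name(name):
    """Lowercase, strip accents and punctuation, and split into tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z\s]", " ", ascii_only.lower())
    return cleaned.split()


def reconcile(claims, roster):
    """Classify each LinkedIn claim as 'match', 'review', or 'unknown'.

    'unknown' means nobody by that name appears in HR records at all, which is
    the case the post says to report; 'review' covers partial evidence that a
    human should confirm before reporting.
    """
    by_last = {}
    for person in roster:
        tokens = normalize_name(person["name"])
        if tokens:
            by_last.setdefault(tokens[-1], []).append((tokens[0], person))

    results = []
    for claim in claims:
        tokens = normalize_name(claim["name"])
        if not tokens:
            results.append({"name": claim["name"], "verdict": "unknown",
                            "note": "empty name; report the profile"})
            continue
        last, first = tokens[-1], tokens[0]
        candidates = by_last.get(last, [])
        exact = [p for f, p in candidates if f == first]
        # A bare initial ("j. smith") is weak evidence: surface it, don't auto-accept it
        initial = [p for f, p in candidates if len(first) == 1 and f.startswith(first)]

        if exact:
            verdict, note = "match", "name on HR roster"
            if exact[0]["status"] != claim["status"]:
                verdict = "review"
                note = (f"status mismatch: LinkedIn says {claim['status']}, "
                        f"HR says {exact[0]['status']}")
        elif initial:
            verdict = "review"
            note = f"initial-only match to {initial[0]['name']}; confirm manually"
        else:
            verdict = "unknown"
            note = "no one by this name has worked here; report the profile"
        results.append({"name": claim["name"], "verdict": verdict, "note": note})
    return results


if __name__ == "__main__":
    for row in reconcile(LINKEDIN_CLAIMS, HR_ROSTER):
        print(f"{row['verdict']:8} {row['name']:15} {row['note']}")
```

Run on the constructed data, the script accepts María Pérez, asks for review of “j. smith” (initial only) and Chris Lee (HR lists him as current, the profile says former), and marks Alex Johnson as unknown, the one profile that should be reported straight away. In practice the HR roster should also include name variants (maiden names, preferred names) so legitimate former staff are not misreported.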
Don’t help criminals pad their fake profiles with links to real people. Stop automatically accepting connection requests from people you don’t know. If they also aren’t connected to anyone else you know and their profile looks suspicious, decline the request and report it.
LinkedIn doesn’t currently have any kind of mechanism to require or even allow an employer to verify that someone who claims to work for them actually does. Until they do, it’s up to all of us to keep each other safe.