Hackers would like to join your LinkedIn network - and you'd probably accept them
Is that LinkedIn contact really who they say they are?
For many LinkedIn is a handy way of keeping up with old colleagues and maybe even finding a new job -- and many think that the bigger their network of contacts, the better.
So if a contact request comes in from a recruiter, even one they had never heard of before, many might think there would be little harm in accepting.
But what if that wasn't a recruiter, but rather a hacker using a fake profile in order to gain access to you, your contact details, and the rest of your network? In connecting you've potentially put yourself and your company at risk of being hacked, breached, or otherwise targeted by cybercriminals.
Certainly people are often more than willing to accept a request from a complete stranger to join their network on LinkedIn.
In fact, according to a survey of 2,000 people by cybersecurity researchers at Intel Security, nearly one quarter (24 percent) say they've connected to someone they don't know on LinkedIn, thus potentially allowing hackers to access to a wealth of information which could be used for spear-phishing, malware drops, and other nefarious means.
"We're opening ourselves up to the world without any real consideration with regards to who we're allowing on our network," Raj Samani, CTO of EMEA for Intel Security, told ZDNet.
Once provided with access to a person's network, malicious actors are able to gather data and research potential targets for attacks, potentially even eventually connecting up to senior executives and CEOs.
If a hacker successfully gains access to the contact details of an executive, they could potentially use the trust associated with someone in a senior position to carry out fraud and other criminal activities.
By adding an unknown contact to your network, you could help a cybercriminal close in on their real target because if people see you've connected to them, others are more likely to follow suit because of what Samani describes as "social validation" -- and it isn't just a form of narcissism.
"What they're using here is the concept that if Raj is connected to them, they must be trustworthy, so I should connect. Then following this, the vast majority of cyberattacks are actually targeting people with spear-phishing," he said, adding that these sorts of networks have given hackers an easy way of targeting individuals then through that, the corporate network.
"In the past, if you wanted to carry out an attack, you'd have to do a lot of research but now everyone is putting these things on social networks."
As a result, individuals need to be more careful about who they connect with.
"We don't want people to start not accepting connections at all, because that's bad, but just take some simple measures with regards to what you do when you get a connection request. If I received a connection request in my inbox, I probably wouldn't click on the link, but I'd look at the person: do I know them? Yes I do, that's fine, or actually I don't know them but we've got mutual connections who I trust the judgement of," said Samani.
"You wouldn't allow people into your house if you didn't trust them, so why would you allow them into your digital world?" he added.
He also suggests that the corporate employer has to take some responsibility, especially now that personal and professional online personas are becoming ever more intermixed.
"We've grown up with the concept of acceptable use policy whereby we'll tell people what they can and can't do online. But we're now in an era of social computing. In other words, there's a blur between personal and business use. So in these particular environments organisations telling people what is and isn't acceptable in regards to what you post is probably a good start," he said, also suggesting that education about cybercriminal activity is a sensible idea.
"Explain to people about the types of attacks and what criminals do, how they may go after you personally," he explained.