What If Your LinkedIn Connection Request Isn’t From Who You Think It Is?
Not everyone you encounter on LinkedIn is who they say they are. Some companies have put up advisories warning people not to deal with LinkedIn accounts from people supposedly belonging to their workforce. And while the problem has been around for a while, recent warnings from tech giant Google’s cybersecurity experts should give us pause before clicking on that “Connect” button.
One of the latest stories comes from Singapore, where state investment fund Temasek warned the public about LinkedIn profiles impersonating its employees. In its 19 March 2022 statement, reported on Today Online, the company said that these fake accounts are usually hard to tell from their real counterparts. It also made clear that while Temasek employees have LinkedIn profiles, “employees will never conduct Temasek business on such platforms”. A red flag it identified is that many of these fake profiles use generic email domains often used for personal accounts. It urged users to check whether the email domains used by these profiles are indeed used by the company.
A cursory search for “fake LinkedIn profiles” on LinkedIn itself will point to recent posts from companies such as this one for the tech company SourceSage, posted as this piece is being written. It carries the same warning and the same red flags, and even offers a way for users to verify whether a profile is indeed that of an actual employee. However, the most brazen recent example of how fake LinkedIn profiles made victims of many job seekers, including some from the Southeast Asian region, was the Madbird scandal, which was uncovered by the BBC. A fake design firm with fake employees tricked dozens of job seekers into signing up with the company. It all unravelled when someone noticed that things were not what they seemed: on Google Maps, the address the company used, with matching building photo, showed a residential neighbourhood.
The fake LinkedIn profile problem is not new, but cybersecurity watchdogs have been better at spotting it lately. Around the same time as Temasek’s revelations, Google’s Threat Analysis Group warned of a surge in fraudulent LinkedIn-related activity. This activity involves spoofed emails supposedly coming from the platform and fake LinkedIn job search results, which are often tied to spoofed company profiles. Either way, clicking on links in these emails or results will make users and other entities vulnerable to phishing attacks. The group attributed this activity to a sophisticated “financially motivated threat actor” named Exotic Lily.
As the Temasek statement said, it is hard to tell fake LinkedIn profiles from real ones. Recent research confirms this finding. A study conducted by Jason Mink of the University of Illinois Urbana-Champaign and several others, which was reported by the UK website New Scientist, found that as many as 43% of its 286 participants couldn’t tell real profiles from fake ones generated by artificial intelligence. Two major factors explain this: people just couldn’t tell them apart at first glance, and more importantly, there is some social pressure attached to clicking the “Connect” link.
So what to do about these fake LinkedIn profiles? There are several guides on the web and on LinkedIn itself written by experts on how to spot them, including red flags such as profile photos and incomplete or shady profile content. It takes a bit of practice to undo the habit of assuming that a profile on LinkedIn is indeed what it says it is, but it is worth the extra time. It all boils down to that classic piece of advice: “think before you click”.
Fake LinkedIn profile activity has been surging in recent months, say cybersecurity experts from Google.
The latest warning about these fake profiles came from Singapore state investment firm Temasek, which urged people to be careful about dealing with profiles that spoofed real company employees.
A recent study found that it was difficult for many participants to tell fake LinkedIn profiles from real ones, but with practice and knowledge of red flags, users can figure out how to do it.