The nature of LinkedIn’s professional environment facilitates communication among individuals from various backgrounds across industries. However, threat actors have been known to exploit the business networking platform for malicious aims, including intelligence gathering, identity theft and spear phishing. A number of fake profiles identified on the site have been observed targeting individuals in diverse sectors, particularly those with roles in government, cyber security and education. This type of social engineering attack is geared towards gaining personal information about a victim in order to steal their identity or exploit them for financial gain.
Tactics, Techniques and Procedures (TTPs)
Intelligence gathering via fake LinkedIn profiles is a favored strategy as it has proved much more efficient than physically dispatching spies worldwide. A common tactic uses profiles supposedly of women in headhunting firms with experience in HR management, consulting, national policy or academia, or who have a background working for a foreign think tank. Upon contact through these profiles, perpetrators seek to establish a relationship with victims and gauge their overall value in terms of the personal and professional information they could provide. High-value individuals are sometimes offered all-expense trips in exchange for travel to foreign countries or speeches.
In one instance, a LinkedIn user who maintains a LinkedIn newsletter grew suspicious after a few curiously similar profiles joined his follower count within a short period of time: all profiles presented themselves as women, had abstract banner images, listed one previous job and three known languages, and claimed to have a master’s degree. Employing some basic search terms, he eventually discovered hundreds of profiles that raised similar red flags (Figure 1). He suspects many of these profiles aimed to acquire resumes, thereby accumulating troves of personal information, or served as a means of advertising for their represented companies.
Figure 1 – August 31, 2021, Duplicate LinkedIn Profiles (Source: Bruce Johnston)
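The pattern this user noticed, several followers arriving close together with the same profile template, can be checked mechanically by anyone who keeps a list of new followers. The following Python code is an added example, not part of the original article; the record fields and the sample data are constructed for illustration and do not reflect any LinkedIn export or API.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names are hypothetical, not a LinkedIn schema.
FOLLOWERS = [
    {"name": "profile-1", "followed_at": "2021-08-30T09:00",
     "banner": "abstract", "jobs": 1, "languages": 3, "degree": "master"},
    {"name": "profile-2", "followed_at": "2021-08-30T21:30",
     "banner": "abstract", "jobs": 1, "languages": 3, "degree": "master"},
    {"name": "profile-3", "followed_at": "2021-08-31T08:15",
     "banner": "abstract", "jobs": 1, "languages": 3, "degree": "master"},
    {"name": "profile-4", "followed_at": "2021-10-02T10:00",
     "banner": "abstract", "jobs": 1, "languages": 3, "degree": "master"},
    {"name": "profile-5", "followed_at": "2021-08-30T12:00",
     "banner": "photo", "jobs": 4, "languages": 2, "degree": "bachelor"},
    {"name": "profile-6", "followed_at": "2021-08-31T07:00",
     "banner": "photo", "jobs": 2, "languages": 1, "degree": "none"},
]

def fingerprint(profile):
    """Collapse a profile to the template attributes described in the article."""
    return (profile["banner"], profile["jobs"],
            profile["languages"], profile["degree"])

def templated_clusters(followers, window=timedelta(hours=48), min_size=3):
    """Return {fingerprint: [names]} for bursts of look-alike followers.

    A burst is the largest group sharing one fingerprint whose follow times
    all fall within `window`; it is reported only if it has >= min_size members.
    """
    groups = defaultdict(list)
    for p in followers:
        ts = datetime.fromisoformat(p["followed_at"])
        groups[fingerprint(p)].append((ts, p["name"]))

    flagged = {}
    for fp, members in groups.items():
        members.sort()
        start, best = 0, []
        for end in range(len(members)):
            # Shrink the window from the left until it spans <= `window`.
            while members[end][0] - members[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = members[start:end + 1]
        if len(best) >= min_size:
            flagged[fp] = [name for _, name in best]
    return flagged
```

A flagged cluster is a prompt for manual review using the checks listed later in this article, not proof that the accounts are fake.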
An investigation conducted by the Stanford Internet Observatory uncovered more than 1,000 LinkedIn profiles whose user accounts displayed profile pictures likely generated by artificial intelligence. The investigation was conducted after one of the researchers received a message purportedly from “Keenan Ramsey” (Figure 2), whose profile picture was noticeably missing a left earring and some strands of hair and had perfectly centered eye alignment (Figure 3).
Figure 2 – Suspect Profile Header (Source: Stanford Internet Observatory/NPR)
Figure 3 – Suspect Profile Picture (Source: Stanford Internet Observatory/NPR)
On further investigation into this profile, the researcher was unable to find any trace of a “Keenan Ramsey” working at the reported place of employment or any records of her obtaining a degree from New York University, as listed in her profile.
NPR, which published the Stanford Internet Observatory findings, additionally contacted 28 universities listed in 57 of the likely fake profiles uncovered in the investigation. Twenty-one universities responded, reporting that they were unable to find “any records of the supposed graduates.”
In this particular case, many of the artificially generated profiles appeared to be used for digital telemarketing—automated profiles would send messages to users, and those who responded were redirected to a real salesperson.
In Kroll’s investigative experience, fake profiles have also been used for impersonation and identity theft. Users have found their profiles entirely duplicated by perpetrators who had sent invitations to connect, then turned around to re-connect with all the victim’s publicly listed contacts. Perpetrators are known to have used their newly adopted identity and reputation to engage in communication with the victim’s contacts to gain information or send malicious links. Additionally, in order to make initial contact with a potential victim, actors will pose as a friend of a friend by connecting with several of the target’s connections in order to appear more legitimate. Victims may be more likely to accept the request if they see the perpetrator has connections to people in their own network.
Attackers also connect with individuals to collect email addresses, telephone numbers and public information, such as interests, titles and reporting structures, to aid in spear phishing attempts. There have also been instances where an attacker looking to target a specific organization will pose as a candidate for a security position in order to gain a better understanding of the tools and protocols the organization has in place. This can aid an attacker in preparing a more tailored approach when targeting their victim.
Best Practices for LinkedIn-Related Interaction
- Connect with caution. As with all social media platforms, only befriend or connect with individuals you know personally. Should you consider connecting with an unknown contact, the following steps are suggested:
  - Review the user’s profile picture
    - Fake profiles may use stock photos, images of famous people or artificially generated headshots.
    - Google Chrome features the ability to search the web for an image’s source. This can be done by right-clicking the profile picture in question and selecting “Search image with Google Lens.” If the image is found in several stock libraries and sources across the web, the profile is likely fake.
  - Look for vague or strangely worded bios
    - Online services offer AI-generated LinkedIn summaries that may be used by perpetrators.
  - Check for complete and consistent work and educational history
    - Confirm a profile’s listed company exists through a web search
    - Malicious profiles may attempt to spark conversation by falsely claiming to have attended the same school or have worked for the same company as you.
  - Check for spelling errors, incomplete sections and low activity
  - Check a profile’s connection count
    - A low follower count should raise suspicion. Many fake profiles have been shown to have fewer than 100 connections. However, hackers have been able to purchase connections to hit the 500+ mark.
- Be cautious when responding to or interacting with messages received on LinkedIn
  - Be aware of messages from individuals promising easy money or side employment
  - Refrain from clicking links or downloading documents received on LinkedIn
  - Never share personal banking details or credit card numbers
  - Do not automatically give your resume to a contact made on LinkedIn
- If you receive a suspicious email associated with LinkedIn, do not click on any links. Instead, open LinkedIn directly in your browser or on your mobile device to check your notifications. Fake notification emails are commonly associated with phishing attempts.
- Do not share your telephone number, email address or birthday publicly on LinkedIn. Lock down your privacy settings to only display work history and education.
- Remove connections with unknown profiles. Even with a hidden contact list, connections still gain credibility and insight through a connection with you.
- Report suspicious profiles
Kroll experts have observed a rise in social engineering attacks, with a notable increase in vishing and smishing attacks. These attacks aim to gain the trust of victims to exploit them financially or to impersonate the victims and steal their identity. It is important to be vigilant on social media platforms by verifying the identity of your connections and vetting their profiles. If you think you’ve had your identity compromised by a threat actor, our Kroll experts are available to assist 24x7 via our hotlines or our contact us page.