Remember when you were a kid on Halloween? You were so excited to trick-or-treat that you couldn’t even finish your dinner. With your Halloween costume on, you were ready to go out with your friends and get all the candy you could. Think about the advice you likely heard from your parents before leaving the house. Perhaps it was something like “only go to the houses of people you know,” or “stay in your own neighborhood.” The one I recall clearly was “don’t eat any suspicious candy, no matter how good it looks” and “let us check your candy before you eat it.” What was the point of all that advice from our parents? The point is this: not everyone in the world has your best interests in mind, and a little diligence can help keep the fun times fun. Even though we heard the advice, it was also tempting not to follow it. Of course, it doesn’t do anyone any good to live your life in irrational fear, but it is good to be a little skeptical and diligent, especially when it comes to social media or trick-or-treating.

Social media is also territory for social engineering. Many of the same cautions we hear regarding social engineering can apply to social media, as well. Recently, a friend of mine had her LinkedIn account duplicated. Someone made a fake account to appear as my friend, when my friend already had a real account on LinkedIn. The duplicate account looked very convincing, but there were two things that quickly caught my attention: there was no profile picture, and I was already connected to that person. So rather than just assuming there must be a good reason for reconnecting, accepting the invite and moving on with my day, I did a search on LinkedIn for this person’s name. Sure enough, there were two accounts for this person: the real one and the fake one. A scary part of this example was that there must have been at least 30 people connected with this fake account.

Many of these people who connected with the fake account are also people I know, and most should have known better. But who am I to judge? After all, I had just accepted a fake Facebook request a few months before. It’s true. I also experienced this same exploit on Facebook with another friend when I received a friend request from someone I was already friends with on Facebook. Thinking my friend must have accidentally unfriended me and was just reconnecting, I accepted the friend request. Then, almost immediately after accepting the request, I received a chat request from the fake profile. I realized right at that moment the mistake I had made, and I knew I should have known better. I quickly unfriended the fake profile and immediately notified my friend. So, when this same tactic came up on LinkedIn, I knew better this time and I spotted it right away.

We’re all human. The human part is where we can sometimes get into trouble on social media. We are social creatures who need interaction with others, even without all the technology around us all the time. Sometimes, it can be very tempting to just go ahead and accept that invite. For example, if I get a connection request on LinkedIn from someone I don’t know, I get this nagging feeling that I just want to see more about who it is. Then I start to rationalize around my own rule about not connecting with people I don’t know (which I admit I have broken more than once). I can only explain the urge as curiosity about an interesting connection, and it’s even more tempting when the person requesting to connect has connections that I know.

Another trap is the “What’s In It For Me?” trap. We all have personal and professional motivations, and those motivations can have an effect on who we want to connect with. Maybe it’s someone from that target account you’d love to get into. Maybe it’s a recruiter who specializes in a professional area you really want to move to but to which you have limited access. Maybe it’s something as simple as you’re single and the person asking to connect is attractive. Whatever it is, do the research before connecting. If you don’t know the person but still want to take the risk of connecting, at least hop on your favorite search engine to investigate who this person is. Do they have a legitimate website? Do they know people you know? Can you reach out to a mutual contact and ask who this person is?

What’s the big deal about all this, though? I mean, what’s the big deal if I connect with a fake profile? What’s the worst that can happen? Well, that’s a good question, and I’m not sure there’s a clear answer. The answer could be ‘nothing,’ or it could be much more, such as what happened to this couple.

Consider what you are sharing on social media. How personal is it? Is there information people can use to perform a social engineering attack on you, or maybe on someone else you may know? If you’re in IT, for example, do you have listed on your profile the types of assets you’re proficient on because that’s what you have at your company? If you’re sharing information on social media about a customer you work with, can someone use that info to contact you, claim they were referred to you by that customer, and immediately gain your trust? There are thousands of scenarios here. (This article provides more on this topic).

Consider this guideline regarding suspicious things online, especially when on social media or with email. There are three questions to ask yourself: who, what and why.
- Do I know who this is coming from?
- Do I know what it is they are sending me (particularly in the case of email or messaging)?
- Do I know why they want to connect or send me something?
If you can answer all three questions, your risk is much lower. However, many people are okay with answering one or two of the questions and moving on. Take the example from earlier where I received a LinkedIn request from someone I know and was already connected to. The “who” and the “what” in this case are simple, but the “why” was odd. I knew we were already connected. So, why was I receiving this request? Then I reached out via an already established form of communication I have with that friend – email.

This leads me to the second part of this: use established forms of communication for validation. That means if I receive a suspicious request from someone I know, for example, I can use a trusted form of communication I already have with them to validate the request, such as email, text message, or phone.

How about a second example? Let’s take malware. It may scan your address book and send itself out to your friends and colleagues. Since you would know who sent you the email or information, you may be tempted to open it. Maybe it looks like they sent you some vacation photos. You know who sent it and what it is, but you’re stuck on the “why” part. A quick email through established communication methods may result in your friend letting you know they did not send you any pictures, and you may have just saved yourself an infection.

As I’m writing this, I looked at my LinkedIn and I have a request sitting there from someone I don’t know. What strikes me as odd is that their first name is in all caps. They are also connected with a few people I am connected with, but only a few. So, I’ll ask the three questions: who, what, and why. I don’t know the “who” or the “why”... delete.

I see LinkedIn requests here and there from profiles I can tell are fake, but what struck me was when I recently had seven in one day. Here are some thoughts on how to handle connection requests on LinkedIn, especially when it comes to people you do know.

Take a moment to click on their profile. Does the profile look legitimate? Does it look complete? Is the person connected with a lot of people, and more importantly, are they connected to people you know? Does their profile have a lot of “skills and endorsements” from other people? If you don’t know what that is, take a quick look at your own LinkedIn profile page. Scroll down to a section called “skills and endorsements.” See all the people in there who have endorsed you for skills (hopefully)? A legitimate profile will be more likely to have a lot of endorsements because this person’s profile is connected with a lot of other legitimate people they know. A profile with a picture is also a good sign.

You may also hear people advise that even if you don’t want to be on LinkedIn or other social media, it can be good to make a profile anyway. Why? Because if you don’t, someone else could pose as you more easily. It’s much easier to catch a duplicate when there are two profiles for the same person, but it’s much harder to spot a fake profile when the real person has not created their own profile.

The last thing I’d want to do is scare people off of social media. Just remember to use some due diligence. Be careful with whom you share your phone number, your email, information about your kids, your account numbers, where you let your kids go after school, and where they trick-or-treat. Just use some of that same due diligence with what you’re doing on LinkedIn and elsewhere online. May you get all treats, and no tricks.