Fake LinkedIn invitations are one of the most effective methods of getting a human to click a malicious link.
This is a phishing attack (or, when aimed at a specific person, a spear-phishing attack). It works because who doesn’t want to push their LinkedIn connection count up to that magical 500+? Plus, LinkedIn is arguably the most reputable of the social networks, and that reputation is exactly what gets exploited.
Additionally, LinkedIn is a business-oriented site, so much of its use happens on a computer attached to a corporate network, and that is a far more valuable target to an attacker than a lone personal computer.
The Attack
You receive an email, “Let’s connect!”
It looks like a real, and safe, LinkedIn invitation.
Click “View Profile” > the link goes to a fake site (the button says LinkedIn, but the actual link target is somewhere else) > where malware is waiting > it’s installed on your computer > now the attacker has a foothold on your machine > and potentially on the corporate network it’s attached to.
The Defence
I rely on two things: my gut, and LinkedIn’s own invitation list (note that this method is not 100% fail-safe).
1 – Hmm, I have never heard of this person, and something about the name or company makes my gut say wait.
2 – I open a new browser window, type LinkedIn’s address myself (never via the link in the email), go to Invitations, and check whether the same name is on my list there.
If yes: click around to verify the identity, check for connections in common, and do plenty of Googling.
If no: the invitation did not come from LinkedIn; delete the email.
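A third check that can be scripted, added here as an example and not part of the original post: rather than trusting the button text, save the suspicious email and read out where its links actually point, flagging any that do not land on LinkedIn’s own domain. The trusted domain and the sample “Let’s connect!” message below are assumptions constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: a genuine invitation link lands on linkedin.com
# or one of its subdomains. Adjust if your own mail shows otherwise.
TRUSTED_DOMAIN = "linkedin.com"

# Constructed sample of a fake "Let's connect!" invitation (not a real message).
# The "View Profile" button text looks right; the href is a lookalike host.
SAMPLE_EML = """\
From: "LinkedIn" <invitations@linkedin.com>
Subject: Let's connect!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Jane Doe would like to connect on LinkedIn.</p>
<a href="http://www.linkedin.com.example-evil.net/view">View Profile</a>
<a href="https://www.linkedin.com/help">Help</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg):
    """Return the text/html part of a parsed email, or "" if there is none."""
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part else ""


def is_trusted(url):
    """True only if the URL's host is linkedin.com or a subdomain of it.

    A suffix match on the *host* is what catches lookalikes such as
    linkedin.com.example-evil.net, which a naive substring check would pass.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def audit_invitation(raw_eml):
    """Return (visible text, href, verdict) for every link in the message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    collector = LinkCollector()
    collector.feed(html_body(msg))
    return [
        (text, href, "ok" if is_trusted(href) else "SUSPICIOUS")
        for href, text in collector.links
    ]


if __name__ == "__main__":
    for text, href, verdict in audit_invitation(SAMPLE_EML):
        print(f"{verdict:10} {text!r} -> {href}")
```

The point of the host-suffix check is that a display name, a From: header and even the start of a URL can all be made to say “linkedin.com”; only the registered domain of the link’s host tells you where a click would really go.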
***
Don’t be shy about asking for clarification or proof of identity; reply with “do I know you, and how?” (through LinkedIn’s own messaging rather than by replying to the suspicious email, which only confirms to the sender that your address is live).
And always listen to your gut; it’s the best defence against social engineering.