KeriBlog

Cars, Security & a Peek into my Life


LinkedIn Invites are Great for Spreading Malware

Mar 26 2014

Fake LinkedIn invitations are one of the most effective methods of getting a human to click a malicious link.

This type of attack, a phishing attack (or, when more targeted, a spear phishing attack), works because who doesn’t want to increase their LinkedIn number up to that magical 500+? Plus, LinkedIn is maybe the most reputable of all the social media networks, and that reputation is exploited.

Additionally, LinkedIn is a business-oriented social media site, so most use occurs on a computer attached to a corporate network. And that’s more valuable to a thief than a lone, personal computer.

The Attack

You receive an email, “Let’s connect!”

It looks like a real, and safe, LinkedIn invitation.

Click on “View Profile” > goes to a fake site > where a virus / malware / etc is waiting >  that’s then installed onto your computer > now the attacker has a way into your machine > and potentially the corporate network it’s attached to.

The Defence

I rely on 2 things – my gut, and LinkedIn’s security (note this method is not 100% fail-safe.)

1 – hmm, I have never heard of this human, and something about the name / company makes my gut say wait….

2 – I open a new browser, go to LinkedIn > Invitations > is the same name on my list there?

If yes: click around to verify identity, check for connections in common, and lots of Googling.

If no: delete the email.

***

Don’t be shy to ask for more clarification, proof of identity, reply with “do I know you, and how?”

And always listen to your gut, the best defence against social engineering.

 

 


Filed Under: Security Tagged With: linkedin, phishing, social engineering, social media security, spear phishing


Copyright © 2007-2015 KeriBlog.com All rights reserved. Advertising / Privacy Policy / Contact