Networking with the enemy: why LinkedIn connection requests should be handled with care
Mon 26 November 2018 - 9:38 amManagement
Are you a busy corporate type who can’t remember how you managed to forge new connections back in the analogue era when broadening your circle meant exchanging business cards after an industry lunch? Or a digital native for whom the words ‘business networking’ and LinkedIn are synonymous?
Australians have taken to the Microsoft-owned LinkedIn platform with gusto in recent years. Launched in the US in 2002, the site now has eight million registered users in Australia; 4.2 million of whom log in every month, according to Social Media News.
But while the site offers unparalleled opportunities to search for jobs, spruik your wares, position yourself as a thought leader and rub virtual shoulders with others in your industry, bigger isn’t always better, when it comes to creating a cyber-network of contacts.
In fact, the reverse. Accepting connection requests without any form of introduction from strangers with whom you’ve have no prior contact, online or in real life, can be fraught with danger.
I’d like to connect so I can hack your company systems and hijack your career
Not just because of the chance you’ll be peppered with irritating spam about the webinar they’re running or the services they’re spruiking, or having to bat off invitations to discuss an exciting but unspecified business opportunity.
Out-of-the-blue connection requests can be the first step in a social engineering campaign; the object of which can be to harvest your credentials, part you from your own or your employer’s cash or steal sensitive corporate data to which you have access.
The term ‘social engineering’ refers to the use of deception to manipulate individuals into breaching security practices or divulging personal or confidential information which the perpetrator can use for financial gain.
The practice has become more prevalent in recent times, as hackers and cyber-criminals twig to the fact that individuals are often the weakest link in an organisation’s security strategy.
A skilfully orchestrated social engineering campaign can be easier and cheaper than attempting to hack increasingly well protected corporate systems and databases.
And skilful they can be. Forget the classic Nigerian scam email, replete with spelling and grammatical errors, exhorting you to take immediate action or miss out on pocketing your share of a seven-figure sum – today’s social engineering attacks can be highly personalised, oh-so-plausible and months in the making.
How do they work?
Social engineers begin the process by getting to know their target. Frequently referred to as ‘Facebook for business’, LinkedIn can provide a wealth of personal and business information to assist them in this endeavour.
The site can be a highly effective ‘in’ for a couple of reasons. Most users have an implicit faith that accounts are, by and large, legitimate and that’s particularly the case if someone purports to work in a similar or related industry to their own. It can’t hurt to click Accept – can it?
Famous last words. Fraudsters and cyber-criminals are experts in the arts of social validation and credibility building; done in the hope future victims will let their guard down sufficiently to create an opportunity for them to pounce.
Consider the amount of information a new connection might conceivably garner about you, over time – the projects you’re working on, the conferences you attend, your stance on current industry issues and the contacts you interact with regularly, inside and outside your company.
Building a comprehensive profile of you, personally and professionally, is key to pulling off stage two of the operation: the sting.
It’s more likely to be successful if it’s credible and compelling and today’s savvy cyber-criminals are prepared to put significant time and effort into laying the groundwork to ensure you do fall for their beautifully timed and believable gambit.
It might come in the form of a phishing email with a malicious link, or a whaling email if you’re high up the food chain at your place of toil.
The term ‘whaling’ is used to refer to the targeting of a senior executive, typically via an email that’s official in appearance and which contains personalised or sensitive business information requiring immediate action, such as the authorisation of an urgent payment.
For added verisimilitude, phishing and whaling emails may be followed up by a phone call confirming the request.
Playing it safe
Taking an old-fashioned Stranger Danger approach to virtual networking can protect your reputation and reduce your chance of becoming ‘that person’ – the employee who compromised corporate data or cost their employer big bucks by falling victim to a social engineering scam.
Only accepting connection requests from individuals you’ve met, talked to or know by reputation is the best way to ensure your LinkedIn network is an asset, not a potential liability that can compromise your reputation and cost you and your employer dear.
Sylvain Lejeune is Vice President Sales Asia Pacific and Japan at WatchGuard Technologies.