LinkedIn faced a dilemma last month. A hacker on the dark web offered up the personal details of 700 million users of the popular social networking application—employment histories, email addresses, comments on posts, and the geolocation records attached to all of them.
But LinkedIn didn’t respond to this revelation as if the information came from a data breach, leak, or hack. Instead, the online service pointed out that the details consisted of information LinkedIn users had added to their own profiles. “We want to be clear that this is not a data breach and no private member data was exposed,” LinkedIn said in an update. “Our initial investigation has found that this data was scraped from LinkedIn and various other websites, and violates LinkedIn terms of service.”
The source of the data notwithstanding, its availability on the dark web poses serious problems for more than 90% of LinkedIn’s user base. If cybercriminals did purchase the personally identifiable details up for sale, it could become easier for them to attempt business email compromise: targeted social engineering and spearphishing scams that appear to come from a colleague, contact, or CEO.
These messages will usually ask the recipient to review an invoice, approve a charge, or execute a wire transfer. But the attachments or links instead deliver ransomware or other malware, or redirect users to malicious websites. The more legitimate a phishing email looks, and the more realistic details of a recipient’s life or work it includes, the more likely the scam will succeed. A scraped profile supplies exactly those details: employer, job title, colleagues, and location.
Two defenses follow from this. First, strengthen your security awareness training so employees can recognize and avoid business email compromise attempts. Then, carefully review the personal details you share online to protect your digital identity.
Security awareness training matters because it empowers users with valuable knowledge, opening their eyes to how cybercriminals will attempt to trick them. This type of ongoing education can serve as the first line of defense against fraud, ransomware, data breaches, and other cybersecurity issues.
The tactical goal of security awareness training is to make users stop, read, and think carefully before responding to or clicking on any links in an email, even when it looks legitimate.
If you are asked to send sensitive information via email, always obtain a second level of confirmation from the person making the request, through a separate channel: call a phone number you already have on file, or ask in person. Never use a phone number, link, or reply address supplied in the message itself, because an attacker controls those. If you’re asked to provide account logins, security codes, usernames, or passwords, consider that a red flag.
Never click on links or attachments in messages unless you are absolutely positive about the sender’s identity, the actual destination of the link (hover over it to see where it really goes), and the contents of the attachment. Again, confirm with the purported sender through a separate channel before acting.
This crucial step applies not just to emails but to questionable text messages you may receive on your smartphone that include a link you’re being urged to click on. Don’t click it if you’re not sure.
If you are hit with a spearphishing attempt, don’t respond with arguments or ripostes. You stand to gain nothing, and many times you can cause yourself more harm—responding only confirms to the spammer that you and your email address are real. Instead, document the suspicious message and contact a trusted member of your company’s IT support team. Or consider reporting email scams and phone scams to the FTC, IRS, or FBI via their websites.
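The manual checks above (who really sent this, where does the link really go, where will a reply actually land) can be scripted. The following is an added example written for this page, not code from the original article or from CMIT Solutions. It parses a constructed sample .eml and reports the classic BEC tells: a display name that smuggles in a different address than the real sender, a sender domain that is a look-alike of a trusted one (digit-for-letter swaps, a trusted name used as a leading subdomain of an unrelated site, or a one-character edit), a Reply-To that silently redirects replies elsewhere, and anchor text that shows one host while the href points to another. TRUSTED_DOMAINS, the sample message, and the confusable-character table are assumptions chosen for the demonstration.

```python
"""Header and link checks for a suspected BEC / spear-phishing email.

Added example; not the original article's code. TRUSTED_DOMAINS and
SAMPLE_EML are assumptions constructed for this demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains this organisation and its contacts legitimately use.
TRUSTED_DOMAINS = {"example.com", "linkedin.com"}

# Constructed sample: a fake CEO wire-transfer request with several tells.
SAMPLE_EML = """\
From: "jane.doe@example.com" <jane.doe@examp1e.com>
Reply-To: finance-desk@mail-relay.example.net
To: bob@example.com
Subject: Urgent wire transfer - invoice attached
Content-Type: text/html

<html><body>
<p>Bob, please review and approve this invoice today.</p>
<p><a href="http://examp1e.com.invoice-review.net/login">https://portal.example.com/invoices/4471</a></p>
</body></html>
"""

_DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
_ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize(domain):
    """Undo common look-alike substitutions (rn->m, 1->l, 0->o, 3->e, 5->s)."""
    return domain.lower().replace("rn", "m").translate(_DIGIT_SWAPS)


def levenshtein(a, b):
    """Edit distance; one character away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in trusted:
        return None
    norm = normalize(domain)
    for t in trusted:
        # Exact match after de-confusing, trusted name used as a leading
        # subdomain of an unrelated site, or a single-character edit.
        if norm == t or norm.startswith(t + ".") or levenshtein(domain, t) <= 1:
            return t
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(sender)

    # 1. Display name shows a different address than the real sender.
    embedded = _ADDR_RE.search(display)
    if embedded and domain_of(embedded.group(0)) != sender_dom:
        flags.append(f"display name shows {embedded.group(0)} but sender is {sender}")

    # 2. Sender domain is a look-alike of a trusted domain.
    target = lookalike_of(sender_dom, trusted)
    if target:
        flags.append(f"sender domain {sender_dom} imitates {target}")

    # 3. Replies are silently redirected to another domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_dom:
        flags.append(f"Reply-To {reply_to} does not match sender domain {sender_dom}")

    # 4. Link text names one host, the href goes to another (or to a look-alike).
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            href_host = (urlsplit(href).hostname or "").lower()
            text_host = (urlsplit(text).hostname or "").lower() if text.startswith("http") else ""
            if text_host and text_host != href_host:
                flags.append(f"link text shows {text_host} but points to {href_host}")
            target = lookalike_of(href_host, trusted)
            if target:
                flags.append(f"link host {href_host} imitates {target}")
    return flags


if __name__ == "__main__":
    for flag in analyze(SAMPLE_EML):
        print("RED FLAG:", flag)
```

Run against the sample it reports all five tells. The checks are deliberately heuristic: a legitimate newsletter can have a different Reply-To, and a one-character edit distance will occasionally hit an unrelated domain, so treat the output as a prompt for the out-of-band confirmation the text above recommends, not as a verdict.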
Reviewing the amount of personal information you share online isn’t quite as clear-cut. Many people consider LinkedIn the “safest” of all social media applications since it focuses on professional achievements and business connections. But attackers have still found ways to exploit the platform, abusing its messaging tool to deliver lures and scraping publicly visible details before deploying them toward nefarious ends. Below are further steps to consider when it comes to what you share online:
Protecting your accounts starts with creating strong passwords and never reusing the same login across multiple sites. Multi-factor authentication, which requires you to enter your password and then verify your identity with a second factor, is equally important. A one-time code sent by text message or email is far better than a password alone, but an authenticator app or a hardware security key is stronger still, since codes sent over SMS can be intercepted by SIM-swapping and any typed-in code can be phished in real time. The password generators included in most password management solutions can create long, random credentials you would never remember, and then store them for accounts like LinkedIn, leaving you responsible for only one master password.
Consider opting out of advertiser tracking with large platforms like Google, Amazon, Microsoft, and Apple. Browser plug-ins and online tools can help reduce the collection of your consumer data and the micro-targeting that follows. Turn off Location Services on your mobile device, or enable it only on an app-by-app basis. And consider which web browser is best for you: Firefox, from the non-profit-backed Mozilla, currently offers the strongest default data protection, while Apple Safari offers a basic level of reduced tracking compared to the most popular browsers, Google Chrome and Microsoft Edge (or the legacy Internet Explorer).
At CMIT Solutions, we understand the risks of business email compromise, spear phishing, and other digital dangers. We’ve helped thousands of clients with security awareness training while reinforcing their cybersecurity through 24/7 monitoring of laptops, desktops, servers, networks, and mobile devices.
We work hard to identify new threats and help our clients avoid them, positioning businesses across North America for sustained success. If you want to protect your digital identity, enhance cybersecurity protection, and take a more serious look at the health of your IT infrastructure, contact CMIT Solutions today.