LinkedIn users are being urged to watch out for suspicious emails because the professional networking website is one of the most popular brands targeted by cyber criminals in phishing attacks.
According to cybersecurity researchers at Check Point, who analyzed phishing emails sent during the first three months of this year, over half of all phishing attacks (52%) attempted to leverage LinkedIn.
The phishing emails are designed to look like they come from LinkedIn, but if the recipient clicks the link, they’re sent to a login page designed to look like LinkedIn, and if they enter their email address and password, they’ll be handing them to the attacker, who can use that information to log in to the victim’s LinkedIn account.
The attacks aren’t particularly sophisticated. But by targeting a commonly used service like LinkedIn, there’s a good chance that some of the recipients won’t spot that what they’re interacting with is a phishing attack.
“These phishing attempts are attacks of opportunity, plain and simple. Criminal groups orchestrate these phishing attempts on a grand scale, with a view to getting as many people to part with their personal data as possible. Some attacks will attempt to gain leverage over individuals or steal their information, such as those we’re seeing with LinkedIn,” said Omer Dembinsky, data research group manager at Check Point Software.
While LinkedIn was the most commonly spoofed brand for phishing attacks during the reporting period, it’s far from the only known company that cyber criminals are attempting to leverage in attacks. Some of the other brands cyber criminals spoof in phishing emails include DHL, Google, Microsoft, FedEx, WhatsApp, Amazon and Apple.
In many cases, the aim, like the LinkedIn attacks, is to steal usernames and passwords, although researchers warn that, in some cases, malicious links and attachments are used to deliver malware.
Cyber criminals send out mass-phishing campaigns because, unfortunately, they tend to work – people are clicking malicious links and downloading attachments. But there are often tell-tale signs that an email could be a malicious phishing message.
“Employees should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users, in particular, should be extra vigilant over the course of the next few months,” said Dembinsky.
LinkedIn provides users with the ability to use multi-factor authentication, which, if applied, can provide an extra barrier against phishing attacks.
“Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification,” a LinkedIn spokesperson told ZDNet in an email.
o look like they come from LinkedIn, but if the recipient clicks the link, they’re sent to a login page designed to look like LinkedIn, and if they enter their email address and password, they’ll be handing them to the attacker, who can use that information to log in to the victim’s LinkedIn account.
April 21, 2022
By Danny Palmer