
LinkedIn with Fraudsters? The rise of social media based cyber-fraud

LinkedIn, one of the largest social networks in the world, boasting over 400 million users, holds huge value in allowing users to connect and discover new business opportunities.

However, at the same time it can be used by hackers to steal employee personal data, to conduct email phishing campaigns and to commit various types of fraud.

Dell Computer reported that hackers, thought to operate out of Iran, created dozens of fake LinkedIn accounts posing as corporate recruiters to entice employees at telecoms, government agencies, and defense contractors to give up sensitive information including business emails. Symantec's investigation also uncovered dozens of fake LinkedIn accounts across a variety of industries used by hackers to target employees.

From LinkedIn to payment fraud

Once hackers have successfully stolen employees’ personal data, including reporting structures, titles and emails, they are able to conduct email phishing campaigns. By using company emails, hackers can pose as a senior executive, often the CFO, controller or CEO, and issue a communication directing a lower-level employee to urgently execute a financial transaction to a fraudster’s account.

Hackers can also send bogus emails to employees impersonating legitimate suppliers. Vendors’ email addresses are spoofed by adding, removing, or subtly changing characters, which makes it difficult to distinguish the perpetrator’s e-mail address from the legitimate one. The scheme is usually detected only when employees are asked to verify the transaction. According to the FBI’s Internet Crime Complaint Center (IC3), the average dollar loss per victim is approximately $55,000; however, it has received complaints reporting losses that exceeded $800,000.
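The look-alike addresses described above (a character added, removed or swapped in a supplier's domain) can be caught before an invoice is paid by comparing the sender's domain with an allowlist of known vendors. The following is an added example, not code from the original article or from Bottomline; the vendor domains and addresses are constructed, and the similarity threshold is an assumption to tune per environment.

```python
import difflib
import unicodedata

# Constructed allowlist of legitimate supplier domains (hypothetical names).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "globex.net"}

# Single-character substitutions commonly used to imitate a domain.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold Unicode and ASCII look-alikes into a canonical form for comparison."""
    folded = unicodedata.normalize("NFKC", domain).lower().strip()
    # Two-character imitations ("rn" for "m", "vv" for "w") are folded first.
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.translate(_SUBSTITUTIONS)


def sender_domain(address: str) -> str:
    """Extract the domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_sender(address: str, known=KNOWN_VENDOR_DOMAINS, threshold: float = 0.85):
    """Classify a sender as 'known', 'lookalike' (with the vendor it imitates) or 'unknown'.

    Assumed threshold: a similarity ratio of 0.85 or higher on the normalized
    domains is treated as an imitation of that vendor.
    """
    domain = sender_domain(address)
    if domain in known:
        return "known", domain
    norm = normalize_domain(domain)
    best, best_score = None, 0.0
    for vendor in known:
        vendor_norm = normalize_domain(vendor)
        if norm == vendor_norm:            # differs only by swapped look-alike characters
            return "lookalike", vendor
        score = difflib.SequenceMatcher(None, norm, vendor_norm).ratio()
        if score > best_score:
            best, best_score = vendor, score
    if best_score >= threshold:            # added or removed characters
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for addr in ("billing@acme-supplies.com", "billing@acme-supp1ies.com",
                 "ap@acrne-supplies.com", "ap@acme-supplies.co", "x@gmail.com"):
        print(addr, "->", check_sender(addr))
```

A "lookalike" verdict is a reason to hold the payment request and confirm it with the vendor through a contact detail already on file, not one taken from the email.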

Emails can also be used to infect employees’ computers with malware. For example, the Carbanak cyber gang stole $1 billion from more than 100 financial institutions worldwide by sending employees emails with a link that, once clicked, triggered the download of malware that was used to identify employees responsible for ATM software. Next, the hackers installed a remote access tool (RAT) on their computers, collected snapshots of their screens, and then used this information to dispense money remotely and transfer money to fake accounts. All of this was accomplished by initially sending supposedly legitimate emails to bank employees.

The risk of social media banking

As banks continue to compete for the best customer experience, they are becoming more forward thinking by using social media platforms to engage their customers and enhance their service offerings. For example, Turkey’s DenizBank offers their customers access to their accounts via Facebook. Kotak Mahindra Bank, one of the largest private sector banks in India, launched Kaypay, a multi-social payment app that allows customers to transfer money through social media channels.

Banks that use social media banking services are more vulnerable to brand hijacking where hackers can blatantly copy and misuse company logos and website content. Fraudsters can impersonate a business' online presence and deceive unsuspecting visitors into believing they are visiting the real organisation's website, opening them up to the risk of divulging personal information.

What’s a business to do?

Organisations that want to protect their assets and reputation need to invest in employee training to raise awareness of the risks of using social media. Employees should be instructed to adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they don’t know personally. When evaluating inquiries originating from LinkedIn, they should seek confirmation that the individual is legitimate by directly contacting the individual's purported employer. In addition, user behaviour on corporate networks and applications should be monitored to detect potential takeover of their accounts, so that suspicious activity can be identified before the damage is done.

Companies have competing priorities when it comes to social media and LinkedIn. They want to reach customers, recruit new talent and drive up online visibility. But they also have a driving need to protect their data - especially in regulated industries like banks where a data breach could cost them not only customer loyalty, but also countless dollars.

Hagai Schaffer, Cyber Fraud and Risk Management VP Marketing and Product Management, Bottomline Technologies

Image source: Flickr/Jason Howie