LinkedIn Fake Profile, Scams, And Social Media Phishing
In recent months, the social media industry has been abuzz with artificial intelligence (AI). People in general appear to be fascinated by the possibilities and promises that AI holds. But others are apprehensive about how AI can be wielded for dark and sinister purposes.
Imagine how easy it has become to misuse AI tools and social media platforms:
Step 1: Create an account on a social media platform.
Step 2: Use an AI image generator to create a unique profile picture of a person who doesn’t exist.
Step 3: Use any AI writing tool to create the profile information.
Step 4: Start social engineering, phishing, and scamming.
LinkedIn, which is often thought of as a professional social networking platform, is not immune to such inauthentic accounts and behaviors. And unfortunately, it is very easy to pose as a “fake” employee of a company on LinkedIn. We learned about this when we found a large number of profiles with fake affiliations on our own company page.
In this blog post, I share our company’s experience dealing with dubious LinkedIn profiles. This blog post will cover the following topics:
It started when we noticed that there were a number of LinkedIn profiles claiming to be the Director of IT at Jones IT. We knew that in the past, LinkedIn accounts with AI-generated profile photos were used for marketing or pushing cryptocurrencies. There were also instances of fake profiles listing major corporations as their employers so that they could apply for high-profile job openings. So, in the beginning, we weren’t overly concerned about these fake accounts since they were quite common.
But it got concerning really fast when a number of people in our business network started receiving messages from these fake accounts. When we looked at our company page on LinkedIn, we found around 23 fake Directors of IT, a Technical Advisor, and a Sales Manager, all claiming to be employees of Jones IT. On doing a bit of research, we found out that other small and medium-sized companies were also experiencing similar problems with fake LinkedIn accounts.
Unfortunately, at present, there is no employment verification process on LinkedIn. It doesn’t give company page administrators the functionality to remove fake or incorrectly associated profiles. This means that individuals can easily associate themselves with any company page, be it in error or with malicious intent, and there is very little the company can do about it.
What Have We Done So Far
The first thing we did was to report the fake accounts to LinkedIn. After the mandatory automated and canned responses, we were directed to file another complaint using the “report inaccurate employment or education information” form. Later on, we were also asked to provide a list of the names and profile URLs of our employees so that the fake profiles could be removed. And finally, we received the standard “We'll investigate your report further and act based on our results.” response.
After multiple rounds of emails and providing the requested information twice, there are still fake profiles on our company page, although fewer now. Our ability to report the profiles is also limited because, due to the privacy and profile settings of some fake accounts, we are not able to capture their profile URLs.
The issue we encountered is a common occurrence and LinkedIn is aware of it. In its transparency report for the period of January to June 2022, LinkedIn claims to have removed around 22 million fake accounts and to have detected and removed more than 87 million instances of spam and scams.
You can read more about LinkedIn’s transparency report here: Community Report.
Despite being aware of the issue and the potential harm it can pose to its users and organizations, LinkedIn’s response has been somewhat muted. We found their process for the removal of fake accounts to be slow and tedious, but more importantly, it lacked transparency.
This blog post is also part of our attempt to mitigate some of the risks associated with these fake profiles. Through this post, we want to educate our audience about the dangers of fake profiles and what you can do to protect yourself against the risks associated with them.
First, let’s establish if these profiles are indeed fake and have malicious intent.
Could these simply be cases of mistaken entries?
Yes, in some cases a LinkedIn user may make a mistake when adding their work experience/association. They may select the wrong company from the dropdown list and if the page for their company is not created, the system adds them to the next closest page.
However, it is unlikely that LinkedIn users who actively use their accounts would fail to notice a mistake in their work experience or company association. In our case, some of these profiles have reached out to other LinkedIn users within and outside our network. So, their intent is certainly malicious.
Fake profiles can pose a number of risks to businesses. The following are the most important ones:
Phishing
Fake or wrongly linked profiles can gain unjustified credibility, simply by association with a brand. Once the association is established, the malicious user can target the company’s vendors, service providers, and job seekers with phishing messages. These messages are more likely to be opened and read since a cursory glance at their profile will confirm the sender's purported association with the brand.
Catfishing
Catfishing is a common tactic used by criminals on social media platforms. In the present context, catfishing can be used for data theft, credential harvesting, and corporate espionage. Malicious actors use their fake LinkedIn accounts to befriend targeted users and then manipulate them to elicit sensitive information about their work and organization.
Brand Impersonation
Fake profiles can also be used by malicious actors to propagate fake offers, discounts, or gifts that scam your customers into handing over sensitive financial information or credentials. Such scams can severely undermine an organization's credibility, resulting in loss of customers and business opportunities.
Social Engineering
Fake LinkedIn profiles can be used to conduct reconnaissance and collect information that helps malicious actors craft their social engineering attacks. Based on the user’s activities on LinkedIn, the threat actors can choose which social engineering techniques (such as quid pro quo, scareware, or honeytraps) would be most effective in manipulating their target.
I have talked about social media risks to businesses in an earlier blog, which can be accessed here: Social Media Security Risks To Businesses And Best Practices
Here are a few red flags and tests that can help you determine if a LinkedIn profile is fake:
1. Profile Photo
The profile photos used in fake accounts are often a dead giveaway. You can easily find out whether the photo is a stock or stolen image by running a reverse Google image search.
Even if the image is AI-generated, close scrutiny will quickly reveal its source as such images still have many imperfections. Here’s an excellent article that goes over the details of how to spot AI-generated images: How to recognize fake AI-generated images.
2. Profile Content
When you are looking at profile content, it can be difficult to distinguish between fake and poorly written ones. It is not always obvious which is which.
So, what should you look for?
Look for inconsistencies in dates, education, or work experience, poorly written or incomplete profiles as well as too good-to-be-true education and work history. Any red flags you find do not necessarily mean that the profile is fake, but any suspicious content should give you pause and you should investigate further.
Another check that you can perform is built into the LinkedIn profile. In a LinkedIn member’s profile, you can click the “More” button and then select the “About this profile” option. This brings up a pop-up window showing when the profile was created and last updated and whether the user has a verified phone number or email associated with their account. Fake profiles are often recently created.
3. Network - Connections And Followers
Real profiles have connections that are consistent with their location, education, and work experience. The consistency in the number of connections and the number of followers with the experience and claimed expertise of the profile is a good indicator of whether it is fake or not. If a person claims to have worked at an organization but has no connections from that organization, then that is a definite red flag.
4. Profile Activity
The final and most important check is the activity of the profile on the platform. As we saw earlier, profiles can be created with little effort using AI tools, but profile activity and engagement take concerted effort and a considerable amount of time. Profile activity is therefore much harder to fake. So, most fake profiles have little to no activity: no content sharing, no interaction with posts, and no comments.
If there are patterns of inconsistencies across the profile photo, content, and network, as well as a lack of activity, then it is highly likely that the profile is fake.
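To show how the four checks above combine into a verdict, here is an added triage script (not part of the original post, and not a LinkedIn tool) run over constructed profile records. The data fields, the 180-day “recently created” threshold, the three-category cutoff, and the two sample profiles are all assumptions; the photo check relies on a reviewer having already done the reverse image search by hand.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Job:
    company: str
    start: date
    end: date = None             # default None means "present"

@dataclass
class Profile:
    created: date                # shown under "More" > "About this profile"
    photo_reverse_hit: bool      # reverse image search found the photo elsewhere
    jobs: list
    connection_employers: list   # employers of the profile's visible connections
    posts: int
    comments: int

def red_flags(p: Profile, today: date, min_age_days: int = 180) -> dict:
    """Run the photo, content, network and activity checks; return flags per category."""
    flags = {"photo": [], "content": [], "network": [], "activity": []}
    if p.photo_reverse_hit:
        flags["photo"].append("photo found elsewhere by reverse image search")
    if (today - p.created).days < min_age_days:
        flags["content"].append(f"account created less than {min_age_days} days ago")
    for j in p.jobs:
        if j.start > today:
            flags["content"].append(f"{j.company}: start date in the future")
        elif j.end is not None and j.end < j.start:
            flags["content"].append(f"{j.company}: end date before start date")
    connected = {c.lower() for c in p.connection_employers}
    for company in sorted({j.company for j in p.jobs}):
        if company.lower() not in connected:
            flags["network"].append(f"no connections at claimed employer {company}")
    if p.posts + p.comments == 0:
        flags["activity"].append("no posts or comments")
    return flags

def likely_fake(flags: dict, min_categories: int = 3) -> bool:
    """Call it likely fake when red flags span most of the four checks."""
    return sum(1 for v in flags.values() if v) >= min_categories

# Constructed sample data (not real profiles): a review date, a suspect and a genuine profile.
TODAY = date(2023, 4, 15)
SUSPECT = Profile(created=date(2023, 3, 1), photo_reverse_hit=True,
                  jobs=[Job("Jones IT", date(2021, 6, 1))],
                  connection_employers=["Acme Crypto"], posts=0, comments=0)
GENUINE = Profile(created=date(2015, 2, 9), photo_reverse_hit=False,
                  jobs=[Job("Jones IT", date(2019, 1, 7))],
                  connection_employers=["Jones IT", "Acme Corp"], posts=12, comments=40)
```

Running `likely_fake(red_flags(SUSPECT, TODAY))` returns True because all four categories raise a flag, while the genuine profile raises none.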
Here are LinkedIn security best practices to keep you and your network safe from fake profiles:
Curate your connections. Always verify the profile of people you connect with.
Use a unique, strong password for your account.
Enable two-factor authentication (2FA) for your account. Here’s LinkedIn’s guide to setting up 2FA for your account: Turn two-step verification on and off.
Understand LinkedIn Account and Privacy Settings and apply the strictest settings to share as little information as possible.
Learn about social media security risks and best practices.
Adhere to your organization’s social media usage policy.
Learn about social engineering techniques and how to protect against them.
Conclusion
Although LinkedIn is commonly considered an understated social platform for professional content, it is not immune to cybercrime. Like any other social media platform, LinkedIn also poses security risks to both individuals and organizations. While being on LinkedIn is a business imperative, an organization’s social media presence needs to be monitored and networking curated to adequately manage the risks.
Further Reading
Here’s a list of related blog posts for further reading on the topic:
If you liked the blog, please share it with your friends