Opus’ own ‘Ethical Hacker’ shares advice on social media requests from strangers
We all know that LinkedIn is a fantastic social media tool that helps you grow and maintain your professional network, keep in touch with colleagues and connect with new contacts that you’d like to speak to. However, when considering whether to accept a connection request from a stranger, have you ever stopped to think if this stranger could be a ‘hacker’ or a ‘bot’?
We caught up with Dave Higgs, our information security lead at Opus, to find out why you need to be vigilant when accepting requests from strangers and what checks you can make to ensure a contact is legitimate.
Why be vigilant?
“It’s great to have a far reaching network on LinkedIn, especially for those who are connecting with each other to do business”, Dave comments, “But, you should still be vigilant when accepting connections from people you don’t know, as there are Bots, Fraudsters and Hackers out there that are spreading misinformation or trying to gather information in order to exploit companies, their employees and customers.”
The issue is very real, it seems: a recent BBC article entitled ‘How your personal data is being scraped from social media’ reported how hacker Tim Liner compiled a database of 700 million LinkedIn users from all over the world, which he sold for around $5,000.
In Dave’s experience, hackers are definitely targeting businesses, their employees and their suppliers, looking for the weakest points of entry. Dave explains, “As a hacker, you would use fake social media accounts to conduct OSINT (open source intelligence) research on your target.”
The risk is that if you then fall victim to a hacker on social media, they can see more information about you than a stranger normally would, and that information can then be used to map and target an organisation for an attack.
It’s not just LinkedIn that you need to be vigilant with. Dave adds: “Information on other social media accounts like Facebook is particularly useful to a hacker when it comes to guessing/cracking passwords and so on. For example, do you have information about family members or personal information about important dates on your social media that you use to construct passwords? This is also why it’s important to use two-factor authentication on whatever accounts you can, and have a password manager.”
How do you decide whether to connect with a stranger on LinkedIn or not?
The request looks genuine and comes from someone you might want to speak to about a business opportunity; after all, they have the right job title and work in an industry you really want to crack. But how do you decide whether to accept the connection request or not?
We asked Dave, as an ‘ethical hacker’ himself, what his quick checklist is when he decides whether a connection is genuine or could potentially be a hacker. “When I receive a request from someone I don’t know, I look at their profile and go through the following:”
- Does their job role align with what I do or want to do?
- How many connections do they have?
- What is their employment / education history?
- Do they have a bio and what do they say in it?
- Have they written any posts or commented on others’ posts? If so, how many posts, how far back do they go, do their comments look genuine and are they creating meaningful exchanges with other connections?
“In my experience the last point is usually the biggest ‘Tell’ on a fake account.”
Why go through this process?
“Bots and hackers continually spin up new accounts or are managing a lot of accounts, so they are usually unauthentic and flawed in some way,” explains Dave.
“For example, they could have few connections but lots of posts that are just sharing pages or videos with no added opinions, or generic comments that are just “wow” or “look at this”, or lots of connections but posts that only go back a few months – both might be suspicious. Likewise, if a contact uses poor grammar and/or doesn’t have a bio, are they who you think they are?”
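To make the checklist above concrete, here is a small triage script written for this article as an added example; it is not code from Dave or from Opus. It models a profile as the handful of attributes the checklist asks about (connections, bio, history, posts and comments) and reports which of the ‘tells’ in the paragraphs above apply. The thresholds (50 and 500 connections, 180 days, a 70% share of generic posts or comments) and the list of generic phrases are assumptions chosen for illustration, not figures from the article or from LinkedIn, and the two sample profiles are constructed, not real people.

```python
"""Heuristic triage of an unknown connection request.

Added example implementing the checklist from the article. Thresholds
(50 / 500 connections, 180 days, 70%) and the phrase list are assumed
values for illustration, not figures from the article or LinkedIn.
"""
from dataclasses import dataclass, field
from datetime import date

# Low-effort comments that add no opinion of their own (constructed list).
GENERIC_PHRASES = {"wow", "look at this", "great post", "nice",
                   "interesting", "thanks for sharing"}

# Fixed 'today' so the date arithmetic below is reproducible (constructed).
TODAY = date(2021, 10, 1)


@dataclass
class Post:
    posted: date
    text: str
    is_share: bool = False   # True when the post only re-shares a page or video


@dataclass
class Profile:
    name: str
    headline: str
    connections: int
    bio: str
    history_entries: int                      # employment + education entries shown
    posts: list = field(default_factory=list)
    comments: list = field(default_factory=list)   # comment text on others' posts


def is_generic(text: str) -> bool:
    """True for a comment that carries no opinion of its own ("wow", "nice")."""
    t = text.strip().lower().rstrip("!.")
    return t in GENERIC_PHRASES or len(t.split()) <= 2


def assess(profile: Profile, today: date = TODAY) -> list:
    """Return the checklist 'tells' that apply to this profile (empty list = nothing odd)."""
    tells = []
    if not profile.bio.strip():
        tells.append("no bio")
    if profile.history_entries == 0:
        tells.append("no employment or education history")
    if not profile.posts and not profile.comments:
        tells.append("no posts or comments at all")
    if profile.posts:
        oldest = min(p.posted for p in profile.posts)
        # Large network but the activity only goes back a few months.
        if profile.connections >= 500 and (today - oldest).days < 180:
            tells.append("large network but posts only go back a few months")
        # Few connections but lots of share-only posts with no added opinion.
        shares = sum(1 for p in profile.posts if p.is_share and is_generic(p.text))
        if profile.connections < 50 and shares / len(profile.posts) >= 0.7:
            tells.append("few connections but mostly share-only posts with no added opinion")
    if profile.comments:
        generic = sum(1 for c in profile.comments if is_generic(c))
        if generic / len(profile.comments) >= 0.7:
            tells.append("comments are mostly generic ('wow', 'look at this')")
    return tells


def verdict(profile: Profile, today: date = TODAY) -> str:
    """Turn the list of tells into a simple recommendation."""
    tells = assess(profile, today)
    if len(tells) >= 2:
        return "decline or verify out of band"
    if tells:
        return "look closer"
    return "looks genuine"


# Constructed sample profiles (not real people).
GENUINE = Profile(
    name="A. Example", headline="Procurement Manager",
    connections=420, bio="Fifteen years buying IT services for public sector bodies.",
    history_entries=4,
    posts=[Post(date(2019, 3, 2), "Our tender process changes this year, here is why ..."),
           Post(date(2021, 6, 14), "Lessons from migrating our supplier portal.")],
    comments=["Agree, the framework clauses on liability caught us out too.",
              "We saw the same on our last renewal; happy to compare notes."],
)

SUSPECT = Profile(
    name="B. Example", headline="Senior Director, Cyber",
    connections=23, bio="", history_entries=1,
    posts=[Post(date(2021, 9, 1), "wow", is_share=True),
           Post(date(2021, 9, 3), "look at this", is_share=True),
           Post(date(2021, 9, 5), "great post", is_share=True)],
    comments=["wow", "nice", "look at this!"],
)

if __name__ == "__main__":
    for p in (GENUINE, SUSPECT):
        print(f"{p.name}: {verdict(p)} {assess(p)}")
```

Run as a script it prints a verdict and the matching tells for each sample profile; the point of the structure is that each tell maps one-to-one to a sentence of Dave's explanation, so the thresholds can be tuned without changing the checklist itself.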
Learn to use your gut instinct for when something doesn’t feel right
It seems that being your own private detective and taking the time to keep one step ahead of a potential security threat is crucial. Dave wants to make sure his connections are aware of the possible dangers in accepting invitations from people they don’t know on social media. He feels that if you start to use the process he outlines, you will build up a very good gut instinct for when something doesn’t feel right.
Do you want to make your business more secure and compliant?
At Opus we are passionate about educating people about the security risks such as the one we’ve outlined here with social media. Opus can provide you with valuable consultation services to guide you on your security journey and tools to keep all your essential data and systems secure and compliant.
Whatever you are looking for when it comes to security, Opus is here to support you with advice, training and consultation to help you identify and mitigate risks that could impact the operation of your organisation.
About Dave Higgs
Dave has over 10 years’ experience in solution design, architecture and implementation. He sits on the Opus Information Security Team as information security lead and is an Ethical Hacker.