By Neil Patrick
Inadequate cyber security has enabled an explosion of online fraud. Yesterday the BBC reported that online fraud and computer misuse is now the largest category of crime happening in the UK today. There were over 5 million cases reported in the last year and probably many more which went undetected.
Social media is the new hunting ground for criminals and fraudsters. And they are exploiting it with virtual impunity because the platforms are simply not doing enough to counter this threat to users.
Worse, police resources are just not large or capable enough to combat a problem which is often conducted from outside their jurisdictions. So we have to take care of ourselves and do our bit to protect our online friends as well.
Criminals are lurking even in places we’d not expect to find them. Like LinkedIn. Here, fake or misleading profiles are used to create aliases that are then used to commit fraud on unsuspecting victims.
Security specialists Symantec recently investigated LinkedIn. Its investigation uncovered dozens of fake accounts on the social network, across a variety of industries.
I was shocked. Not that they found some. But that they found so few. I’d expect them to do better than this because even my cursory review suggests there are not dozens of these but thousands.
Depending on the nature of the fraud intended, the fake profile will vary. Some aim to acquire sensitive intelligence information from government employees. Others have more humble crimes in mind such as phishing or email scams. But one which has had fatal consequences is sexploitation. This has already resulted in at least one suicide by the victim.
I don’t know how extensive Symantec's project was, but it took me about 5 minutes to uncover a whole heap of fake profiles without any of Symantec’s technology or resources. And I was shocked to see that the first fake profile I found had over 500 connections and a whole host of endorsements.
Meet Amber Grace Fowler and her friends:
'Amber' has absolutely nothing about herself on her profile. She's not on the staff list at the estate agents she claims to work at. She has a Twitter account which is locked. All this says to me the account is fake. Nonetheless, the account has over 500 connections and numerous endorsements for all sorts of things, and ALL of course from (dumb) men.
This is what I call a LinkedIn honeytrap. This particular fraud involves tricking unwary men into making a connection with the fake account. They are then seduced into committing sexual acts in front of a webcam, not realising they are dealing with an organised criminal gang. The footage is recorded by the criminals and then they have all they need to proceed to blackmail the victim.
You might think that anyone stupid enough to get caught like this deserves all they get. That you’d never be lured into such a trap. But it’s happening all the time. So much so that the government have invested in this film which warns of the dangers:
An increasingly common tactic is to set up a fake profile as a recruiter. Posing as recruiters, the fake accounts enable hackers to see your personal network and gain the trust of those in it.
By making these connections, criminals can entice users to give up personal details, direct them to malware-laden websites and, if they can get their email addresses, launch phishing campaigns - targeted emails that aim to steal personal information.
LinkedIn is simply not doing enough to combat this problem. When challenged about it, they said:
"We investigate suspected violations of our Terms of Service, including the creation of false profiles, and take immediate action when violations are uncovered.
We have a number of measures in place to confirm authenticity of profiles and remove those that are fake. We encourage members to utilise our Help Center to report inaccurate profiles and specific profile content to LinkedIn."
LinkedIn’s processes are clearly not working well enough to eliminate this problem. They say they ‘encourage members to report inaccurate profiles’. I’ve not once seen a message from them about this. It’s clearly something they’d rather not talk about more than they must, because it reflects badly on their platform.
So we should follow some basic common-sense rules to avoid being scammed:
- Treat all invitation requests from people you don’t know as suspicious until you are satisfied they are genuine. Look for them on other social media sites. Google them. See who else they are connected with. Only accept the invitation when you are satisfied they are genuine.
- If you are still not sure, cut and paste their profile summary into Google. This way you can see if it has been lifted from someone else’s (a common trick).
- Understand if your work makes you potentially a high-risk person. This includes if you are employed by a large organisation, including government agencies; if you have a position of seniority and influence; if you are a high net worth individual.
- Review the settings on your LinkedIn connections. In your profile privacy settings, you may choose to make your connections not visible to anyone else.
- Treat invitations to connect from alleged recruiters with caution. Few recruiters that are genuine actively seek to connect with jobseekers. They just don’t need to because they can see all they need to without actually being connected with you.
- When you encounter a suspicious profile report it to LinkedIn. They do take such things seriously and they will take action. I know because I’ve done it.
And if you need any more encouragement to improve your LinkedIn profile, this has to be it. Often the first suspicious aspect of a fake profile is scantiness of information (or clothes). Putting up information which is verifiable and credible about yourself is one way to distance yourself from those you really don't want to know or resemble.
PS. If you are, or know, Amber Grace Fowler and her profile is genuine, please let me know and I will amend this post accordingly. Otherwise I shall do my duty and report the account to LinkedIn.