Think before you link

The consequences of not thinking before linking can be professionally catastrophic; new guidance from CPNI will help users of professional networking sites navigate the risk.

Note – for obvious reasons the identity of the individuals has been disguised.

Consequences of linking before thinking

It’s easy to link before you think, at least it was for David. When Penny from an international consulting firm asked to connect on his professional networking site, he accepted. She was offering an auspicious business proposition, and he felt reassured by their mutual online contacts.

One month and many messages later, Penny suggests they switch to email communication. They exchange information on international events, and Penny exacts from David details of his expertise and insights. David is invited to an all-expenses-paid overseas trip, and he readily agrees. At the first meeting David is given a gift and a transaction is agreed: in return for his reports on geo-political events, he will be given a handsome fee. Following intervention by the Security Services, David is spared from further entanglement. However, he is not spared his employment, nor his security clearance, and he is vilified by work colleagues.

Industrial scale targeting

David is – or was – a civil servant, and he is not alone: MI5 estimates he is one of 10,000 British officials to have been targeted by hostile states on sites such as LinkedIn. And it is not just government personnel, or ex-government personnel, who are being targeted: it is professionals from every walk of life. Hostile state actors are posting malicious social media profiles on an ‘industrial’ scale to gain snippets of information from individuals relating to their work, and the industries they work in. The information hostile states gather through malicious approaches can be utilised to seek an advantage over, or even damage, the UK’s economic, technical and trading position in the world.

During the first six months of last year alone, almost 38 million fake profiles were removed on professional networking site LinkedIn.

Flattery will get you everywhere

It is easy to think that you would not be duped like David, but approaches can be very beguiling. Behavioural Science research undertaken by CPNI to inform the campaign, reveals strong parallels with romance and financial scams online. In a similar vein, the perpetrator will ground their approach in an assessment of the individual’s behaviours and circumstances, to tailor and target their messaging. And they will use a combination of charm and flattery to entice someone into a relationship with them.

Fake-out factors

However, on the positive side, there are determining factors that will help users of online professional networking sites recognise the hallmarks of a fake profile. Perpetrator profiles are a smorgasbord of fake names, photos and job descriptions. CPNI advises people to make a judgement call – “if it doesn’t look and feel right, it probably isn’t”–and to always question the legitimacy of the contact. Just because they present a company name and share contacts with you, does not mean that they are bona fide.

The four Rs

CPNI advice centres on a four-step approach:

• Recognise – look out for the hallmarks of a fake profile, check out the individual requesting the contact and the company they say they work for
• Realise – be cognisant of the threat and the ramifications of connecting with a malicious actor
• Report – if you suspect a malicious report,act on it. Report it to your security manager, professional networking site or to CPNI direct
• Remove – remove the connection from your professional network

CPNI has made two videos, ‘Glitch’ and ‘Linked’, which take the viewer through the four steps above and is encouraging organisations to run the campaign for their own workforce. The campaign materials and videos can be downloaded from the CPNI website: https://www.cpni.gov.uk/security-campaigns/think-you-link

Force multiplier effect

By following CPNI protective security advice, employees can have a force multiplier effect; increasing their own levels of awareness and protection helps embed a strong security culture in the organisation. Furthermore, the greater the awareness people have of their digital footprint and the risk of clicking on unknown links in social media and in emails, the more alert they will be to spear-phishing attempts. Understanding the consequences of compromise can also contribute to people reducing their vulnerability to scams and criminality in general.

CPNI quote: “Over the years we have honed our unique position of being able to utilise experience and intelligence from our parent organisation combined with our Behavioural Science and Technical experts to deliver practical solutions to mitigate the threats we face. By following the behaviours advocated by the campaign, individuals and organisations will play a vital role in protecting themselves as well as our sensitive assets and information from malicious actors.”

In summary

Don’t forget for every David, there’s a Penny out there; you are more interesting than you think.

Author: Head of Personnel and People Security & Insider Threat Research Centre, CPNI.  www.cpni.gov.uk