SHRM has partnered with Security Management Magazine to bring you relevant articles on key workplace topics and strategies.
In the fast-paced world of social media networking, it can be easy to click "accept" on most friend and connection requests. However, taking a bit of extra time to verify that the proposed connection is who they say they are pays off when protecting your fledgling personal brand.
Peter Warmka, founder of the Counterintelligence Institute in Orlando, warns that malicious actors are more than willing to take advantage of an employee's desire to network and build a professional reputation. They use social engineering to gather additional insight into their target, craft a campaign and launch a spearphishing effort aimed at exploiting that person's vulnerabilities, traits and motivations. Warmka also warns that social media messaging platforms are even more effective than email for landing a spearphishing message.
Social media platforms also offer features that lend malicious actors credibility at a glance. Anyone can build a fake profile that shares employers, groups or interests with the target, and the photos and credentials on that profile can convince the target that a direct message is genuinely from a fellow professional.
The goal of connecting could be to access the employee's network or collect dirt on him or her for cyberextortion, Warmka said. The malicious actor could be trying to gain access to credentials or implant malicious code in the user's device. In some cases, bad actors could be trying to get a better picture of the user's location or schedule so they could launch a physical attack.
To reduce malicious actors' access to your information, Warmka recommended switching around the classic intelligence phrase "Trust, but verify" to a more apt "Verify, then trust."
When assessing users' profiles to verify their authenticity, Warmka had a few tips:
- Never click "accept" without verification, even for people you think you recognize or who have connections in common with you.
- Review profiles as if you were hiring that person. Does something not seem quite right? Dig a little deeper.
- Conduct a reverse image search. Drop the person's profile picture into a search engine that trawls the Internet for other places the same photo appears. It may turn up on the person's genuine company site or alongside publications he or she wrote, which supports the profile. Or you may find that the image is a stock photo, or a picture lifted from someone else's account, that a malicious actor used to appear more legitimate.
- Verify that the language used in any messages seems natural. If the person purports to be American or a native English speaker, does his or her language use support that, or does it seem stilted, as though it was run through an online translator?
- Most people with LinkedIn profiles will have other entries online that help verify their details, such as a company profile, where he or she lives, publications he or she has produced, etc. These corroborating traces add to the contact's credibility. If the only thing you can find for a person's name is a single LinkedIn profile, that should be a red flag, Warmka said.
- Does the profile look too good to be true? Does that professional list an unusually large number of training courses and certifications, plus a set of previous roles that align perfectly with yours? If you are a member of any of the same associations or share any certifications with this person, check those organizations' member or credential databases to verify that he or she really has the bona fides claimed.
- Don't feel bad about rejecting connection requests. Even when you are on a mission to build up your professional profile and reputation, it's worth having fewer followers if you can keep malicious actors out of your professional network.
Claire Meyer is managing editor at Security Management. Connect with her on LinkedIn or contact her at email@example.com.
This article is adapted from Security Management Magazine with permission from ASIS © 2022. All rights reserved.