Published: June 10, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
Just to prove they mean business, the threat actor behind the LinkedIn data scraping event released two million user profiles for free on the dark web. The remaining five million user profiles are being auctioned by the hacker for an unknown amount they hinted would be a “four-digit ($$$$) minimum price.” LinkedIn says the data being sold was scraped together using information that’s already publicly available and not the result of yet another data breach. Some of that information includes full names, email addresses, workplace, job title, phone numbers, and other data that’s work related. In the wrong hands, this data can lead to highly targeted, highly effective spear phishing attacks.
Data Scraping and Spear Phishing
Data scraping is the process of gathering bits of data available from various sources, from data breaches to social media and other publicly posted platforms like LinkedIn profiles. Bad actors cobble together complete profiles on users that are valuable to those looking to exploit that information for their own gain. For LinkedIn members, this could mean harmful spear phishing attacks are on the way.
Spear phishing uses gathered information from many sources, including data scraping, for targeted email phishing attacks. These emails can target a specific individual or an organization and appear to be from a trusted source. The goal of spear phishing is often one of two main objectives: steal data for malicious purposes including fraudulent funds transfers and other theft, or install malware on a targeted user’s device. This can result in spreading ransomware and other viruses throughout a company’s data systems.
Protecting Against Spear Phishing Attacks
Educate employees of all levels to spot spear phishing and other email attacks before it’s too late. Training staffers to recognize and report attacks is invaluable since they are often the first line of defense against attackers.
Be wary of all emails, especially from those from senders you don’t know. Those addressing an individual by name and/or job title should also be scrutinized, especially if they stress urgent actions like a wire transfer are needed.
Never open attachments or follow links in an email without first verifying the sender. Place a phone call using a known and trusted phone number, a new and separate email message, or paying a visit to the sender’s desk to confirm.
Avoid posting too much information on company social media sites like LinkedIn. Being vague about job titles and responsibilities can help avoid spear phishing.
Establish verification procedures, both internally and with business banks, which require a phone call or personal meeting before a large wire transfer can be done.
Use 2FA (two factor authentication) or MFA (multifactor authentication) for vendors and employees alike. Establishing these protocols helps ensure only those who are legitimately whom they say they are can help keep bad actors from sneaking in.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at advisor@nadicent.com