How Military Members Can Steer Clear of Spear-Phishing on LinkedIn

Spear-phishers may use LinkedIn profiles to target military members, veterans and contractors with security clearances. Here's what you need to know to protect yourself.
Advertising Disclosure.

Advertiser Disclosure: Opinions, reviews, analyses & recommendations are the author’s alone. This article may contain links from our advertisers. For more information, please see our Advertising Policy.

woman scrolling social media on phone

Social and professional networking sites like LinkedIn can connect service members and military veterans with valuable opportunities – but they can also be dangerous. Military service members on the site are a priority target for cyber attacks, according to Peter Warmka, founder of Counterintelligence Institute. He worked for the CIA for over 20 years. Now, he educates people about how hackers manipulate human behavior. 

What to Know About Social Media Spear-Phishing

Service members’ LinkedIn profiles can clue foreign agents into their military responsibilities, including their access to valuable information. Anyone with a security clearance should be especially vigilant online, Warmka said, because agents seek out these profiles for “spear-phishing” attacks. 

Phishing is a technique in which a cyber attacker masquerading as a “legitimate business or reputable person” attempts to acquire sensitive information from a target, according to the National Institute of Standards and Technology’s Computer Cybersecurity Resource Center. 

Phishing attacks are often broad. Spear-phishing attacks target specific individuals, Warmka said. Ambitious attackers may also engage in “whaling” attempts to elicit information from high-level staff. 

Without realizing it, spear-phishing targets can give away information to agents impersonating authority figures, tech support or industry consultants.

“People have been conditioned to think that phishing comes in the form of these more basic attacks via email,” Warmka said. “People never see [spear-phishing] happening because they really aren’t aware of it.”

Foreign-state actors who set up spear-phishing attacks may have some information on their targets already from their social media profiles and from previous data breaches.

One such security breach occurred at the U.S. Office of Personnel Management in 2013 and 2014 revealed security-clearance information on more than 22 million people. OPM investigates security clearance applicants’ international relationships and financial status to pinpoint areas foreign agents may try to exploit. 

Another breach at Equifax in 2017 revealed credit information on more than 147 million people. Warmka said a foreign intelligence service could use details from OPM and Equifax to identify financially distressed targets and pressure or blackmail them into providing information. 

Fake Profiles Pose Cybersecurity Threats 

On LinkedIn, spear-phishers seeking to infiltrate military conversations can easily create a profile that service members could relate to based on the careers or education listed on their profiles, Warmka said. 

Through correspondence, spear-phishers can seek further information or send malware that could help them access their targets’ technology systems or credentials.  

In his presentation at the Cyber Defense Summit on Oct. 5, “Confessions of a CIA Spy – The Art of Human Hacking,” Warmka told attendees he created a fake profile in 2019 to see how many people would connect with him.

According to the avatar’s profile, she was an executive recruiter from New York. More than half the people she reached out to added her as a LinkedIn connection, amounting to more than 500 potential targets in just 15 days. 

She used highly flattering messages to entice her targets — including some senior-level security staff – to request that she forward a suspicious attachment to them. 

By 2020, Warmka said, she had around 22,000 connections.

In blog posts, Paul Rockwell, LinkedIn Trust and Safety Vice President, said the site is taking a proactive approach to preventing fake profiles and removing foreign nation-state agents from the site

The site said it removed 21.6 million fake accounts between January and June in 2019.

How to Spot a Fake LinkedIn Profile

Before you add any unfamiliar LinkedIn connections to your network, Warmka said you should first take a close look at their profiles. 

Here’s what Warmka said to do to protect yourself: 

  1. Look for signs that the contact’s profile is written awkwardly.  Many LinkedIn professionals speak multiple languages, and English may not be their primary fluency. While anyone’s profile may have English spelling or grammar issues, if you have a security clearance you should take the time to see if the rest of the profile is believable and consistent.
  2. Paste a section of a well-written summary into the LinkedIn search bar to see if it is copied from someone else’s page.
  3. Do a reverse Google Image Search for the contact’s LinkedIn photo’s URL to see if the picture belongs to someone else. You can also search for your own photo to see if anyone is reusing it.
  4. Do a Google search to see if the contact’s name and other information appear on multiple social media sites. If this is their only profile, it may be a fake one. 

Note:

Contact LinkedIn’s abuse team if you identify a fake profile or if someone attempts to send you phishing or scam messages.

“Minimize the Target” to Protect Your Information on LinkedIn

In addition to vetting profiles, Warmka recommends that service members, military veterans and cleared personnel take steps to reduce foreign-state actors’ curiosity. 

“The more people that know personal information about you, the more vulnerable we become,” Warmka said. 

“There are 3.96 billion users of social media,” Warmka said. “Potentially, these people could have access to your personal information if you’re putting it out there without any sort of privacy setting. Everything is hackable. They could recruit someone who works for LinkedIn.”

Here are some tips:

  • Don’t post your security clearance on LinkedIn. 

If you have a security clearance, Warmka said you shouldn’t advertise that on LinkedIn. If you need to talk about your clearance to network in your industry, Warmka said you should network in well-known, secure industry environments. “I believe it is much safer for individuals [with clearances] to trust sites such as ClearanceJobs or USAJobs. I would be very careful in using any other lesser-known sites, which could be set up by threat actors.”  

  • Keep personal and professional details general. 

Be careful about what information is publicly visible on their profiles to minimize their value as targets. Warmka suggests turning off settings that make your job duties visible to the public and removing all references to your deployed or overseas locations. 

  • Edit your advertising settings. 

Visit LinkedIn’s advertising settings page to further close the loop and prevent data leaks. The less data you share, the less information about you can circulate. LinkedIn shares personal information about its subscribers with a broad network of partners and advertisers. Even if LinkedIn remains secure forever, any one of the sites it shares information with could have a data breach, revealing details about your experiences or interests.

  • Adjust your data visibility and data privacy settings. 

LinkedIn allows you to define the visibility and privacy of your data, reducing the amount of information that is shared with the site and its users. At a high visibility level, the site can even tell strangers when you are mentioned in the news if you set it up to do so. If you’re deployed or working in a high-security field, Warmka said you should modify these settings to limit access, instead.

  • Leave your personal devices at home when traveling to some countries. 

Warmka said military members, veterans and cleared personnel should take extra precautions when traveling to China or Russia. While you may not be able to stay off the internet altogether during your trip, you can minimize hacking by leaving your computer and cell phone in the United States. 

“You definitely don’t have any privacy when it comes to your usage of the internet or social media in those places compared to the United States,” Warmka said.

If necessary, he said, he recommends purchasing temporary devices to use while visiting. He also said you should refrain from logging into social media until you’ve returned to the United States and can use your regular devices again.

Get Instant Access
FREE Weekly Updates! Enter your information to join our mailing list.

About Kat Friedrich

Kat Friedrich is a contributing writer for Military Wallet. During her journalism career, she has edited four magazines, three of which covered energy technology. She has written and edited books for YouthBuild, University of Wisconsin-Madison and Energy Points. Previously a mechanical engineer, Friedrich completed a graduate degree in science and environmental journalism at the University of Wisconsin-Madison. When she's not writing about news, benefits and programs for the military community, she reports on urban innovation for Smart Cities Dive.

Reader Interactions

Leave A Comment:

Comments:

About the comments on this site:

These responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.

The Military Wallet is a property of Three Creeks Media. Neither The Military Wallet nor Three Creeks Media are associated with or endorsed by the U.S. Departments of Defense or Veterans Affairs. The content on The Military Wallet is produced by Three Creeks Media, its partners, affiliates and contractors, any opinions or statements on The Military Wallet should not be attributed to the Dept. of Veterans Affairs, the Dept. of Defense or any governmental entity. If you have questions about Veteran programs offered through or by the Dept. of Veterans Affairs, please visit their website at va.gov. The content offered on The Military Wallet is for general informational purposes only and may not be relevant to any consumer’s specific situation, this content should not be construed as legal or financial advice. If you have questions of a specific nature consider consulting a financial professional, accountant or attorney to discuss. References to third-party products, rates and offers may change without notice.

Advertising Notice: The Military Wallet and Three Creeks Media, its parent and affiliate companies, may receive compensation through advertising placements on The Military Wallet; For any rankings or lists on this site, The Military Wallet may receive compensation from the companies being ranked and this compensation may affect how, where and in what order products and companies appear in the rankings and lists. If a ranking or list has a company noted to be a “partner” the indicated company is a corporate affiliate of The Military Wallet. No tables, rankings or lists are fully comprehensive and do not include all companies or available products.

Editorial Disclosure: Editorial content on The Military Wallet may include opinions. Any opinions are those of the author alone, and not those of an advertiser to the site nor of  The Military Wallet.