Social and professional networking sites like LinkedIn can connect service members and military veterans with valuable opportunities – but they can also be dangerous. Military service members on the site are a priority target for cyber attacks, according to Peter Warmka, founder of Counterintelligence Institute. He worked for the CIA for over 20 years. Now, he educates people about how hackers manipulate human behavior.
What to Know About Social Media Spear-Phishing
Service members’ LinkedIn profiles can clue foreign agents into their military responsibilities, including their access to valuable information. Anyone with a security clearance should be especially vigilant online, Warmka said, because agents seek out these profiles for “spear-phishing” attacks.
Phishing is a technique in which a cyber attacker masquerading as a “legitimate business or reputable person” attempts to acquire sensitive information from a target, according to the National Institute of Standards and Technology’s Computer Cybersecurity Resource Center.
Phishing attacks are often broad. Spear-phishing attacks target specific individuals, Warmka said. Ambitious attackers may also engage in “whaling” attempts to elicit information from high-level staff.
Without realizing it, spear-phishing targets can give away information to agents impersonating authority figures, tech support or industry consultants.
“People have been conditioned to think that phishing comes in the form of these more basic attacks via email,” Warmka said. “People never see [spear-phishing] happening because they really aren’t aware of it.”
Foreign-state actors who set up spear-phishing attacks may have some information on their targets already from their social media profiles and from previous data breaches.
One such security breach, which occurred at the U.S. Office of Personnel Management in 2013 and 2014, revealed security-clearance information on more than 22 million people. OPM investigates security clearance applicants’ international relationships and financial status to pinpoint areas foreign agents may try to exploit.
Another breach at Equifax in 2017 revealed credit information on more than 147 million people. Warmka said a foreign intelligence service could use details from OPM and Equifax to identify financially distressed targets and pressure or blackmail them into providing information.
Fake Profiles Pose Cybersecurity Threats
On LinkedIn, spear-phishers seeking to infiltrate military conversations can easily create a profile that service members could relate to based on the careers or education listed on their profiles, Warmka said.
Through correspondence, spear-phishers can seek further information or send malware that could help them access their targets’ technology systems or credentials.
In his presentation at the Cyber Defense Summit on Oct. 5, “Confessions of a CIA Spy – The Art of Human Hacking,” Warmka told attendees he created a fake profile in 2019 to see how many people would connect with him.
According to the avatar’s profile, she was an executive recruiter from New York. More than half the people she reached out to added her as a LinkedIn connection, amounting to more than 500 potential targets in just 15 days.
She used highly flattering messages to entice her targets – including some senior-level security staff – to request that she forward a suspicious attachment to them.
By 2020, Warmka said, she had around 22,000 connections.
In blog posts, Paul Rockwell, LinkedIn Trust and Safety Vice President, said the site is taking a proactive approach to preventing fake profiles and removing foreign nation-state agents from the site.
The site said it removed 21.6 million fake accounts between January and June 2019.
How to Spot a Fake LinkedIn Profile
Before you add any unfamiliar LinkedIn connections to your network, Warmka said you should first take a close look at their profiles.
Here’s what Warmka said to do to protect yourself:
- Look for signs that the contact’s profile is written awkwardly. Many LinkedIn professionals speak multiple languages, and English may not be their primary language. While anyone’s profile may have English spelling or grammar issues, if you have a security clearance you should take the time to see if the rest of the profile is believable and consistent.
- Paste a section of a well-written summary into the LinkedIn search bar to see if it is copied from someone else’s page.
- Do a reverse Google Image Search for the contact’s LinkedIn photo’s URL to see if the picture belongs to someone else. You can also search for your own photo to see if anyone is reusing it.
- Do a Google search to see if the contact’s name and other information appear on multiple social media sites. If this is their only profile, it may be a fake one.
Contact LinkedIn’s abuse team if you identify a fake profile or if someone attempts to send you phishing or scam messages.
“Minimize the Target” to Protect Your Information on LinkedIn
In addition to vetting profiles, Warmka recommends that service members, military veterans and cleared personnel take steps to reduce foreign-state actors’ curiosity.
“The more people that know personal information about you, the more vulnerable we become,” Warmka said.
“There are 3.96 billion users of social media,” Warmka said. “Potentially, these people could have access to your personal information if you’re putting it out there without any sort of privacy setting. Everything is hackable. They could recruit someone who works for LinkedIn.”
Here are some tips:
- Don’t post your security clearance on LinkedIn.
If you have a security clearance, Warmka said you shouldn’t advertise that on LinkedIn. If you need to talk about your clearance to network in your industry, Warmka said you should network in well-known, secure industry environments. “I believe it is much safer for individuals [with clearances] to trust sites such as ClearanceJobs or USAJobs. I would be very careful in using any other lesser-known sites, which could be set up by threat actors.”
- Keep personal and professional details general.
Be careful about what information is publicly visible on your profile to minimize your value as a target. Warmka suggests turning off settings that make your job duties visible to the public and removing all references to your deployed or overseas locations.
- Edit your advertising settings.
Visit LinkedIn’s advertising settings page to further close the loop and prevent data leaks. The less data you share, the less information about you can circulate. LinkedIn shares personal information about its subscribers with a broad network of partners and advertisers. Even if LinkedIn remains secure forever, any one of the sites it shares information with could have a data breach, revealing details about your experiences or interests.
- Adjust your data visibility and data privacy settings.
LinkedIn allows you to define the visibility and privacy of your data, reducing the amount of information that is shared with the site and its users. At a high visibility level, the site can even tell strangers when you are mentioned in the news if you set it up to do so. If you’re deployed or working in a high-security field, Warmka said you should modify these settings to limit access instead.
- Leave your personal devices at home when traveling to some countries.
Warmka said military members, veterans and cleared personnel should take extra precautions when traveling to China or Russia. While you may not be able to stay off the internet altogether during your trip, you can reduce your exposure to hacking by leaving your computer and cell phone in the United States.
“You definitely don’t have any privacy when it comes to your usage of the internet or social media in those places compared to the United States,” Warmka said.
If necessary, he recommends purchasing temporary devices to use while visiting. He also said you should refrain from logging into social media until you’ve returned to the United States and can use your regular devices again.