LinkedIn Phishing. It’s real.

Just finished re-messaging all my contacts! So my LinkedIn account was hacked. They changed the primary email in the account, locked me out and went phishing on my own contacts. Not only did they send a message with a fraudulent link, they actually interacted with some of my connections… Just when you thought you’ve seen it all…

While some use LinkedIn broadly, I really cherish my connections and only accept meaningful business invitations to connect. I rarely engage with cold InMails or Sponsored Messages that, needless to say, are becoming more tiresome by the minute. I’m probably old school and still think of LinkedIn as a trusted business network. Well, not so trusted anymore.

We’ve learnt to detect phishing via email and social media trolls. We’ve learnt to identify awkward links and decipher robots’ incoherent writing. We are now gaining expertise in fake news and Russian disinformation campaigns. But luckily, when you receive a private message from one of your contacts within your trusted business network… Nope, that’s now compromised, too. You should trust LinkedIn as much as you trust Facebook, Twitter or Instagram. It’s just another platform with as many flaws as the rest.

And I dare any LinkedIn moderator to beep one more time on the matter. Although they were quick to block the account, it was very disappointing to know that there was “nothing” they could do to contain the situation. We all know by now that once an email, message, tweet or snap is sent, it’s gone! We know those cannot be “retrieved”. But what about mass-messaging one’s contacts to alert them of the phishing and tell them not to open the link? Both the bad and the good messages would show together in the conversation, most likely preventing the user from tapping on the previous link. “No can do”. So the hacker can mass-message my contacts, somehow, but LinkedIn can’t do it? “No can do”. What about blocking/blacklisting the fraudulent links so those cannot connect outside LinkedIn? Those were sent to the support team as well… “No can do”.

Solution: message all your contacts one-by-one to alert them of the problem. I’m sure anyone can get to hundreds of them before they follow the link, right?! I guess I should shut up and be thankful that LinkedIn blocked the account quickly enough before the hacker messaged over a thousand contacts??? Unbelievable. Disappointing. Unreal for today’s technology.

Unacceptable to say the least, knowing now that this has been going on for a while. Just google “LinkedIn phishing” and see for yourself. How does a company like LinkedIn not have a protocol to deploy when this happens to a user? How are they not ready to mitigate the risk? Some of these phishing links go to Google Drive files, where users might also compromise their Google accounts. You can’t open or download a shared Google file unless you log in to your Google account. If you follow the link, it’s because you trusted the sender and the link. If you trusted the link, you may well go ahead and log in to your Google account… You see where I’m going? The extent of the damage can be very severe. And while people might not use LinkedIn to store private information, many do trust Google to keep their confidential information secure.

Long story short, I ended up messaging all my contacts. As I said before, I do cherish my connections and I felt compelled to alert them about the situation. If anything good came out of this ordeal, it was the opportunity to reconnect with them after a long time out of touch.

The lesson learnt: 2-step verification. I finally stopped procrastinating about it and took the time to turn on 2-step verification in all my accounts. It’s a pain to set up, no doubt. You have to log back in to all your email and other accounts and verify all your devices, but at the end of the day, you know that none of your accounts will be accessed from a new device unless you approve it via text, phone or app from a previously approved device. Even if they somehow get their hands on your username and password, they won’t gain access unless you willingly approve it.

Information has become the most valuable asset; treat the accounts that hold your data the same way you treat your bank accounts and you should be better off.