When you're making business contacts in the real world, the handshake is with someone you know. On LinkedIn, assuring a genuine connection depends on you investigating the contact before bringing the individual into your professional network. Photo: Atee83 | Dreamstime Molouk Y. Ba-Isa Saudi Gazette What if you discovered that some of the supposedly professional connections you'd made through LinkedIn.com were instead scam artists just waiting for an opportunity to exploit you or members of your LinkedIn network? Scary as that sounds, according to Mirza Asrar Baig, CEO of Riyadh-headquartered information security firm, IT Matrix, this is exactly what is happening in Saudi Arabia. After three months of investigation, Baig and his team found that through LinkedIn, key industries in Saudi Arabia are becoming potential targets of fraudsters. “Our extended research began because we received invitations to connect on LinkedIn which looked suspicious,” Baig said. “The profile photos were not standard professional business images. Details in the profile text were inaccurate and scanty. When we did an image search using the profile photos we found that the pictures belonged to women in the adult entertainment industry, models, obscure film stars or were taken from online dating sites.”
The IT Matrix team began their research with just a few known fake accounts and then went looking for similar profiles. LinkedIn claims to have over one million members in Saudi Arabia so there were many profiles and networks to investigate “We found many fraudulent LinkedIn profiles and soon we found a pattern in their connections. It was clear that they were targeting sensitive industries in the Kingdom,” remarked Baig. “When we spoke with government agencies and industry regulators they were surprised. They were further shocked when we showed how LinkedIn could be used to launch various attacks. It was concerning to them because some of these fraudulent LinkedIn accounts were connected to hundreds of individuals in the same key industries in Saudi Arabia. One fake account had racked up over 800 connections in a specific sensitive field of work.” There are many reasons why criminals want to establish networks of legitimate contacts in Saudi industries. The first goal is to collect intelligence on staff within an organization to be used when needed. There may also be attempts to “share” files with contacts in order to inject malware into systems. This enables criminals to steal documents and other data and to spy on an organization's operations. It's sophisticated industrial espionage which can have national consequences. There's also the potential for blackmail. “One of the first things that happened when we connected with a fraudulent account is that there was a request for our mobile contacts. It's already happening in Dubai and Saudi Arabia that staff of major corporations receive calls and what they think are flirtatious dalliances that no one will ever know about are recorded and become vectors for blackmail,” explained Baig. IT Matrix alerted its clients to the danger and advised LinkedIn to take down the fake profiles associated with IT Matrix customers' accounts. LinkedIn clearly didn't follow up on the issue. Despite the fact that one nonexistent company had 32 fake profiles, 30 of which belonged to women with fraudulent photos, only the profiles identified as fake by IT Matrix were removed. The other profiles are still “live” and collecting new connections as of the time of this report. Profiles may be flagged by LinkedIn members as “inappropriate” but it's not a one click process to do so and there's no guarantee that LinkedIn will act on the flag. There are numerous reports in the LinkedIn forums of fake profiles with some concerned members in the LinkedIn community writing about “millions” of fraudulent profiles. With no onus on LinkedIn to determine if a profile is real or fake, it's really up to individuals and companies to defend themselves. Corporate social media policies can hold employees legally responsible for any use of social media where the profile reflects an association with the company. Such policies are common in the USA and Europe and are now being considered by major enterprises in the Kingdom. Individuals can join LinkedIn for instance without revealing a company affiliation. Companies may determine that social media sites such as LinkedIn may not be accessed at work or from networks, computers or other electronic equipment owned by the company. Senior management should control the content on any social media page in the company's name and administrators of those sites should sign undertakings that those pages are the intellectual property of the company and not any individual. “LinkedIn can be a good tool, but people have to really be careful when they are making connections,” advised Baig. “Don't connect to anyone you don't know. Look at the profile first, even if you think you know the person. There are many instances of criminals creating a false profile based on a real person. Organizations need to have social media policies and staff must attend awareness sessions where such policies are discussed and understood for the protection of the company and the individual.”