Many of us have seen the news and heard about people getting scammed via social media by connecting to seemingly valid people and later giving up information that ultimately results in their identity being stolen.
We also assume that it would never happen to us, because we're careful about who we accept as connections. The reality is that setting up a fake profile and getting people to connect to it is unbelievably easy; all you need is a little creativity.
A recent blog article published by Satnam Narang at Symantec entitled "Fake LinkedIn accounts want to add you to their professional network" inspired me to investigate how easy this really is. The article was primarily about how scam artists are posing as recruiters with fake LinkedIn profiles to harvest information from profiles and target individuals or corporations for spear-phishing attacks. While it was a great article about how the scammers go about it, it lacked details about how successful these scammers actually are in gathering information.
I decided to construct a social media experiment where I could report on measurable results to indicate how susceptible a typical organization is to such an attack. For the first part of this experiment I decided to see how easy it would be to connect to people in an organization with fewer than 250 employees. The organization has grown significantly over the last several years, so it was plausible to me that it would be relatively easy to set up a new employee and link to current employees. Before starting the experiment I got the permission of the key leadership of the organization as well as the main HR representative to ensure that there was no perceived threat to the organization.
Setting up a fake LinkedIn profile is amazingly easy: all you need is an email address and some creativity, and you can be up and running in under 10 minutes. The fictitious profile was male, had worked at a competitor of the company that he was going to work for, and had gone to a local university and high school. He even volunteered with the local animal shelter in his spare time, according to his profile. The profile image was the result of a simple Google search; I picked one at random. The profile looked exactly like somebody this company would want to come work for them, with the right education and prior experience. The main issue was that everything about him was completely fictitious and made up in 10 minutes.
Prior to the experiment, I spoke with a trusted colleague who handles HR and recruiting at my company and asked what her acceptance rate generally is on LinkedIn. She said that in the last year, her acceptance rate has been greater than 90%. She also said that, generally speaking, if people are going to accept, they accept within 48 hours of the request. After that, the probability of a response goes downhill rapidly. I assumed that in a relatively small company, people would be more likely than in a large company to question a person they had never heard of. One thing I had in my favor, though, was that this company was relatively distributed and nearly 30% of the employees had joined within the last year. Given that, I surmised that I might be able to get an acceptance rate of 50% or so. I didn't think I would get close to 90%.
The experiment started on Monday around mid-day. The fictitious profile had exactly zero connections at the start of the experiment. LinkedIn makes it incredibly easy to link in to people that work at the same company as you. Part of the setup of your LinkedIn account is reviewing a list of "people you might know". Because of this extremely helpful feature, I was off and running with 100 requests to unsuspecting employees in under 10 minutes. After the requests went out, all I had to do was wait and see how long it took for the responses to roll in.
For the first wave, I consciously avoided people that would be "in the know" about a new employee with the title I had posted. I primarily avoided HR, recruiters, IT and Business Operations people because they would know about new employees. I also avoided people that appeared to have management responsibility in the area that this individual was going to be working in. My targets were employees outside of corporate headquarters, employees that had started within the last year, and employees that didn't appear to be in the same working group as the new employee.
I was surprised by the results. What was my return on the investment of about 20 minutes' worth of work? I had a 60% acceptance rate within 24 hours. That is to say, of the original sample of 100 people, 60 people accepted my request within 24 hours. I was frankly shocked that I had that type of acceptance rate in a 24-hour period. I guess everyone assumed that they would never be the target of a scammer, especially one that appeared to be joining their own company.
Acceptances had tailed off from the original group of employees, and I wanted to see if I could get some former employees of the company to accept requests. Approximately 30 hours into the experiment I added people from HR, recruiting, IT and Business Operations along with members of management. Another 100 contacts were added, for a total sample size of 200. These were all current or former employees of the company we were testing.
Over the next 18 hours, my fake profile reached 98 accepted connections out of 200 invitations sent to both current and former employees. That's a 49% acceptance rate. That means that for this experiment, nearly 1 in 2 people did not bother to check the legitimacy of the profile before accepting the request. A logical conclusion that employees could draw from somebody with 98 connections is that they must be legitimate, because 98 other people accepted his request. I am fairly confident that had I not ended the experiment at 48 hours, the acceptance rate would have been significantly higher. Many of these people had logically assumed that they would never be attacked by a scammer claiming to be from their own company. This should be alarming to every individual and company out there, because as these profiles gain connections they gain legitimacy.
The good news is that for every person in this organization that accepted the request, there was another person who was either skeptical of the profile or doesn't accept requests from people that they don't know. The downfall of my experiment started when I added people from HR, recruiting, IT and Business Operations. Approximately 42 hours into the experiment, and roughly 12 hours after adding the additional contacts, suspicious employees started to engage with my fictitious profile. They were asking questions about when the fictitious employee was starting and who they were working for. The skeptical group was primarily made up of members of IT and HR, and this was key in the exposure of my fake profile.
The team investigating the fake profile was able to figure out a few things. First, the HR department knew that this person wasn't legitimate: they had no record of interviews, an offer or a start date for the individual. Next, the IT staff was digging into the legitimacy of the profile. They had contacted the previous employer of the fake profile and had found that there was no record of the individual. They even went so far as to do a reverse lookup of the image being used for the profile to find out the name of the real person to whom the picture belonged and to tell him that someone was using his picture. This is when I realized I needed to terminate the experiment and shut down the profile. We then immediately disclosed to the full organization the nature of the experiment and why we were doing it.
As I de-briefed individuals that had unwittingly participated in the experiment, people fell essentially into three groups:
- The first group was embarrassed that they had been duped by a fake profile. They had assumed that, because the company had been growing so rapidly, it was a legitimate new employee and there was no reason to question them. Their confidence in the legitimacy of the profile was bolstered by the increasing number of people that were linking to him.
- The second group had initially accepted the request and, as they started to look at the profile, became skeptical of it and asked the questions that ultimately led to the experiment being shut down.
- The last group stated that they never accept LinkedIn requests from individuals that they do not know or have never heard of.
Just as alarming as the nearly 50% acceptance rate of the profile requests is how untraceable the origin of the profile was. As easily as I had set up the account, I quietly shut it down. The total time I invested in the shutdown was 10 minutes. There was no trace of the fictitious account on LinkedIn shortly thereafter, and he was essentially erased from the Internet. As far as any "mortal" user can tell, this person never existed.
This leads to the dilemma of social media in general. The goal of social media tools like LinkedIn is to connect people globally, regionally, professionally and socially. To be widely accepted, they have to be easy to join, set up and use on a regular basis. Those that succeed are huge repositories of personal information. This is information that other entities are willing to pay for because of its accuracy and timeliness. Therefore, it generally isn't in the best interest of these companies to go to great lengths to introduce security measures to prevent these types of activities from happening.