As the debate over bots on Twitter plays out in the courts of Chancery and public opinion, another social media company is being forced to tackle scams that pose a far bigger risk to users.
LinkedIn has become the latest target of inauthentic accounts with perpetrators appearing to be far more sophisticated and cunning than those afflicting Twitter Inc. Even bigger dangers abound because customers expect more from the business networking site owned by Microsoft Corp. than they do from the short-message service Elon Musk may end up buying.
Website for fake persona
Scams aren’t unique to LinkedIn. Twitter, Facebook, Instagram and basically the entire internet have been platforms for nefarious actors for years, from variations on the Nigerian Prince fraud, to phishing attacks that lure users to download malicious code and steal credentials.
Yet recent LinkedIn campaigns have come extraordinarily close to replicating real people with the help of one of the most powerful websites on the internet.
ThisPersonDoesNotExist.com creates headshots using artificial intelligence complete with jewelry and a scenic backdrop. It’s eerily good, and allows anyone to create a deep-fake persona that passes as the real thing. Add in web-scraping tools, which copy data from actual LinkedIn resumes, and you too can become Victor Sites, Chief Information Security Officer at Chevron Corp.
That’s precisely what’s happened. Hundreds of times over. Brian Krebs, a noted author and cybersecurity investigator, discovered the profile of Sites and cross-checked it against the real CISO of Chevron. Compounding the perception of reality is that a Google search for that role returns the fake profile alongside the real one. There are countless similar phonies on the site, he noted.
A confounding aspect of the problem is determining motive.
Motives
Earlier this year, the FBI warned that one objective is to lure people into fraudulent cryptocurrency investment schemes. Researchers at security firm, Mandiant Inc. also found evidence that North Korean hackers were using such profiles to land remote jobs inside cryptocurrency firms. These positions could then give the actors access to tools and intelligence that could aid money laundering and handling of illicit funds, Bloomberg News reported.
There are also more mundane purposes. As National Public Radio found earlier this year, dummy accounts have been deployed to cast a wide net as companies seek to hire candidates. Those who take the bait then get passed on to human resources. “Think telemarketing for the digital age,” NPR’s Shannon Bond wrote. The plethora of motives opens up a broad array of jobs that could be created to lure victims. And there are many more fake profiles for whom the goals and motives aren’t immediately obvious.
What’s clear, though, is that LinkedIn’s cachet as being the social network for serious professionals makes it the perfect platform for lulling members into a false sense of security. Although Musk is using the perception that Twitter is infested with bots as an excuse to wriggle out of his purchase agreement, there’s no evidence to suggest that the fake rate on LinkedIn is any lower.
LinkedIn security risk
Yet it is true that consumers place far higher faith on it over rivals. Both Facebook and Twitter rated among the worst in surveys that assessed perceptions of deceptive content and of protecting privacy while LinkedIn was at the top, according to research published by Insider Intelligence last year. That air of professionalism goes a long way toward explaining LinkedIn’s user and revenue growth since Microsoft bought the company six years ago.
While the two companies were once neck and neck, LinkedIn now brings in twice the sales and has narrowed the gap in revenue per user. Its 850 million members is almost four times that of Twitter’s 238 million.
Much of that growth spurt has come in the past two years as the Microsoft unit doubled down on its corporate credentials amid an uptick in hiring and demand for professional services.
Exacerbating the security risk is the vast amount of data that LinkedIn collates and publishes, and which underpins its whole business model but which lacks any robust verification mechanisms. A Twitter user, by contrast, can gather a vast following while still remaining anonymous.
Suggested measures
There are two simple steps LinkedIn could take to vastly improve its platform, Krebs noted in a recent post. First, add a “created on” date, which Twitter already deploys, in order to highlight which profiles are recent versus long-established. A second, more powerful, feature would be to implement domain verification that ensures that a member has an email account at the organization where they claim to be employed.
"We work every day to keep our members safe and this includes our automated systems paired with teams of experts to stop the vast majority of fake accounts before they appear in our community,” Oscar Rodriguez, LinkedIn Senior Director of Trust, Privacy and Equity. “We also ask members to report suspicious profiles and content to us so that we can take action.”
The company declined to say whether it was considering adding creation date or domain verification, or outline any changes it has made in recent months to tackle the spate of deep-fake profiles.
LinkedIn has a chance to learn from its rivals’ mistakes, but it needs to take action quickly before the situation gets out of hand.
With the Cambridge Analytica scandal putting Facebook in the spotlight, teen mental health highlighting the risks of Instagram, Beijing’s links to TikTok raising concerns about that short-video service, and the debate over Twitter bots raging in a Delaware court, Microsoft has stayed out of the fray.
That protective cover won’t last forever.