What’s that you say? A privacy consultant could not have been phished. She must know better. Ah, if only that were true. Because October is National Cybersecurity Month, I decided I would come clean. (Fish pun intended.)
So how did it happen?
After starting my consulting practice last January, I was pleased to hear from people seeking my services. Some were email referrals from my professional network and former colleagues. Others came from LinkedIn connections who saw my status updates and posts about my new work. Well, apparently, the scammers were paying attention as well!
In February, I received a LinkedIn message from a connection asking if I would be interested in an upcoming project. I read the message and saw that there was a link to Microsoft OneDrive. In retrospect, I realized that I must have clicked on the link, but I definitely did not enter my credentials. Instead, I messaged my connection, and asked if she could provide the materials in a different manner. The next day, she posted that her account had been hacked. She also responded to my personal message. I naively thought that was the end of it.
What were the consequences?
A few days after the initial LinkedIn message, Google notified me about suspicious activity on my account and recommended that I change my email password. Several days later, I could not open LinkedIn because my account was “restricted.” LinkedIn asked me to verify my identification by sending a copy of my driver’s license or passport. I was a bit wary, but after an online search indicated that this request was legitimate, I uploaded a copy of my driver’s license and received an email that confirmed receipt and informed me that LinkedIn would get back to me within 24-72 hours.
Imagine my dismay to learn that I might have no access to LinkedIn for three days at a time when my consulting business was just getting off the ground. And what was worse, a LinkedIn search of my name from my husband’s device indicated that I had no LinkedIn profile. I had disappeared!
And to top it off, I learned that LinkedIn online customer support is only accessible from a logged-in account which, now, I did not have. The internet led me first to a customer service number which was “not accepting calls or messages” and then to Twitter, which was touted as the best way to contact LinkedIn support. I created a Twitter account (which, of course, could present new ways for my identity to be compromised), and through this platform, received a prompt response confirming that LinkedIn’s “safety team” was reviewing my case, and that there was nothing more I could do.
Fortunately, the next morning, I received an email from LinkedIn stating that the restriction on my account had been removed. To date, nothing else has happened. But, please let me know if you receive strange messages from me!
Was there an explanation?
Although LinkedIn apologized for the delay, LinkedIn did not acknowledge that I could have been phished through LinkedIn. Rather, the email listed three possibilities:
· Failure to sign out of a public computer or shared device.
· An outdated email or phone number associated with the account that may have been recycled or compromised.
· Use of the same password on multiple websites that might have been compromised through unaffiliated sites or a phishing attack.
None of these applied. The person who supposedly contacted me told me that her LinkedIn account had been hacked. (Perhaps she was guilty of one of the suggested causes, but I was not.) Instead, I found two articles from the fall of 2019 describing a similar LinkedIn phishing attack with a supposed OneDrive. (Interestingly, the articles are identical but the authors are different.)
I have seen little other press on this issue. So, please feel free to share this blog post!
What can you learn from my experience?
1. Be aware that LinkedIn accounts can be compromised.
LinkedIn is the go-to site for professional networking and job hunting. I would not have fallen for this scam had it come through email or other social media. But, in my haste to seize a new business opportunity, and because I was on LinkedIn, I overlooked the clues that are often found in targeted email phishing attacks.
2. Slow down and watch for red flags.
🚩 Greetings-type approach
🚩 Customized message
🚩 Bad grammar
🚩 Links
The message I received began with: “Good morning and I'm wishing you the very best.” While I noted that the message was not addressed to me individually, I was mistakenly comforted by the fact that the message discussed an upcoming project and a request for services. In fact, I marveled that my connection had found a new way to contact people based on a subject matter search, similar to LinkedIn’s recruiter search tools. LinkedIn users should especially watch out for targeted messages regarding business and career opportunities.
In my haste, I missed the warning sign of poor grammar (although to be fair, in our digital world, I see a lot of bad grammar). I also thought that the use of a link to OneDrive might be an interesting way in which to share information. I thus convinced myself that the message was reasonable and that the opportunity was interesting.
3. As soon as you realize something might be amiss, stop, and report!
Fortunately, I stopped and did not enter my credentials into the bogus OneDrive site. Instead, upon realizing that this might be a scam, I contacted my LinkedIn connection and learned that she had been hacked. Had I worked in a corporate environment, I would have immediately reported the situation through proper channels so that an investigation could be done and future harm prevented.
4. Appreciate company efforts to catch suspicious activity.
Like the credit card companies which have become increasingly sophisticated in catching fraudulent charges, Google and LinkedIn caught the problem and forced me to change my passwords. Although I question why LinkedIn shut down my account rather than attempting to contact me, at least no further harm was done (as far as I know). Pay attention to these notices, but be careful to not click through any emails you receive. Always log onto the sender’s site separately.
5. Review your passwords and turn on multi-factor authentication/two step verification.
We all have hundreds of passwords. Take the time to review your passwords and make sure that they are strong passwords and not repeated across applications. There are many views on what makes a strong password. LinkedIn recommends a mix of 10 or more characters that cannot be easily guessed. Consider your options, which may also include using a password generator and manager.
And finally, turn on two-step verification on LinkedIn and elsewhere where available. This feature prevents unauthorized access to your accounts because anyone seeking access would need both something you know (your password) and something you have (your device). A few extra seconds to sign into applications is well worth it.
6. Remember that we are all human and that anyone can make a mistake.
In our busy world, and especially this year, we are all under stress. Take the time to be careful, but also to take care of one another. Teach best practices, but refrain from shaming.
So, now you know my story. Are you willing to share? Has this happened to you?