Earlier this year, the business-oriented social network website LinkedIn confirmed that a number of user passwords had been hacked and published on a Russian web forum. Ironically, this came at around the time that Last.fm confirmed a similar password hack, and more recently Yahoo have admitted the same.

Frustratingly, in recent weeks, I’ve been receiving a number of phishing attempts by e-mail, sent by would-be cybercriminals who hope to use my LinkedIn password & profile for whatever means they deem necessary. It’s become so annoying (these attempts are almost daily now), that I’ve decided to highlight this issue, particularly as it no doubt affects many thousands.

What is “phishing”?

Phishing (pronounced “fishing”), is a fraud attempt where a criminal pretends to represent a real, legitimate organisation in an attempt to trick potential victims into revealing confidential information about themselves. This information can include bank account details, information which the criminals can use to pose as you (such as to apply for credit), e-mail and computer system passwords…

Phishing is typically associated with e-mail scams, but it can also arrive as telephone calls, text messages and junk mail.

Spotting an e-mail Phishing Scam

Despite the occasionally clever design of HTML e-mails, phishers are quite adept at making mistakes, which can be spotted. Using examples from the recent LinkedIn phishing attempts, here are some of the mistakes:

  1. The sender – I’ve received phishing attempts from paiva@altanet.com.br, guillermo@newstation.com.ar, hilario@oswaldocruz.com.br, espeed@speedconsulting.com & didattica@fupress.com to name (and shame) a few. In each case, it’s clear that the sender is not LinkedIn themselves.
  2. Multiple recipients – sites like LinkedIn, Last.fm etc. send e-mails to one user at a time. Recipients should not be able to see other users’ contact details, as this generally violates the site’s Terms & Conditions on what it may use your contact details for.
  3. E-mail subject line – the subject headers “Contact LinkedIn Mail” and “Signaling LinkedIn Mail” have never featured in the legitimate LinkedIn communiques I’ve received.
  4. Content – having searched many of the names featured in these e-mails, I’ve been unable to find them listed on LinkedIn. In one particularly amusing scam, I was informed that the CEO of Berkshire wanted to add me as a contact! Clearly the scammer was too lazy to find the name of a company, so opted for a UK county instead.
  5. The links within the e-mail – by positioning your mouse pointer over the links (but NOT clicking on them), you can see where the links lead to. Often, the links will lead to a non-legitimate website, or sometimes links created using a URL shortener like bit.ly.
  6. The standard of English – one scam I received had a poor standard of English. When the content seems badly written, it’s likely that the scammer is a non-native English speaker who has simply run the text through an online translation engine. Be aware that automated translation sites tend to translate each word individually, often using a thesaurus that places uncommon words in the content. They don’t account for grammar either, which results in jumbled sentences and missing words.
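As an added illustration, not code from the original post, the following Python script turns signs 1, 2, 3 and 5 above into a small set of checks run over a raw e-mail. The two sample messages are constructed for this example (the sender address echoes one the post names; the recipients, links and hostnames are placeholders), and the domain lists are assumptions: the script treats linkedin.com as the only legitimate sender and link domain, and a handful of well-known shorteners as link-hiding services.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Domain the mail claims to come from (the impersonated organisation). Assumption for this example.
LEGIT_DOMAINS = ("linkedin.com",)
# Well-known URL shorteners that hide the real destination of a link.
URL_SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl")
# Subject lines seen in the scams described in the post, compared case-insensitively.
SUSPICIOUS_SUBJECTS = {"contact linkedin mail", "signaling linkedin mail"}

# Constructed sample modelled on the scams described in the post (not a real message).
PHISHING_SAMPLE = """\
From: Hilario <hilario@oswaldocruz.com.br>
To: alice@example.com, bob@example.com, carol@example.com
Subject: Signaling LinkedIn Mail
Content-Type: text/html; charset=utf-8

<html><body>
<p>The CEO of Berkshire wants to add you as a contact.</p>
<p><a href="http://bit.ly/CONSTRUCTED">https://www.linkedin.com/e/confirm</a></p>
<p><a href="http://linkedin.com.account-verify.example.net/login">Accept invitation</a></p>
</body></html>
"""

# Constructed sample of what a legitimate notification looks like under these checks.
LEGIT_SAMPLE = """\
From: LinkedIn <invitations@linkedin.com>
To: alice@example.com
Subject: Invitation to connect
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone you know wants to connect.</p>
<p><a href="https://www.linkedin.com/e/accept">Accept</a></p>
</body></html>
"""


def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one.
    A host such as 'linkedin.com.example.net' does NOT belong to linkedin.com."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_message(raw):
    """Return a list of flags, one per suspicious sign found in the raw e-mail."""
    msg = message_from_string(raw)
    flags = []

    # Sign 1: the sender's domain is not the organisation the mail pretends to be from.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if not belongs_to(sender_domain, LEGIT_DOMAINS):
        flags.append("sender_not_linkedin:" + sender_domain)

    # Sign 2: a notification is sent to one user, not to a visible list of people.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > 1:
        flags.append("multiple_recipients:%d" % len(recipients))

    # Sign 3: subject lines the legitimate service never uses.
    if msg.get("Subject", "").strip().lower() in SUSPICIOUS_SUBJECTS:
        flags.append("suspicious_subject")

    # Sign 5: where each link really points (the programmatic form of hovering over it).
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = urlparse(href).hostname or ""
        if belongs_to(host, URL_SHORTENERS):
            flags.append("url_shortener:" + host)
        elif not belongs_to(host, LEGIT_DOMAINS):
            flags.append("foreign_link:" + host)
        # The visible text shows one URL while the href goes somewhere else.
        shown = re.match(r"\s*https?://([^/\s<]+)", text)
        if shown and shown.group(1).lower() != host.lower():
            flags.append("link_text_mismatch:" + shown.group(1))
    return flags


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, "->", check_message(sample) or ["no flags"])
```

The suffix test in `belongs_to` is the important detail: a lookalike host that merely starts with the legitimate domain is still reported as a foreign link, which is the trick the hover-over-the-link advice is meant to expose.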
Preventing Phishing Scams

There are a number of straightforward ways to prevent scams:

  • Websites that suffer a successful hack publish this information on their main website, and also pass the details on to news organisations. If you’re a member of the site, log in immediately and change your password. Don’t wait for the e-mail from the website, and just to be safe DON’T CLICK ON A “PASSWORD RESET” LINK THAT MAY BE SENT TO YOU BY E-MAIL.
  • Never use the same password for all your online accounts – that way, if hackers obtain one password, they won’t have them all.
  • Change your passwords regularly.
  • Make sure your username and password DON’T MATCH.

What To Do When You Receive A Phishing E-mail

Whilst I’ve not so far read a definitive “actions on” list, there are some popular tips on what to do:

  • Inform your e-mail provider. They can then monitor further attempts and protect other users as well as you.
  • Inform the companies that the phisher is trying to impersonate, ideally forwarding the actual e-mail or a screenshot. This helps them protect other users, and may eventually help when it comes to finding & prosecuting the criminals involved.
  • Inform the company that owns the web domain the phisher is using, telling them which account is being used. Tell them that you’ve also informed your own mail host and the company that the phisher is trying to impersonate.
[Screenshots of the phishing e-mails, captioned “Phishing Scam 1” and “Example #1” to “Example #4”, are not reproduced here.]