As the debate over bots on Twitter plays out in the courts of Chancery and public opinion, another social media company is being forced to tackle scams that pose a far bigger risk to users.
LinkedIn has become the latest target of inauthentic accounts with perpetrators appearing to be far more sophisticated and cunning than those afflicting Twitter. Even bigger dangers abound because customers expect more from the business networking site owned by Microsoft than they do from the short-message service Elon Musk may end up buying.
Scams aren’t unique to LinkedIn. Twitter, Facebook, Instagram and basically the entire internet have been platforms for nefarious actors for years, from variations on the Nigerian Prince fraud, to phishing attacks that lure users to download malicious code and steal credentials.
Yet recent LinkedIn campaigns have come extraordinarily close to replicating real people with the help of one of the most powerful websites on the internet.
ThisPersonDoesNotExist.com creates headshots using artificial intelligence complete with jewelry and a scenic backdrop. It’s eerily good, and allows anyone to create a deep-fake persona that passes as the real thing. Add in web-scraping tools, which copy data from actual LinkedIn resumes, and you too can become Victor Sites, Chief Information Security Officer at Chevron.
That’s precisely what’s happened. Hundreds of times over. Brian Krebs, a noted author and cybersecurity investigator, discovered the profile of Sites and cross-checked it against the real CISO of Chevron. Compounding the perception of reality is that a Google search for that role returns the fake profile alongside the real one. There are countless similar phonies on the site, he noted.
A confounding aspect of the problem is determining motive.
Earlier this year, the Federal Bureau of Investigation warned that one objective is to lure people into fraudulent cryptocurrency investment schemes by gaining trust before taking the victim’s money. Researchers at security firm Mandiant also found evidence that North Korean hackers were using such profiles to land remote jobs inside cryptocurrency firms. These positions could then give the actors access to tools and intelligence that could aid money laundering and handling of illicit funds, Bloomberg News reported.
There are also more mundane purposes. As National Public Radio found earlier this year, dummy accounts have been deployed to cast a wide net as companies seek to hire candidates. Those who take the bait then get passed on to human resources. “Think telemarketing for the digital age,” NPR’s Shannon Bond wrote. The plethora of motives — from gaining inside access and stealing money, to marketing calls and phishing attacks — opens up a broad array of jobs that could be created to lure victims. And there are many more fake profiles for whom the goals and motives aren’t immediately obvious.
What’s clear, though, is that LinkedIn’s cachet as being the social network for serious professionals makes it the perfect platform for lulling members into a false sense of security. Although Musk is using the perception that Twitter is infested with bots as an excuse to wriggle out of his purchase agreement, there’s no evidence to suggest that the fake rate on LinkedIn is any lower.
Yet it is true that consumers place far more faith in it than in its rivals. Both Facebook and Twitter rated among the worst in surveys that assessed perceptions of deceptive content and of protecting privacy, while LinkedIn was at the top, according to research published by Insider Intelligence last year. That air of professionalism goes a long way toward explaining LinkedIn’s user and revenue growth since Microsoft bought the company six years ago.
While the two companies were once neck and neck, LinkedIn now brings in twice the sales and has narrowed the gap in revenue per user. Its 850 million members are almost four times Twitter’s 238 million.
Exacerbating the security risk is the vast amount of data that LinkedIn collates and publishes, which underpins its whole business model but lacks any robust verification mechanisms. A Twitter user, by contrast, can gather a vast following while still remaining anonymous.
There are two simple steps LinkedIn could take to vastly improve its platform, Krebs noted in a recent post. First, add a “created on” date, which Twitter already deploys, in order to highlight which profiles are recent versus long-established. A second, more powerful, feature would be to implement domain verification, which ensures that a member has an email account at the organization where they claim to be employed.
“We work every day to keep our members safe and this includes our automated systems paired with teams of experts to stop the vast majority of fake accounts before they appear in our community,” Oscar Rodriguez, LinkedIn Senior Director of Trust, Privacy and Equity, wrote in an emailed response to Bloomberg Opinion. “We also ask members to report suspicious profiles and content to us so that we can take action.”
The company declined to say whether it was considering adding a creation date or domain verification, or to outline any changes it has made in recent months to tackle the spate of deep-fake profiles.
LinkedIn has a chance to learn from its rivals’ mistakes, but it needs to take action quickly before the situation gets out of hand.