January is the month when employees are most likely to think about changing jobs, according to a survey by Glassdoor. Almost one in five jobseekers cited January as the most popular month to make a move, which means that resumes, cover letters and reference contacts are eagerly shared through social media, email and company websites.
Cyber thieves are eager to take advantage of the busy hiring season, too, and they’ve come up with several ways to infiltrate corporate systems. Security pros offer their tips on what to watch out for, and how to stop them.
Cyber criminals use LinkedIn and other social media sites to bypass company defenses
LinkedIn and other social networks are becoming targets for threat actors, who know they offer a reliable way around a company's defenses, according to cybersecurity firm Cylance. LinkedIn is typically a site that network filters do not block, so that HR departments are free to communicate with prospective job candidates.
Some 87 percent of recruiters use LinkedIn when vetting candidates during the hiring process, according to Jobvite’s Recruiter Nation Survey 2016. Jobseekers flock to the site as well, many of them browsing at the office, with 45 billion page views from LinkedIn members in the first quarter of 2016, according to LinkedIn.
“These attacks are becoming more common because it’s easy and inexpensive,” says Chris Stephen, channel engineer at Cylance. “Companies have placed a lot of money in their perimeter security and purchased products to find sites with poor reputations scores. LinkedIn circumvents both of these layers.”
Email scanning is almost completely circumvented in this type of attack, Stephen says. Most professionals sign into LinkedIn using their personal email addresses rather than their company account, so messages from the site never pass through the company's email security. Though most email providers don't allow .exe file attachments, attackers can still upload resumes infected with malware as a Word document or PDF, which professionals are far more likely to open, he adds.
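Because LinkedIn traffic sidesteps the mail gateway, the only place left to inspect an inbound resume is at the point where HR saves or opens it. The following Python script is an added illustration of that check, not code from the article or from Cylance: it looks inside a Word (OOXML) or PDF resume for the features that carry active content (an embedded VBA project, an external relationship that fetches a remote template, an embedded OLE object, JavaScript or auto-run actions in a PDF) and returns a list of reasons to quarantine the file. The sample documents it builds are constructed here for demonstration; the file layout checks rely on the public OOXML and PDF formats, and the flagged markers are indicators for sandbox review rather than proof of malice.

```python
import io
import re
import zipfile
from typing import List, Optional

# PDF tokens that mean the document can run or launch something when opened.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                      b"/Launch", b"/EmbeddedFile")


def scan_pdf(data: bytes) -> List[str]:
    """Return findings for a PDF given as raw bytes (no parsing library needed)."""
    return [f"pdf: contains {m.decode()}" for m in PDF_ACTIVE_MARKERS if m in data]


def scan_docx(data: bytes) -> List[str]:
    """Return findings for an OOXML package (.docx/.docm) given as raw bytes."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A vbaProject.bin part means the document carries macros.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append("docx: embedded VBA project (macros)")
            # Relationship parts with TargetMode="External" can pull a remote
            # template or payload from the network when the file is opened.
            for n in names:
                if not n.endswith(".rels"):
                    continue
                rels = zf.read(n).decode("utf-8", errors="ignore")
                for elem in re.finditer(r"<Relationship\b[^>]*>", rels):
                    if 'TargetMode="External"' not in elem.group(0):
                        continue
                    target = re.search(r'Target="([^"]*)"', elem.group(0))
                    if target and target.group(1).lower().startswith(("http://", "https://", "file://")):
                        findings.append(f"docx: external relationship target {target.group(1)}")
            # Embedded OLE objects (packaged executables, scripts) live here.
            if any(n.startswith("word/embeddings/") for n in names):
                findings.append("docx: embedded OLE object")
    except zipfile.BadZipFile:
        findings.append("docx: not a valid OOXML package")
    return findings


def scan_resume(data: bytes) -> List[str]:
    """Dispatch on the file's magic bytes, not on its extension, which is attacker-controlled."""
    if data.startswith(b"%PDF"):
        return scan_pdf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        # Legacy binary Office (.doc/.xls) can hold macros but needs an OLE parser.
        return ["legacy OLE document: may carry macros, route to sandbox"]
    return ["unrecognised format: reject or sandbox"]


def build_sample_docx(with_macro: bool, remote_template: Optional[str] = None) -> bytes:
    """Constructed minimal OOXML package for demonstration; not a real resume."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = ["<Relationships>"]
        if remote_template:
            rels.append(f'<Relationship Id="rId1" Type="attachedTemplate" '
                        f'Target="{remote_template}" TargetMode="External"/>')
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample PDFs: one with an auto-run JavaScript action, one plain.
SAMPLE_PDF_WITH_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                      b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
SAMPLE_PDF_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"

if __name__ == "__main__":
    samples = {
        "macro.docm": build_sample_docx(True),
        "plain.docx": build_sample_docx(False),
        "template.docx": build_sample_docx(False, "http://example.invalid/t.dotm"),
        "js.pdf": SAMPLE_PDF_WITH_JS,
        "clean.pdf": SAMPLE_PDF_CLEAN,
    }
    for name, blob in samples.items():
        print(name, "->", scan_resume(blob) or "no findings")
```

The script deliberately dispatches on magic bytes rather than the file name, since a resume named `cv.pdf` can be anything the sender chose to upload; a file that produces any finding should be opened only in an isolated viewer or sandbox, and the same check can be wired into the HR shared drive or upload form so it runs before anyone double-clicks.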
“For LinkedIn, you’re providing them with your resume, and that’s really the vector that’s going to give (threat actors) an increased likelihood of payout,” Stephen says. Job sites such as Monster and Indeed have candidates pre-fill their resume instead of attaching one, he adds.
Cyber thieves posing as legitimate LinkedIn users can also be hard to spot. They are often able to infiltrate a company by striking up conversations with recruiters or employees, either as part of a social engineering plot or as a pretext for sharing malware attachments. If the fake user's account has many shared connections, the employee is less likely to be suspicious, Stephen says.
When asked about the vulnerability, LinkedIn issued a written response: "Growing your network is a crucial step in finding new business opportunities. The most important thing LinkedIn members can do to protect themselves is to only accept requests from people they know or recommended contacts from a trusted connection. We encourage our members to flag any profiles, messages or postings they believe are suspicious. We have many helpful articles in our Help Center to stay educated…. We also have… dedicated teams that work quickly to remove any instance of fraudulent activity and prevent future reoccurrences."