
By:
Joaquín Lanfranconi
(Cybersecurity Researcher)


Dangers on LinkedIn?

Anyone with a presence on LinkedIn will know that, every so often, a job offer with generous benefits and good pay arrives through a message on the platform or a connection request. LinkedIn is used heavily by people in technology, IT and cybersecurity, among other fields, although many other professions now have a large presence there too. That makes the network a possible gateway into the organizations its users belong to. In this post we look at two issues to keep in mind when receiving one of these offers on the platform or applying for any position through it.

Fake employees

As on any social network, there are fake profiles: non-existent people who claim to belong to a particular organization, usually a large corporation such as Meta (Facebook), Google, Netflix or Amazon. These accounts exist for many reasons, from open source intelligence (OSINT) gathering to more sophisticated operations, such as state-sponsored attackers harvesting people's resumes in order to infiltrate organizations linked to cryptocurrencies.

Although this problem is well known and such profiles are often easy to spot (a suspiciously small number of connections, a profile picture generated by artificial intelligence, and other details that make a user doubt), not every attacker operates at the same level of sophistication, and the better-crafted profiles are much harder to tell apart from real ones.



Nevertheless, LinkedIn makes a considerable effort to reduce the number of fake accounts on the platform, as described in its semi-annual transparency report. In the latest report, covering the second half of 2021, the company states that about 12 million fake account creation attempts were blocked at registration time.



At the same time, LinkedIn tries to protect users as best it can, using machine learning and artificial intelligence tools and adding new profile features such as the "About this profile" section, where you can check whether the user has verified a work email address on the domain of the organization they claim to belong to.

I am impressed by your profile!

How many times have we received this type of message on the platform, from human resources, talent acquisition, recruiters and so on, who are always "impressed with our profile" and offer us the chance to grow within a spectacular company with a dream culture? All of these messages end the same way: asking us to apply on some platform, to send them our resume, or to arrange a short call to learn more about the position.

This does not always mean something bad, nor should every such message be labeled spam, even though some proposals reach us only because of a keyword in our profile. Many of them are legitimate offers from real organizations and staff who are genuinely looking for new hires.



Seize the right moment

These offers reach not only people who currently have a job, but also those who are out of work and actively looking for one (even their first). It is with the latter group that attackers play on a key factor: human emotions. Looking for a job can be time-consuming, tiring and exhausting, and as time goes by you can let your guard down and apply for any open position. But do we know whom we are sending our resume to? And what information in it could be useful to an attacker?



If we think about it, our resume is a summary of important data about our lives, information that can be used for malicious purposes if it falls into the wrong hands. The following items are usually present on a resume:

● E-mail address. One piece of data that never fails to appear on a resume. What would happen if an attacker knew it? Is it the address I use to log in to social networks, other platforms or my bank? Is it associated with other services? Can it be used to phish me?

● Phone number. Another common item on resumes. Again, assume we may become the target of an attack. Is that number used for two-factor authentication (2FA)? Could it be taken over, for example through a SIM-swap attack?

● Exact address. Although it is less common nowadays to see the applicant's exact home address, it is still one of the most frequent pieces of information. Consider how necessary it really is to give your exact home address to a third party. Can an approximate location (city or neighborhood) be given instead?

● National identity card number. The share of resumes carrying this information is much lower today than a few years ago, but it is not zero. Is this information really essential for the application?

These are some examples of sensitive data that are usually exposed in applicants' resumes. Are any of them present in yours? Did you ask yourself these questions before adding them?
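As an added, practical way to answer that last question (example code written for this page, not part of the original post), the script below scans a resume's plain text for the four categories listed above and can mask the ones that are rarely needed for an application. The sample resume is constructed; the patterns are heuristics, and the national ID pattern in particular assumes a 7-8 digit number labelled "DNI", "ID" or "National ID", which will need adapting for other countries. Matches are blanked out as each category is found so that a later, looser pattern (the phone one) does not report the same digits twice, and year ranges from the experience section are filtered out of the phone results.

```python
"""Pre-flight PII check for a resume before sending it to an unverified recruiter.

Added example; patterns are conservative heuristics, not a complete PII detector.
"""
import re

# Order matters: earlier, more specific patterns are scrubbed from the text
# before later, looser ones run (e.g. an 8-digit DNI would otherwise also
# look like a phone number).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # Assumption: a label followed by a 7-8 digit number (DNI-style numbering).
    "national_id": re.compile(
        r"\b(?:DNI|National ID|ID(?: No\.?)?)[:\s#]*(\d{7,8})\b", re.IGNORECASE
    ),
    # "221 Baker Street" style or "Calle Falsa 123" style street addresses.
    "exact_address": re.compile(
        r"\b\d{1,5}[ \t]+[A-Za-z]+(?:[ \t]+[A-Za-z]+)*[ \t]+(?:Street|St|Avenue|Ave|Road|Rd)\b"
        r"|\b(?:Calle|Avenida|Av)\.?[ \t]+[A-Za-z]+(?:[ \t]+[A-Za-z]+)*[ \t]+\d{1,5}\b",
        re.IGNORECASE,
    ),
    # Optional country code, optional area code, then 7-8 digits with separators.
    "phone": re.compile(
        r"(?<!\w)(?:\+\d{1,3}[\s-]?)?(?:\(?\d{2,4}\)?[\s-]?)?\d{3,4}[\s-]?\d{4}(?!\w)"
    ),
}

# "2019-2022" employment dates match the phone pattern; filter them out.
YEAR_RANGE = re.compile(r"(?:19|20)\d{2}\s*-\s*(?:19|20)\d{2}")


def find_pii(text):
    """Return {category: [matched strings]} for every PII category found in text."""
    findings = {}
    scrubbed = text
    for name, pattern in PII_PATTERNS.items():
        hits = []
        for m in pattern.finditer(scrubbed):
            value = m.group(0).strip()
            if name == "phone" and YEAR_RANGE.fullmatch(value):
                continue  # employment dates, not a phone number
            hits.append(value)
        if hits:
            findings[name] = hits
        # Blank out this category's matches (same length, so offsets are kept)
        # before the next, looser pattern runs over the text.
        scrubbed = pattern.sub(lambda m: " " * len(m.group(0)), scrubbed)
    return findings


def redact(text, categories=("exact_address", "national_id")):
    """Return a copy of text with the given PII categories replaced by [REDACTED].

    The default masks the two items the post suggests are rarely necessary for
    an application; email and phone are left so the recruiter can reply.
    """
    for name in categories:
        text = PII_PATTERNS[name].sub("[REDACTED]", text)
    return text


# Constructed sample resume (fictional person and contact data).
SAMPLE_RESUME = """\
Jane Doe
Email: jane.doe@example.com
Phone: +54 11 4567-8901
Address: 221 Baker Street, Buenos Aires
DNI: 12345678

Experience
Security Analyst, ACME Corp, 2019-2022
"""

if __name__ == "__main__":
    for category, values in find_pii(SAMPLE_RESUME).items():
        print(f"{category}: {values}")
    print()
    print(redact(SAMPLE_RESUME))
```

Run it against the text export of your own resume (or any PDF converted with a tool such as pdftotext) and compare the findings with the questions in the list above; anything flagged under exact_address or national_id is a candidate for removal before the file leaves your machine.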

Conclusions

We have covered some of the risks we are exposed to every day on this social network. This does not mean that, after reading this post, we should ignore every job offer that lands in our inbox; the aim is to raise awareness and keep all users alert, not only large corporations, which may be a more profitable target for attackers, but anyone who uses the network.

Meanwhile, LinkedIn does what it can to prevent the creation of fake profiles so that its network is not used to commit crimes or run scams, but ultimately, as in any other context, we are responsible for how we use our tools.