Think before you Link


Note – for obvious reasons the identity of the individuals has been disguised.


Consequences of linking before thinking


It’s easy to link before you think, at least it was for David. When Penny from an international consulting firm asked to connect on his professional networking site, he accepted. She was offering an auspicious business proposition, and he felt reassured by their mutual online contacts.


One month and many messages later, Penny suggests they switch to email communication. They exchange information on international events, and Penny exacts from David details of his expertise and insights. David is invited to an all-expenses-paid overseas trip, and he readily agrees. At the first meeting David is given a gift and a transaction is agreed: in return for his reports on geo-political events, he will be given a handsome fee. Following intervention by the Security Services, David is spared from further entanglement. However, he is not spared his employment, nor his security clearance, and he is vilified by work colleagues.


Industrial scale targeting


David is – or was – a civil servant, and he is not alone: MI5 estimates he is one of 10,000 British officials to have been targeted by hostile states on sites such as LinkedIn. And it is not just government personnel, or ex-government personnel, who are being targeted: it is professionals from every walk of life. Hostile state actors are posting malicious social media profiles on an ‘industrial’ scale to gain snippets of information from individuals relating to their work, and the industries they work in. The information hostile states gather through malicious approaches can be utilised to seek an advantage over, or even damage, the UK’s economic, technical and trading position in the world.


During the first six months of last year alone, almost 38 million fake profiles were removed on professional networking site LinkedIn.


The consequences of not thinking before linking can be professionally catastrophic; new guidance from CPNI will help users of professional networking sites navigate the risk.


Flattery will get you everywhere


It is easy to think that you would not be duped like David, but approaches can be very beguiling. Behavioural Science research undertaken by CPNI to inform the campaign reveals strong parallels with romance and financial scams online. In a similar vein, the perpetrator will ground their approach in an assessment of the individual’s behaviours and circumstances, to tailor and target their messaging. And they will use a combination of charm and flattery to entice someone into a relationship with them.


Fake-out factors


However, on the positive side, there are determining factors that will help users of online professional networking sites recognise the hallmarks of a fake profile. Perpetrator profiles are a smorgasbord of fake names, photos and job descriptions. CPNI advises people to make a judgement call – “if it doesn’t look and feel right, it probably isn’t” – and to always question the legitimacy of the contact. Just because they present a company name and share contacts with you does not mean that they are bona fide.


The four Rs


CPNI advice centres on a four-step approach:


• Recognise – look out for the hallmarks of a fake profile, check out the individual requesting the contact and the company they say they work for


• Realise – be cognisant of the threat and the ramifications of connecting with a malicious actor


• Report – if you suspect a malicious report, act on it. Report it to your security manager, professional networking site or to CPNI direct


• Remove – remove the connection from your professional network


CPNI has made two videos, ‘Glitch’ and ‘Linked’, which take the viewer through the four steps above and is encouraging organisations to run the campaign for their own workforce. The campaign materials and videos can be downloaded from the CPNI website:


https://www.cpni.gov.uk/security-campaigns/think-you-link


© CITY SECURITY MAGAZINE – SUMMER 2021 www.citysecuritymagazine.com


Force multiplier effect


By following CPNI protective security advice, employees can have a force multiplier effect; increasing their own levels of awareness and protection helps embed a strong security culture in the organisation. Furthermore, the greater the awareness people have of their digital footprint and the risk of clicking on unknown links in social media and in emails, the more alert they will be to spear-phishing attempts. Understanding the consequences of compromise can also contribute to people reducing their vulnerability to scams and criminality in general.


CPNI quote: “Over the years we have honed our unique position of being able to utilise experience and intelligence from our parent organisation combined with our Behavioural Science and Technical experts to deliver practical solutions to mitigate the threats we face. By following the behaviours advocated by the campaign, individuals and organisations will play a vital role in protecting themselves as well as our sensitive assets and information from malicious actors.”


In summary


Don’t forget: for every David, there’s a Penny out there; you are more interesting than you think.


Author: Head of Personnel and People Security & Insider Threat Research Centre, CPNI. www.cpni.gov.uk

