I entered the recruiting industry about the same time social media started gaining popularity. From the beginning, the importance of having a strong LinkedIn network was impressed upon me. So I began connecting with as many people as I could in various industries who I felt would be good allies should I ever need to recruit in those industries. Additionally, I joined several groups, including several Open Networker groups, letting the LinkedIn community know that I welcomed invitations to connect. Naturally, as my network grew, so did the number of invitations I received. But as I continued to receive invitations to connect, it became obvious that many of these invitations were not from real people, but rather from fake LinkedIn profiles.
Why Do Users Create Fake Profiles?
I have since read several articles about how and why people create fake LinkedIn profiles. There seem to be a number of reasons, and certainly none of them are good. After all, if their creators’ intentions were pure, they would not need fake profiles. Most likely, the primary reason is to gather data. Dozens of fake profiles will likely achieve more connections than one authentic profile, thus allowing the creator to gather e-mail addresses, Twitter handles and any other information that can be sold to spam sites, sites that promise to increase your connections or followers for a price, or worse, any pertinent info that can be used for identity theft.
The thing that I find most interesting, however, is that the fake LinkedIn profiles from which I receive connection invitations all share the same characteristics:
- The first and last names are always in all lowercase letters. About 50 percent of the time, there is a period directly before the last name.
- The profile has very few connections – usually fewer than 50, sometimes even fewer than 10.
- Personal info is very limited. There are almost always two or three previous employers listed, a position title, and no other information.
- The photo is always generic. It’s usually a picture of something other than a person, and when it is a person’s photo, it appears to be a photo taken from the internet of someone doing something other than posing for a photo.
- The profile is almost always from Pakistan. I have no idea why, but nearly every fake profile connection request I receive lists Pakistan as the location.
Now, I understand the reasons for creating a fake LinkedIn profile, duplicitous as it may be. But what I don’t understand is why nearly ALL of them follow the exact same format I’ve listed above. If someone decides to create a fake profile, wouldn’t he or she at least TRY to make it look real? Lately I have received so many connection requests from these types of profiles that it takes only a few seconds to recognize them as fakes. Not to mention the fact that the requests seem to come in groups – this past weekend, I received eight in one day. Note to whoever is creating them – your format has become old and trite. It’s time to change things up.
LinkedIn does provide a remedy for the problem in the form of a “flag” button that will report the profile as spam. If enough people flag a profile, the site administrators will review it, and if they determine it’s spam, the user’s account will be suspended. But LinkedIn warns that anyone who abuses the flagging privilege, for example using software to mass-flag competitors’ profiles, will have their own account suspended.
The Story of Robin Sage
For those who put more than half an ounce of effort into creating a fake profile, the amount of information some people are willing to divulge online can be surprising. Two years ago, security consultant Thomas Ryan conducted a social engineering experiment that was documented in The Washington Times. Ryan created LinkedIn, Facebook and Twitter profiles of a fictitious girl named Robin Sage who claimed to work as a Cyber Threat Analyst at the U.S. Navy’s Network Warfare Command. In less than a month, the non-existent Ms. Sage had established connections with security specialists, military personnel, staff members at intelligence agencies, defense contractors and Global 500 corporations. Throughout the experiment, Robin was offered gifts, government and corporate jobs, and the opportunity to speak at security conferences. One soldier in Afghanistan forwarded her a picture of himself containing embedded data revealing his exact location, while a contractor with the National Reconnaissance Office inadvertently revealed the answers to the security questions on his personal e-mail account. While some caught on immediately to the fraudulent nature of Robin’s profile by calling the phone number listed on her profile or asking her to e-mail them from her military account, those who connected with her never took issue with the obvious red flags. For example, her age was listed as 25, yet she claimed to have 10 years of experience in the field of cyber security, which would have meant she entered the field at age 15. More importantly, there is no such position as a Cyber Threat Analyst at the Naval Network Warfare Command.
If this is the behavior displayed by top security officials, military personnel and corporate professionals, imagine the amount of information an experienced cyber criminal can glean by creating a fake social media profile and targeting the unsuspecting public. What advice can you give to discourage the fraudulent use of social media? How do you respond to LinkedIn connection requests from suspicious profiles to ensure your information doesn’t fall into the wrong hands?