
While LinkedIn is not the most widely used social media platform, it is disproportionately used by the professional class. Think business execs, lawyers, accountants, bankers, tech workers, finance, etc. They are (generally) high income earners and/or decision makers at large organizations. This makes LinkedIn a target-rich environment for Bad Actors.
We saw this play out last month with the ransomware attacks on MGM and Caesars Palace. The Bad Actors in these attacks purportedly initiated their crime by using employee information found on LinkedIn. (source) From there they were able to infiltrate each company’s network.
Having a public profile on a platform like LinkedIn has always been an obvious privacy risk. But it’s one most professionals have decided is worth it. To date most of the risk is to the employer, though there’s no guarantee that remains the case if companies become too hard a target. Either way, the MGM incident is an opportunity for all LinkedIn users to reevaluate the information they share and adjust as appropriate.
Areas of Risk
Doing without a LinkedIn profile is not feasible for the professional class these days. So it’s important to understand which types of personal information on LinkedIn pose the greatest risk, and to evaluate whether that information needs to be disclosed or can at least be restricted. Here are some of the top ones:
Location Data. This could be the city, town or geographic area you live in. It’s prominently displayed in your profile headline. LinkedIn also asks for your zip code.
School Graduation Years. If you post the year you graduated from college, a Bad Actor can make a reasonable assumption about the year you were born. Ballpark is good enough.
Travel Plans. Users often post current travel plans or future travel plans.
Email Address. Unless you have the proper limitations selected, this information is available to a wide range of LinkedIn users.
Phone Number. Same concerns as with email.
Resume. Users regularly post their more detailed resume to their LinkedIn profile. Though less common now, resumes tend to include your full residential address and phone number.
The problem with having the above information public is that it can be used by a Bad Actor for a variety of purposes, from targeted phishing attacks to identity theft to offline stalking. The more information provided, the more convincing a spearphishing attack will be. And the more specific the data (e.g. Arlington, VA vs. Washington, D.C. metro), the more valuable it is to a Bad Actor.
Of note, the information found on LinkedIn can be used to obtain even more detailed information about you from other sources. Here’s a real-life example you can easily verify yourself:
1. Bad Actor discovers your current employer, residential city and graduation year from LinkedIn.
2. Bad Actor visits WhitePages.com or Zaba Search and looks you up using your name, city and state.
3. Even if you have a common name (Joe Smith), with the data points from #1, Bad Actor can more easily identify your individual entry on WhitePages.com and Zaba Search and get all or some of the following data points: (a) residential history, (b) current address, (c) phone number, (d) email, and (e) names of your family members.
It’s not hard to imagine different scenarios where that information can be used to your detriment.
Mitigating the Risks
To mitigate these risks and protect your personal privacy on LinkedIn (and other social media platforms for that matter), consider implementing the following measures:
Minimize the Data You Share: Less is always better. For example, use a metro area for your residence (instead of your specific town). Provide a “fake” zip code instead of your real zip code. Don’t provide your email or phone number (or use your secondary ones). Consider dropping your graduation years.
Review Your Privacy Settings: Regularly review and update your privacy settings on LinkedIn to ensure that only trusted individuals have access to your personal information. New features and settings are added regularly, so you want to check this a couple times a year.
Be Cautious About Accepting Connection Requests: Verify the person’s identity before granting them access to your personal information. It’s easy to put together a fake profile that looks legit.
Limit the Visibility of Sensitive Information: Utilize privacy settings to restrict the visibility of your personal information to as limited a group as is reasonable.
Enable Two-Factor Authentication: Enable two-factor authentication to add an extra layer of security and prevent unauthorized access.
Monitor Your Account Activity: Keep a close eye on your account activity and report any suspicious or unauthorized access.
Remove Your Personal Info Online: Unless you’ve already removed your data from online data brokerage sites like WhitePages.com and Zaba Search, your personal info is all over the internet. You can remove it yourself, but it’s difficult and time-consuming. Plus, new sites pop up all the time. Consider signing up for a paid service that regularly checks these sites and removes your data. Two popular ones are DeleteMe and Privacy Bee.
Conclusion
By following these best practices, you can minimize the risks associated with sharing personal information on LinkedIn and other social media platforms and safeguard your privacy. Finding a healthy balance between staying connected online and protecting your personal privacy is increasingly important as new tech is rolled out. Be mindful of the information you share and take proactive steps to keep your personal information safe and secure.