The question we all need to be asking, before we open any odd or even remotely suspicious email or link – even if it comes from a trusted source, colleague, or platform – is “Did you send that to me?” Whether it was an email, LinkedIn message, a link, an attachment, or anything else, zero trust is more than just a term for IT security companies.
We’ve been warned not to click on links in emails and not to trust emails from people we don’t know…but it turns out we also can’t trust an actual LinkedIn message from a first-degree connection either. This week I received a LinkedIn message from a colleague that I’d seen earlier in the day. While I thought the message was somewhat odd, because it didn’t reference the fact that we’d seen each other, and it felt a little too formal, it was a LinkedIn message from a first-degree connection. It contained a link, which I clicked on.
The link required me to enter my Google password to open a document, which I did, still assuming this was a verified message from my colleague. Yet when I entered my Google password, it simply prompted for more information and I was stuck in the same loop of questions. At that point, I stopped and talked to my IT person, who determined that my colleague had been hacked – that while the message really did originate from LinkedIn and from this colleague, someone had broken into his account. My IT person – we all need great IT people in our lives! – asked me two questions that I will now be asking myself: “Do you know this person?” and “Does that link look odd to you?” And another one I’ve added: “What is my intuition telling me?” Rather than saying, “It’s probably OK,” we need to assume it most likely isn’t.
While I dealt with changing my passwords, my colleague received 30 messages from his connections who had also received the message I did. LinkedIn didn’t notify him that there had been unusual activity on his account.
Our vendors are failing us
Customers get a text message from American Express within 30 seconds of a card being used for any transaction, to make sure it was legitimate. If something is wrong, customers can be instantly connected to their customer service team to resolve the issue and prevent any further risk to the account.
Compare that to LinkedIn, which doesn’t even have a phone number. In fact, there was no immediate solution available for my colleague. He ended up having to send an email to LinkedIn support, and it took more than 12 hours to receive a response. In today’s world, 12 hours is an eternity. What’s even worse is that when he did finally hear from LinkedIn support, they required a copy of the front and back of his driver’s license to verify it was him. What?! Everyone under 40 has told their parents not to send anything like driver’s licenses or passports through the Internet. It was an unreasonable request and demonstrates a clear lack of concern for users. LinkedIn, in spite of having a data breach a few years ago, was a trusted source. No longer.
We Deserve Better Security
LinkedIn – and every other social sharing platform, email host, and online service – should be monitoring and alerting customers immediately – and Congress should be mandating it. Every company, starting immediately, needs to have a security system that PROTECTS the consumer. Plenty of companies have it – 2-step verification, security questions, and next-generation verification. But none of them should be asking for our social security numbers, copies of documents, our birthdays, or anything else that identifies us and leaves us vulnerable to identity theft.
We should also ask about every company’s security policy – knowing that they use our information is not enough; we need to ask specifically what they are doing to protect our security. We all ask about return policies, and consumer demand has resulted in the smart companies offering free shipping in both directions. Those are the companies we like doing business with. Asking companies for their security policies should be just as common a question before we buy from or engage with them.
Every one of us should demand better security before we’re even willing to do business with a company. I know that’s a tall order, and it will take time. But we deserve it. And in the meantime, don’t forget to ask your connections if that email/link is really from them.