Spear phishing attacks can target social networking sites
Written by Dan Blacharski on October 17, 2008

Social networking sites have changed the game of the Internet, ushering in a new layer of functionality and connectivity. People have new ways to connect, both for fun and business. Unfortunately, attackers also have new ways to connect as a result.
A recent report showed that ten thousand users of LinkedIn, a networking site for business professionals, were targeted in a spear phishing attack that attempted to trick users into downloading a malicious attachment. Spear phishing is particularly dangerous because of the level of trickery involved. By now most of us know to raise the red flag when we receive an email from a web site we use that is addressed to “Dear Member,” or some other generic greeting, and then proceeds to ask us for personal information. But spear phishing addresses us by name, thereby lulling us into a false sense of security and trust. In this attack, the email appeared to be from LinkedIn, addressed the recipient by name, and asked them to download a file, implying that the member had requested it.
Certainly, a spear phishing attack is more difficult to carry out, since the attacker must first obtain personal information–but with the increasing popularity of social networking sites, obtaining email addresses and names could be done with a little bit of time and planning. These types of directed attacks have a much higher success rate, and so it is necessary to take education to the next level.
In addition to educating users not to click on emailed links, and warning them about emails that appear to be from trusted sources but are addressed generically, we must also provide education specific to these targeted attacks. Specifically, users should be suspicious if they receive an email that is addressed to them personally and appears to be from a trusted source, but nonetheless asks them to download a file or take an action that they did not request. And at all times, it’s a good idea to enter the legitimate web site’s URL directly into the browser rather than clicking on an emailed link, which can be disguised. The attack could easily have been avoided if, on receiving the email that appeared to be from LinkedIn, the recipient had gone directly to their LinkedIn account through their browser instead of clicking on the provided link.