Alert: RateStars and LinkedIn phishing scam

by Cinda Baxter on August 9, 2012

in internet, Security


Yesterday, I received an email from my friend, Susan, requesting a review of her business on RateStars. Given how supportive she’s been of my efforts with The 3/50 Project, sharing well-deserved kudos was the least I could do.

Oddly, clicking the provided link resulted in a dead-end page. I emailed Susan to let her know, expecting a “Thanks, I’ll look into it” response.

Instead, her reply began with the dreaded words, “IGNORE THIS REQUEST!” Turns out, it’s yet another scam looking for LinkedIn passwords. All it takes is one trusting person to start the scam rolling. 

Here’s how it worked:

1. Susan received a RateStars request from a trusted friend (we’ll call him Jeff), sent from his email address

2. Believing the message truly was from Jeff, she clicked the link

3. When instructed, she logged into the review page using her LinkedIn account (the request came from a trusted friend, after all)

4. RateStars accessed her LinkedIn account

5. RateStars began whipping off the next wave of scam emails, this time to people in Susan’s LinkedIn network…which is how I ended up with one

Given the myriad of websites that ask users to log in using their LinkedIn, Facebook, and Twitter accounts, none of this seemed unreasonable—especially since the initial email appeared to come from Jeff…right?

Wrong.

How to protect yourself:

1. If you receive anything from RateStars, delete it (better yet, add them to your email blacklist, if you have the option).

2. If you think there’s even a sliver of a chance you’re exposed, change your password now…and please, make it alphanumeric and tough. (Personally, I adore 1Password, which not only creates tough passwords, but encrypts them for future use.)

3. If an email says you need to access your account, don’t click the link provided. Instead, manually go to their website, then log into your account. It’s absurdly easy to create an email that looks legit, including logos, graphics, and typefaces.

4. If a website asks you to log in using a password from another site (LinkedIn, Facebook, Twitter, etc.) look elsewhere on the page for an alternative option. Most offer one, although that option might be in fine print, off to the side or at the bottom of the page.

5. If your friends begin receiving fake emails from your address, change your address. Now. Scammers and spammers love to share—ending up on one scumbag’s list usually means ending up on several. Closing the burned address, then replacing it with something new, allows friends to blacklist the old one, reducing their risk.
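A small checker that automates tips 3 and 4, added here as an illustration and not part of the original post: it flags a link whose text names LinkedIn (or another provider) but whose address leads somewhere else, and a password field that submits to any site other than the provider itself, which is what a real “log in with LinkedIn” flow never does. The provider list, the sample HTML and the ratestars.example domain are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: the only sites on which these providers' passwords should ever be typed
IDENTITY_PROVIDERS = {"linkedin.com", "facebook.com", "twitter.com"}
def registered_domain(url):
    # "www.linkedin.com" -> "linkedin.com"; a production tool would consult a public-suffix list
    parts = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(parts[-2:])
class _Collector(HTMLParser):
    # Gathers (href, link text) pairs and the action URL of every form that holds a password field
    def __init__(self):
        super().__init__()
        self.links, self.password_forms = [], []
        self._href, self._text, self._form = None, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self._form = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self._form is not None:
            self.password_forms.append(self._form)
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None
        elif tag == "form":
            self._form = None
def find_warning_signs(html):
    p = _Collector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        for idp in IDENTITY_PROVIDERS:
            # Tip 3: the link text names a provider but the address leads elsewhere, so navigate manually instead
            if idp.split(".")[0] in text.lower() and registered_domain(href) != idp:
                findings.append(f"link '{text}' names {idp} but leads to {registered_domain(href)}")
    for action in p.password_forms:
        # Tip 4: a password box posting anywhere but the provider (or to a relative path we cannot resolve) harvests credentials
        if registered_domain(action) not in IDENTITY_PROVIDERS:
            findings.append(f"password form submits to '{registered_domain(action) or action}', not to a provider")
    return findings
# Constructed sample resembling the RateStars mail described above (ratestars.example is a placeholder)
SAMPLE = ('<p>Jeff asked you to review his business!</p>'
          '<a href="http://ratestars.example/review?u=42">Sign in with LinkedIn to review</a>'
          '<form action="http://ratestars.example/login"><input name="email"><input type="password" name="pw"></form>')
```

Running `find_warning_signs(SAMPLE)` reports both signs for the constructed mail, and reports nothing for a link and form that genuinely live on linkedin.com.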

It’s all about doing right by one another, after all.
