Businesses should be on high alert from social engineering tactics

Networks of spies using bribery and fake identities may seem the stuff of high politics, but techniques devised by hostile foreign intelligence services are being adapted by those seeking industrial secrets for commercial gain.  

The warning comes after investigators claim to have uncovered a series of high-profile infiltrations by Chinese state spies. In one case, it is alleged that an intelligence officer for China's Ministry of State Security used the professional social media platform LinkedIn to connect with British officials, academics and those in sensitive positions in security, science, and technology. Presenting himself as a legitimate connection via a string of aliases and fake companies, he is said to have lured individuals into sharing secrets in exchange for money or lucrative business deals, including requests for authorising specialist articles.  

"It's a form of social engineering, by which fraudsters use psychological manipulation to trick users into making security mistakes or giving away sensitive information," explained Commercial Intellectual Property Law Expert Torion Bowles. "In this case, it seems that connecting via a public platform led to many of those contacted simply assuming that the connection was genuine without carrying out any checks."

Targets on LinkedIn involved government officials, but the tactics were also applied to those with privileged research or commercial knowledge in academia and industry.

"It's easy to see how this approach can be adapted from the arena of state-sponsored spying into the commercial arena, and it's a real wake-up call for organisations of all sizes and sectors. They need to be sure they have up-to-date processes in place to protect their intellectual property and confidential organisational information. It's also important that staff are regularly updated on new techniques used by fraudsters".

"The burden is on businesses to prove they have protected their corporate intelligence under the Trade Secrets (Enforcement, etc.) Regulations 2018. Businesses need to show that reasonable steps have been taken to protect trade secrets".

"Legislation introduced in 2018 means that companies need to prove the inherently secret nature of information and demonstrate how it has been protected if they wish to challenge any sharing of it. A regular review of the processes in place with employees, suppliers and customers is essential, including non-disclosure agreements and confidentiality provisions in both supplier and client contracts".  

"Restricting access to information internally is also important; ideally, trade secrets should be stored using encryption and password protection, with clear protocols on access. And sometimes, simple steps such as using 'confidential' as a document watermark can help reinforce the culture by demonstrating the value of information that may seem 'everyday'."

Tips for combatting online fraud and validating individuals are set out in MI5's Think Before You Link campaign. It suggests using reverse image searching of pictures and being aware that someone with mutual LinkedIn connections does not mean they have valid credentials. LinkedIn also publishes regular updates on how they are combating fraud and guidance for users.  

If your organisation has been subject to a breach in data or confidential information, speak to our Intellectual Property Legal specialists on 023 8063 9311 or email enquiries@warnergoodman.co.uk. We can review your case and provide guidance on what steps to take next to help minimise the impact on your business and prevent any future breaches.