SQLServerCentral is supported by Redgate

Clicking on Links in Email

Every security awareness presentation warns against opening attachments or clicking on links in emails when you don't know the sender or aren't 100% positive that the sender intended to send the email. Yet, despite this general warning, we all typically do it. For instance, if you're on Twitter and you get an email saying someone is following you, you have a link in that email where you can check out their profile and follow them back. If it's a name or handle you recognize, it seems like a no-brainer to click on the link and follow them back. It's just not a good idea.

Over the last few weeks I've received several emails that purport to be from LinkedIn and look like the real thing. They are all emails saying someone wishes to establish a connection with me. The graphics, text, and layout are copied straight from the legitimate LinkedIn emails. The names aren't obvious give-aways that something is wrong. The only way one can tell is to hover over the link and see an address other than linkedin.com show up. However, even this test isn't foolproof.

For instance, if you go to a media site and you click on a link that takes you off-site to another media provider, you might see the URL point to something at outbrain.com. It's a "content recommendation solution" that tries to provide links of interest based on what is known about the person doing the browsing. Obviously this isn't going to be the same address as the media site you were hitting. As more and more of these solutions become available, it becomes increasingly difficult to judge what's a legitimate link and what's not. When you add in all the URL shortening solutions out there like tinyurl.com, bit.ly, and others, you don't have any real way of knowing the real address on the other end.
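The hover check described above, automated as an added example (not part of the original post): it pulls each link's real host out of an HTML email body and compares it with the domain the message claims to come from. The function names, the `OPAQUE_HOSTS` list and the sample message are constructed for illustration; "match" means only that the host check passed, and an "opaque" link cannot be judged from its address at all.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shorteners and the redirector named in the article (assumed list; extend as needed).
OPAQUE_HOSTS = {"tinyurl.com", "bit.ly", "outbrain.com"}

def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain (label-boundary match)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def classify_links(html_body, claimed_domain):
    """Return (visible text, real host, verdict) for each link in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    results = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""   # ignores any user@ prefix
        if any(host_in_domain(host, d) for d in OPAQUE_HOSTS):
            verdict = "opaque"      # destination hidden behind a shortener/redirector
        elif host_in_domain(host, claimed_domain):
            verdict = "match"
        else:
            verdict = "mismatch"    # what hovering would have revealed
        results.append((text.strip(), host, verdict))
    return results

# Constructed sample message body; hosts use reserved example domains.
SAMPLE = """<p>Jane Doe wants to connect with you on LinkedIn.</p>
<a href="https://www.linkedin.com/">View profile</a>
<a href="http://linkedin.com.example.net/accept">Accept</a>
<a href="https://linkedin.com@example.org/accept">linkedin.com</a>
<a href="https://bit.ly/placeholder">See who else you know</a>"""

if __name__ == "__main__":
    for text, host, verdict in classify_links(SAMPLE, "linkedin.com"):
        print(f"{verdict:9} {host:28} {text!r}")
```

The second and third sample links show why matching on the text "linkedin.com" anywhere in the address is not enough: the check has to be made against the parsed host, at a label boundary.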

The solution is slower, but safer. Navigate to the site itself. So if I suspect there are LinkedIn connections waiting on me, I go to LinkedIn directly. This is the same sort of advice that we're told in those security awareness presentations and it's really the best course. It's not foolproof because a legitimate site could be infected, but there's not anything better. It does mean manual effort, but with phishers becoming more adept at sending emails that look like the real thing, it's all we're left with. After all, the usual warning signs of bad grammar, misplaced graphics, etc., have been overcome in too many cases now. Better to be safe than sorry.


K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

