How OSINT awareness can mitigate social-engineering attacks
COMMENTARY: Social engineering, the root cause of 70% to 90% of all cyberattacks, uses a variety of manipulative tactics to coerce users into visiting login or password-reset pages designed to steal their credentials.
Common social-engineering attacks exploit basic human emotions, such as urgency, curiosity, or fear. In a mass-phishing attack, the target’s name might be absent, misspelled, or incorrect, and the content may reference products, services, or locations unfamiliar to the recipient.
By contrast, in a targeted phishing attack the content is meticulously crafted: it incorporates personal details such as name, job title, or contact information, mimics the organization's tone or style, and references past or upcoming corporate events. Beyond phishing, social-engineering tactics include baiting, scareware, pretexting, watering-hole attacks, and physical breaches.
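The mass-versus-targeted indicators above can be checked mechanically at triage time. The following is an added example, not code from the article, that scores a constructed inbound message against a constructed recipient profile: whether the salutation names the recipient correctly (using difflib similarity to catch misspellings), whether the text references terms the recipient would recognise, and whether it pairs an urgency cue with a credential lure. The recipient name, organisation terms, and both messages are hypothetical.

```python
import difflib
import re

# Constructed recipient profile and sample messages (hypothetical, not from the article).
RECIPIENT = {"name": "Dana Whitfield",
             "org_terms": ["acme corp", "q3 offsite", "finance team"]}

MASS_MSG = """Dear Customer,
Your SecureBank account will be suspended within 24 hours unless you verify now.
Click the link to confirm your password."""

TARGETED_MSG = """Hi Dana,
Ahead of the Q3 offsite the Finance Team needs the vendor list today, urgent.
Please log in to the shared portal and re-enter your password."""

URGENCY = re.compile(r"urgent|immediately|within 24 hours|suspended|verify now|today", re.I)
CREDENTIAL = re.compile(r"password|log ?in|verify your account", re.I)


def greeting_name_status(text, full_name):
    """Classify the salutation name as exact, misspelled, wrong or absent."""
    m = re.match(r"\s*(?:dear|hi|hello)\s+([A-Za-z][A-Za-z .'-]*?)\s*[,!:]", text, re.I)
    if not m:
        return "absent"
    found = m.group(1).strip().lower()
    parts = full_name.lower().split()
    # Best similarity against the first name, the last name and the full name.
    best = max(difflib.SequenceMatcher(None, found, p).ratio()
               for p in parts + [" ".join(parts)])
    if best == 1.0:
        return "exact"
    if best >= 0.8:
        return "misspelled"
    return "wrong"


def triage(text, recipient):
    """Combine the article's indicators into a readable verdict for an analyst."""
    name = greeting_name_status(text, recipient["name"])
    lowered = text.lower()
    familiar = [t for t in recipient["org_terms"] if t in lowered]
    urgency = bool(URGENCY.search(text))
    lure = bool(CREDENTIAL.search(text))
    if name == "exact" and familiar:
        style = "targeted"   # personalised and context-aware: likely OSINT-assisted
    elif name != "exact" and not familiar:
        style = "mass"       # generic or wrong greeting, no recognisable context
    else:
        style = "unclear"
    return {"greeting": name, "familiar_terms": familiar, "urgency": urgency,
            "credential_lure": lure, "style": style, "suspicious": urgency and lure}
```

The "targeted" verdict is the one worth escalating, since it suggests the sender already holds personal or organisational context about the recipient.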
In recent years, the prevalence of targeted social-engineering attacks has increased significantly owing to one underlying reason: the availability of Open-Source Intelligence (OSINT).
OSINT refers to both the process of gathering and analyzing publicly available information and the intelligence insights derived from that process. Coined by the U.S. military during World War II, OSINT serves as an overarching term that encompasses multiple intelligence categories, including geospatial intelligence (GEOINT), human intelligence (HUMINT), signal intelligence (SIGINT), imagery intelligence (IMINT), and social media intelligence (SOCMINT), among others.
While OSINT gets widely used by governments, law enforcement, and businesses for legitimate purposes, it has also become a favored tool for threat actors. By piecing together fragments of publicly available data, attackers can build detailed profiles of their targets, which lets them design personalized and highly effective social-engineering campaigns.
How hackers use OSINT in social-engineering attacks
Bad actors strategically leverage various types of OSINT to enhance the effectiveness of their social-engineering attacks:
- Using GEOINT, adversaries can pinpoint a target’s location, daily routines, or frequently visited places, letting them craft scenarios that feel familiar and credible.
- HUMINT often gets employed to build trust through direct interactions, such as impersonating colleagues or authority figures, to extract sensitive information or manipulate targets into taking specific actions.
- SIGINT lets attackers intercept and analyze communications, such as emails or phone calls, to gather personal or organizational details that are used to create highly convincing phishing or pretexting schemes.
- IMINT offers visual insights, such as photos or videos, which can reveal personal habits, workspaces, or even security vulnerabilities that attackers exploit to tailor their approach.
- SOCMINT lets bad actors harvest personal data, interests, and social connections from platforms like LinkedIn, Facebook, or X, for the design of hyper-personalized attacks that exploit human emotions like trust, curiosity, or greed.
Together, these OSINT techniques let attackers build sophisticated, targeted social-engineering campaigns that are increasingly difficult to detect and resist.
AI and OSINT together amplify social engineering
Artificial intelligence (AI) has revolutionized the way attackers gather, process, and use OSINT. For instance, machine learning (ML) algorithms can quickly sift through social media platforms, public records, and online forums to identify patterns, relationships, and vulnerabilities that might otherwise go unnoticed. AI lets attackers efficiently build detailed profiles of their targets, including personal preferences, behavioral patterns, and professional networks, without requiring significant manual effort.
Additionally, natural language processing (NLP) algorithms can analyze communication styles, enabling attackers to craft phishing emails or messages that closely mimic the tone and language of a target’s colleagues or superiors. Similarly, AI can generate deepfake audio or video content, creating convincing impersonations of trusted individuals to manipulate targets into taking specific actions, such as transferring funds or sharing sensitive information.
Time to get serious about OSINT risks
Organizations must adopt OSINT-aware strategies to effectively manage and mitigate risks. Top strategies include:
- Conduct independent assessments: OSINT assessments help identify and analyze the digital footprint of the organization and its employees, ensuring awareness of publicly accessible information and potential threats. Assessments must include both defensive and offensive approaches.
- Develop high-level policies: The C-suite, working with compliance, risk, and OSINT experts, must focus on creating data-protection policies and procedures, for example, procedures to verify the authenticity of requests, especially those involving sensitive information or financial transactions.
- Deliver recurrent training: Offer regular, comprehensive training and awareness programs for employees at all levels. These programs should help staff understand how attackers exploit publicly available information and equip them with the knowledge and skills to protect both personal and professional data from social-engineering threats.
- Foster a culture of personal responsibility: Encourage staff members to take accountability for their actions, emphasizing the importance of vigilance, information hygiene (limiting what they share online), and adherence to cybersecurity protocols in both professional and personal contexts.
The sophistication of these attacks will continue to grow, so it’s essential that organizations take OSINT risks seriously, perform defensive and offensive OSINT assessments regularly, and invest in security awareness training programs. Only by taking a proactive approach to OSINT can organizations stay one step ahead in the ongoing battle against social engineering.