How attackers build a target profile from social media — step-by-step
1) Harvesting: what data they collect
Attackers collect any publicly available or weakly protected data. Typical items:
- Identity basics: full name, job title, employer, work email addresses and phone numbers (from LinkedIn, Twitter/X, Facebook).
- Relationships: names of family members, colleagues, managers, and partners (from posts, photos, tagged people).
- Routine & location: regular check-ins, travel photos, geotags, event attendance, and work hours (from Instagram, Stories, geotagged photos).
- Technical footprint: devices, apps, SaaS tools, open code repos or leaked credentials (GitHub, StackOverflow, job posts listing tooling).
- Personal interests + language: hobbies, slang, pet names, sports teams — used to make messages sound genuine.
Attackers use OSINT (open source intelligence) techniques and automated scrapers, plus manual review, to assemble these pieces into a coherent profile.
2) Profiling: creating the attack persona
From harvested data, attackers create a believable persona or context:
- Spear-phishing email: an email that references a recent team event, the victim’s manager, or a specific project to lower suspicion. (E.g., “Following up on the Q3 roadmap you posted — please review the attached doc”).
- Vishing / smishing script: a phone or SMS message that uses names/times (“This is IT — we observed unusual activity on your VPN at 10:12 AM on Tuesday”).
- Impersonation on social media / job recruiter ruse: fake LinkedIn recruiter profile referencing exact technologies the target uses — then send attachments or links. Recent threat actors have used this to recruit remote access or install malware.
Automation + generative AI now lets attackers generate highly personalised messages in minutes, improving success rates.
3) Attack execution: common use cases
- Spear-phishing → Credential harvest / malware: A tailored email convinces the victim to open a link or enter credentials on a fake corporate login page.
- Business Email Compromise (BEC): Using knowledge of finance contacts and approval workflows, attackers impersonate executives to request payments.
- Whaling: High-value targets (C-suite) receive tailored pretexts referencing board meetings, vendors, or confidential projects.
Romance / Sextortion & Deepfakes: Attackers build trust over time using stolen photos and then extort or trick victims into payments. Deepfakes increase realism.
Real-world examples
- Recruiter ruse on LinkedIn: Threat actors build convincing recruiter profiles to engage employees, deliver a malicious file, or gather access details. (Documented in incident reports and IR blogs.)
- Fitness app leaks: Public workout routes revealed sensitive locations (military bases) when users shared GPS-tagged activity. This shows how location data becomes a vector.
- Deepfake romance/impersonation rings: Organized groups used face-swap deepfakes to persuade victims into financial transfers or to extort.
Red flags — how to spot when social data is being weaponized
- Unexpected messages that reference very specific personal facts (kids’ names, recent trips, small workplace details).
- Messages creating urgency or secrecy: “Don’t tell anyone — need this done now.”
- New connect requests from people with sparse profiles but with mutual connections (often the first step to harvest more data).
- Recruiter/job outreach that asks you to download attachments or use personal email for “faster processing.”
- Phone calls that verify “your username” or ask for OTPs — legitimate IT will never ask for your password or one-time codes.
Practical mitigations
For individuals
- Harden social profiles: set posts and friend lists to private; limit bio details (phone, personal email).
- Remove metadata: disable geotagging in camera settings and strip EXIF data before posting. (Screenshots remove EXIF.)
- Think before you connect: vet LinkedIn requests (look for full histories, endorsements, consistent activity).
- Use app-based MFA or hardware keys — avoid SMS where possible.
- Be skeptical of messages that use personal info to force action; verify by separate channels (call a number you already have).
For organizations
- Enforce social media / digital footprint policies: controls over what employees can post (photos inside R&D labs, screenshots of whiteboards, etc.).
- Mandatory phishing simulation & awareness training focusing on relationship-based social engineering (not just “spot the typo”).
- Apply DMARC, DKIM and SPF to reduce impersonation; monitor for lookalike domains.
- Implement strict payment verification controls (out-of-band confirmation for wire transfers) to stop BEC.
- Limit privileged account access and use just-in-time access, plus strong logging and anomaly detection for unusual approvals or data exfiltration.
Quick checklist you can use / share
- Disable camera geotagging and remove EXIF before public posts.
- Review privacy settings on major platforms monthly.
- Never share passwords or OTPs; report suspicious requests.
- Verify payment / vendor change requests by calling an independently verified number.
- Train staff on social engineering every 6 months and run real-world phishing tests.
- Implement hardware MFA for executives and high-risk employees.