Before a spear phishing email arrives, attackers have already spent time building a profile on the target. They use LinkedIn, company websites, social media, public records, and data broker profiles to construct a picture detailed enough to make the attack feel legitimate. The research phase is what separates spear phishing from spam.
Analysis Briefing
- Topic: Spear phishing target research and OSINT methods
- Analyst: Mike D (@MrComputerScience)
- Context: An adversarial analysis prompted by a reader question
- Source: Pithy Cyborg
- Key Question: What does an attacker know about you before the first message arrives?
The Open Source Intelligence Stack Attackers Use
LinkedIn is the most valuable research source for professional spear phishing. Job titles, reporting relationships, current projects, recent job changes, and professional connections are all publicly available and directly useful for constructing a plausible attack scenario.
Company websites yield org chart information, client names, partner relationships, and internal terminology. Press releases reveal recent deals, key personnel, and strategic priorities. Earnings calls and investor presentations for public companies provide even deeper context.
Social media provides personal details that make impersonation convincing: recent travel, family context, current events in your life, and communication style. A spear phishing email that references your recent conference attendance or congratulates you on a promotion you just posted about is not lucky. It is researched.
What Your Public LinkedIn Profile Tells an Attacker
Your LinkedIn profile is a gift to anyone planning a targeted attack. It confirms your employer, your title, your manager’s name if they are a connection, your colleagues, your career history, and your professional skills.
The “people also viewed” section maps your professional network. Your endorsements confirm technical capabilities an attacker might reference. Your activity feed shows what you are engaged with professionally right now.
None of this requires special access. It is the information you chose to make public to advance your career. Attackers read it for the same reason recruiters do: it tells them exactly who you are and how to approach you credibly.
How AI Has Changed the Research Phase
AI has changed not just the writing of spear phishing emails but the research phase that precedes them. Automated OSINT tools can now aggregate LinkedIn profiles, public records, data broker databases, and social media activity into a target dossier in minutes. Research that previously took hours of manual work is now commodity infrastructure.
This is why spear phishing volume has increased even as the personalization quality has improved. The cost of researching a target has dropped to near zero. The emails are more convincing and there are more of them.
| Research Method | Data Points Extracted | Attacker Utility | 2026 AI Enhancement |
|---|---|---|---|
| LinkedIn Scraping | Reporting lines, current projects, tech stack. | High: Used to craft “Internal” lures. | Persona Mapping: AI predicts your likely “boss” or “trusted vendor.” |
| Google Dorking | Accidental PDF leaks, forgotten forum posts. | Critical: Finds your “Unique Voice” & credentials. | Automated Crawlers: Bots search for your name + “Confidential” 24/7. |
| Social Media (OSINT) | Travel history, pet names, hobby groups. | Medium: Used for “Friendly” conversation starters. | Lifestyle Profiling: AI identifies your “high-pressure” moments (e.g., a move). |
| Breach Databases | Old passwords, secondary emails, site history. | High: Used for account recovery & credential stuffing. | Historical Correlation: Links 10+ years of leaks into one profile. |
How Attackers Use This Information to Construct the Attack
A well-researched spear phishing email typically contains several specific, verifiable details about the target. It comes from an address that impersonates someone in the target’s professional network. It references a real context: a project, a relationship, a recent event.
Some high-value attacks extend the research phase into direct interaction. Attackers may call a company’s front desk, IT helpdesk, or reception before launching the phishing campaign to confirm reporting relationships, verify internal email formats, and establish whether a target is currently in the office. The phishing email that follows is more convincing because the attacker already knows things that should only be knowable from inside the organization.
The request embedded in the email is calibrated to the target’s role. A finance professional receives a payment request. An IT professional receives a credential reset request. An executive assistant receives a scheduling request that leads to credential theft. The attack is designed for the specific person, not for a generic employee.
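A defender-side triage sketch for the traits described above (an impersonated sender from the target's network and a role-calibrated request), as an added example that is not from the original article. The organization domain, staff directory, keyword lists and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: org domain and a tiny staff directory (display name -> address).
ORG_DOMAIN = "acme.example"
DIRECTORY = {"dana reyes": "dana.reyes@acme.example"}
# Role-calibrated request types from the text; the keyword lists are illustrative.
REQUEST_TERMS = {"payment": ("wire", "invoice", "bank details"),
                 "credential": ("password", "reset", "sign in")}

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return a list of findings for one raw message (single-part text assumed)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    known = DIRECTORY.get(name.strip().lower())
    if known and addr.lower() != known:  # colleague's name, wrong address
        findings.append("display-name-impersonation")
    if domain != ORG_DOMAIN and 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-mismatch")
    body = msg.get_payload().lower()
    for kind, terms in REQUEST_TERMS.items():
        if any(t in body for t in terms):
            findings.append("request:" + kind)
    return findings

# Constructed sample: a colleague's display name on a lookalike domain ("rn" for "m").
SAMPLE = """\
From: Dana Reyes <dana.reyes@acrne.example>
Reply-To: dana.reyes.office@mail.example
To: jane.smith@acme.example
Subject: Q3 vendor invoice

Jane, great talk at the conference. Please send the wire for the Q3 invoice today.
"""
print(triage(SAMPLE))
```

The accurate personal detail in the sample body contributes nothing to the verdict; only sender identity and the nature of the request are scored.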
How Attackers Use Google Dorking to Find Things You Did Not Know Were Public
Google advanced search operators, known as Google dorks, allow attackers to find specific types of sensitive information indexed by Google that most people do not know exists publicly.
Common dork patterns used in target research include searching for a person’s name combined with their company and the filetype operator to find publicly accessible documents they authored. Searching for a company’s domain combined with terms like “password” or “credentials” finds accidentally exposed files. Searching for a person’s name in combination with specific platforms surfaces accounts they may have forgotten exist.
Information you posted years ago on a forum, a blog, or a platform you no longer use may still be indexed by Google and visible to anyone who searches with the right operator.
The Self-OSINT Audit: Search Yourself Before They Do
The most actionable thing you can do with the information in this piece is run the same searches on yourself that an attacker would run, before they do. Three searches cover the most important ground:
Your name in quotes (“Jane Smith”) combined with your employer surfaces the profile an attacker sees first. Add your city if your name is common. Note which data broker sites, forum posts, or old accounts appear in the first two pages of results.
Your work and personal email addresses searched directly reveal breach listings, forum registrations, and platform accounts linked to those addresses that you may have forgotten exist. HaveIBeenPwned.com covers the breach exposure specifically.
Your name combined with your employer and your role (“Jane Smith Acme Corp finance”) shows what a targeted attacker constructing a BEC or spear phishing scenario would find when researching your specific position.
If any of these searches surface information you would not want an attacker to have, that result tells you where to focus your opt-out and privacy audit effort. The data broker opt-out guidance from the previous piece in this series applies directly to whatever surfaces here.
What This Means For You
- Audit your LinkedIn privacy settings. Consider limiting who can see your full connection list and activity feed. These are not paranoid steps: they are the same audit a recruiter or journalist would do.
- Run the three-search self-audit described above before assuming you know what is publicly visible about you. Most people are surprised.
- Be skeptical of any unsolicited contact that demonstrates detailed knowledge of your professional situation. Research is a signal of intent, not a signal of legitimacy.
- Train yourself to notice the personalization pattern. A message that references your name, your manager, and a real project is not proof it is legitimate. It is proof it is researched.
- Apply the same skepticism to phone calls as to emails. Pretexting calls to your organization’s front desk or helpdesk are part of the research phase for high-value attacks. Unusual questions about org structure or staff availability from unfamiliar callers are worth noting.
