COMMENTARY: Social engineering, the root cause of 70% to 90% of all cyberattacks, uses a variety of manipulative tactics to coerce and direct users to login or password-reset pages built to steal credentials. Common social-engineering attacks exploit basic human emotions such as urgency, curiosity, or fear. In a mass-phishing attack, the target's name might be absent, misspelled, or incorrect, and the content may reference products, services, or locations unfamiliar to the recipient.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

In a targeted phishing attack, by contrast, the content is meticulously crafted: it incorporates personal details such as name, job title, or contact information, mimics the organization's tone and style, and references past or upcoming corporate events. Beyond phishing, social-engineering tactics include baiting, scareware, pretexting, watering-hole attacks, and physical breaches. In recent years, the prevalence of targeted social-engineering attacks has increased significantly for one underlying reason: the availability of open-source intelligence (OSINT).
OSINT refers to both the process of gathering and analyzing publicly available information and the intelligence insights derived from that process. Coined by the U.S. military during World War II, OSINT serves as an overarching term that encompasses multiple intelligence categories, including geospatial intelligence (GEOINT), human intelligence (HUMINT), signals intelligence (SIGINT), imagery intelligence (IMINT), and social media intelligence (SOCMINT), among others.

While OSINT is widely used by governments, law enforcement, and businesses for legitimate purposes, it has also become a favored tool for threat actors. By piecing together fragments of publicly available data, attackers can build detailed profiles of their targets, which lets them design personalized and highly effective social-engineering campaigns.

Using GEOINT, adversaries can pinpoint a target's location, daily routines, or frequently visited places, letting them craft scenarios that feel familiar and credible. HUMINT is often employed to build trust through direct interaction, such as impersonating colleagues or authority figures, to extract sensitive information or manipulate targets into taking specific actions. SIGINT lets attackers intercept and analyze communications, such as emails or phone calls, to gather the personal or organizational details used to build highly convincing phishing or pretexting schemes. IMINT offers visual insights, such as photos or videos, which can reveal personal habits, workspaces, or even security weaknesses that attackers exploit to tailor their approach. SOCMINT lets bad actors harvest personal data, interests, and social connections from platforms like LinkedIn, Facebook, or X to design hyper-personalized attacks that exploit human emotions like trust, curiosity, or greed.
Together, these OSINT techniques empower attackers to create sophisticated, targeted social-engineering campaigns that are increasingly difficult to detect and resist.

Conduct independent assessments: OSINT assessments help identify and analyze the digital footprint of the organization and its employees, ensuring awareness of publicly accessible information and potential threats. Assessments must include both defensive and offensive approaches.

Develop high-level policies: The C-suite, working with compliance, risk, and OSINT experts, must focus on creating data protection policies and procedures, for example procedures to verify the authenticity of requests, especially those involving sensitive information or financial transactions.

Deliver recurrent training: Offer regular, comprehensive training and awareness programs for employees at all levels, helping them understand how attackers can exploit publicly available information and equipping them with the knowledge and skills to protect both personal and professional data from social-engineering threats.

Foster a culture of personal responsibility: Encourage staff members to take accountability for their actions, emphasizing the importance of vigilance, information hygiene (limiting what they share online), and adherence to cybersecurity protocols in both professional and personal contexts.

The sophistication of these attacks will continue to grow, so it's essential that organizations take OSINT risks seriously, perform defensive and offensive OSINT assessments regularly, and invest in security awareness training programs. Only by taking a proactive approach to OSINT can organizations stay one step ahead in the ongoing battle against social engineering.

Steve Durbin, chief executive, Information Security Forum