AI and OSINT: How Attackers Use Public Information
When people hear about a cyberattack, they often imagine someone breaking passwords and attacking servers. Reality is often simpler. The attacker first checks what a company and its people reveal publicly.
This is called OSINT, or open-source intelligence. It means collecting information from open sources. These are not stolen records. They are public information available on the internet.
AI OSINT matters because OSINT supports phishing, vishing, deepfake scams and social engineering. AI speeds up the process: it helps turn scattered public details into a believable message, call script or fake business context.
For broader context, read AI as an Attacker, what AI phishing is and how to recognize deepfake voice scams.
What counts as public information?
Many people say: "I do not publish anything sensitive." Attackers are not always looking for one big secret. They look for small pieces of a puzzle.
Public information can include:
- employee names,
- job titles,
- organizational structure,
- email formats,
- phone numbers,
- photos from offices, conferences and events,
- job ads and technologies in use,
- customer lists, suppliers and press releases,
- LinkedIn comments and public employee posts,
- documents, presentations and company registry data.
On their own, these details may look harmless. Together they can create a precise picture of a company, its people, projects and internal priorities. That is why a digital footprint is a security topic, not only a marketing issue.
How attackers build the story
Imagine a simple scenario. A company posts on LinkedIn that it won a new project. Employees comment on the post. One of them lists "project manager" in their profile. The company website includes contact details. A job ad mentions a specific CRM system. A photo from the office shows the name of a supplier.
The attacker suddenly has enough information to write a convincing message:
"Hi Martin, I am sending the updated CRM export for the new logistics client. Please review it today, we have a deadline tomorrow."
This is much more dangerous than generic phishing. It contains a name, project, tool and work context. The message feels like it makes sense.
Where AI changes the attack
AI helps attackers process many details quickly and turn them into credible text. An attacker can feed public information into an AI tool and ask for an email to finance, a personalized LinkedIn message, a phone script or fake supplier communication.
AI can also tune the tone. The message can sound formal, friendly, short, executive or technical. It can be written without obvious grammar mistakes and include just enough detail to feel real.
That is why grammar mistakes are no longer a reliable warning sign. Modern AI phishing can be written better than an ordinary work email.
What is pretexting?
Pretexting means creating a false story that convinces the victim to do something. The attacker invents a reason and plays a role.
They may pretend to be:
- a new supplier,
- a customer,
- a colleague from another department,
- IT support,
- a courier,
- an auditor,
- a job candidate,
- a manager or bank employee.
A good pretext is not dramatic. It is ordinary. It fits into the workday. That is exactly why it works.
Examples of OSINT attacks
LinkedIn phishing
The attacker chooses an employee on LinkedIn. They review the person's role, comments, colleagues and interests. Then they send a message as a recruiter, business partner or conference attendee.
The goal may be to send the target to a fake login page, deliver a malicious file or build trust for the next step.
Invoice fraud
The attacker identifies who handles finance and which suppliers the company uses. They send a message that looks like a supplier request to change bank account details. Without verification, money can be sent to the attacker's account.
Fake technical support
Job ads often reveal which systems a company uses. The attacker calls an employee and pretends to be support for that tool: "Hello, I am calling about your CRM system. We are running a migration today and need to verify your access."
Deepfake preparation
Public videos and podcasts can contain voice samples of managers. An attacker can reuse them in a voice scam. The more public content exists, the easier the preparation becomes.
How to reduce a company digital footprint without disappearing from the internet
The goal is not to stop communicating. Companies need marketing, sales, LinkedIn, websites and trust. The goal is to share carefully.
For individuals
- Do not publish too many details about internal processes.
- Consider whether every work tool must be listed in your profile.
- Be careful when receiving messages from unknown people.
- Do not click links in LinkedIn messages without verification.
- Watch for photos that reveal screens, badges, whiteboards or internal documents.
- Do not send work documents through personal accounts.
For companies
- Review what your website publishes.
- Check job ads and remove unnecessary technical details.
- Set rules for public office photos.
- Train employees on OSINT and social engineering.
- Use verification processes for payments and account changes.
- Monitor suspicious domains similar to your company domain.
- Make suspicious message reporting simple.
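One way to approach the domain monitoring item above, as an added example that is not part of the original article: a small Python classifier that compares observed domains (for instance sender domains exported from a mail gateway) with the company domain. The domain names, the confusable-character table and the distance threshold are constructed assumptions for illustration.

```python
# Added example: classify observed domains against one protected domain.
# COMPANY_DOMAIN and OBSERVED are constructed sample data, not real indicators.
COMPANY_DOMAIN = "example-logistics.com"
OBSERVED = [
    "example-logistics.com", "mail.example-logistics.com",
    "examp1e-logistics.com", "example-logistlcs.com", "examplelogistics.com",
    "exmaple-logistics.com", "example-logistics.co",
    "example-logistics-billing.com", "unrelated-supplier.org",
]

# Characters that are easily mistaken for each other are folded to one form.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})

def skeleton(name):
    """Reduce a name to the shape a hurried reader perceives."""
    folded = name.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(CONFUSABLES).replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, company=COMPANY_DOMAIN):
    domain = domain.lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return "legitimate"
    name = domain.rpartition(".")[0]       # everything before the TLD
    cname = company.rpartition(".")[0]
    if name == cname:
        return "other-tld"                 # same name, different ending
    sk, csk = skeleton(name), skeleton(cname)
    if sk == csk:
        return "visual-lookalike"          # identical after folding
    if edit_distance(sk, csk) <= 2:        # raise or lower for short names
        return "typo"
    if csk in sk:
        return "brand-embedded"            # company name plus extra words
    return "no-match"

def suspicious(domains, company=COMPANY_DOMAIN):
    """Return {domain: reason} for every domain that imitates the company domain."""
    verdicts = {d: classify(d, company) for d in domains}
    return {d: v for d, v in verdicts.items() if v not in ("legitimate", "no-match")}

if __name__ == "__main__":
    for d, reason in suspicious(OBSERVED).items():
        print(f"{reason:17} {d}")
```

Flagged domains are candidates for review, not verdicts: a match still needs a person to check who registered the domain and whether it has been used in messages to employees.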
Why LinkedIn is a double-edged tool
LinkedIn is useful. It helps build a brand, sell, recruit and share expertise. At the same time, it is an excellent information source for attackers.
This does not mean you should stop using it. It means you should think about what you share. A post saying "our finance team is working on a major audit with an external supplier" may look harmless to marketing but be useful to an attacker.
The best rule is simple: share achievements, not internal details.
Practical checklist for marketing and HR
Marketing and HR often publish the most information. They need a simple checklist.
Before publishing, ask:
- Are screens, documents or internal notes visible in the photo?
- Are we naming people next to sensitive systems?
- Are we giving too much detail about technologies?
- Are we revealing who approves payments or access?
- Could this post be used for a fake approach?
- Are we posting vacations or absences of key people in real time?
Conclusion
AI and OSINT are a dangerous combination. Public information gives attackers the material. AI helps turn it into a convincing story. A person under pressure can make a mistake.
The good news is that the risk can be reduced. You do not need to disappear from the internet. You need to understand that anything public can also be used against you.
The same logic applies to families and schools. Photos, profiles and public posts can affect privacy and fake-content risks, which is why we also cover protecting children online.
Before publishing, ask one question: "Does this information help our customers, or does it help an attacker more?"