How Attackers Use Your Public Information Against You

Before a sophisticated attacker launches a phishing email, attempts a compromise, or even decides you're worth targeting, they research you. This research phase — called Open Source Intelligence gathering, or OSINT — uses only publicly available information. No hacking required. No dark web resources. Just the internet as it exists, examined methodically by someone who knows what they're looking for.

Understanding what attackers can learn about your organisation from public sources is both sobering and actionable. Sobering, because the amount of intelligence a determined researcher can assemble from entirely public information is consistently underestimated. Actionable, because many of the most useful information sources can be modified or managed.

Your Website

Your website tells an attacker more than you might expect. The staff directory or "meet the team" page names key individuals, their roles, and sometimes their contact details — the same individuals who will appear in targeted phishing emails addressed to them by name and referencing their specific role. Technology mentions — "built with WordPress", "powered by Salesforce", logos of technology partners — identify the software stack your organisation runs, allowing the attacker to cross-reference with current vulnerability databases. Copyright dates and page metadata can indicate how often the site is updated, suggesting how quickly patches might be applied.

Job adverts are particularly information-rich. A vacancy for a senior IT position that lists required experience with specific technologies — "experience with SonicWall firewalls and Veeam backup" — tells an attacker exactly what firewall and backup product you use and can be combined with current CVE disclosures for those specific products.

LinkedIn

LinkedIn profiles reveal the complete professional history and current responsibilities of every staff member who maintains a profile. For a targeted social engineering attack — impersonating a supplier, a regulator, or a senior colleague — this information is invaluable: the attacker knows the target's name, their manager's name, their length of service, their professional connections, and their likely areas of responsibility.

LinkedIn also provides an organisational chart for free. From a company page and its connections, an attacker can map the entire leadership structure, identify the finance function (useful for business email compromise targeting payment authorisation), and find the IT staff (useful for vishing calls impersonating IT support).

Companies House

Companies House filings are a statutory requirement and entirely public. They reveal: the registered address, the full names of directors, the company's financial history, charges over assets, and — for companies that file detailed accounts — significant information about revenue, client concentration, and financial position. For a social engineering attack that requires appearing to know the business well, Companies House is a rich source of credible detail.

DNS Records and Technical Infrastructure

DNS records reveal technical details about your infrastructure that have direct security implications. MX records identify your email provider. SPF, DKIM, and DMARC records reveal the configuration and potential gaps in your email security. Subdomains — enumerable via passive DNS databases — may reveal staging servers, development environments, VPN endpoints, and administrative portals that weren't intended for public exposure. TLS certificate transparency logs record every certificate ever issued for your domain, including for subdomains that have been decommissioned but may still be accessible.

Attack surface management tools — including those used by attackers — enumerate all of this automatically and continuously. Your external-facing infrastructure is being catalogued whether you know it or not.
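The email authentication gaps mentioned above are visible to anyone who reads the domain's TXT records. The following script is an added example, not code from the original article or from SOC in a Box: it assesses SPF and DMARC records for the weaknesses a reviewer (or an attacker) would look for. The records for example.com are constructed so that it runs offline; in practice you would fetch them with a DNS TXT lookup on the domain and on _dmarc.<domain>.

```python
"""
Added example, not code from the original article: assess SPF and DMARC TXT
records for the gaps an external reviewer would spot. The records are
constructed inline so the script runs offline; in practice you would fetch
them with a DNS TXT lookup on example.com and _dmarc.example.com.
"""
import re

# Constructed sample records for a hypothetical example.com.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.example-mail.com ip4:203.0.113.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(:|=|$)")


def assess_spf(record):
    """Return a list of findings for an SPF record; an empty list means no issues."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may send mail claiming to be this domain"]
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism; unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends in +all: every sender passes, the record gives no protection")
        elif qualifier == "?":
            findings.append("SPF ends in ?all: unlisted senders are neutral, not rejected")
        elif qualifier == "~":
            findings.append("SPF ends in ~all (softfail): move to -all once all senders are listed")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror")
    return findings


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means no issues."""
    if not record:
        return ["no DMARC record: SPF/DKIM failures are neither enforced nor reported"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC record does not begin with v=DMARC1 and will be ignored")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is still delivered; monitoring only")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is not valid")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def assess_domain(records, domain):
    """Combine SPF and DMARC findings for one domain from a name -> TXT mapping."""
    return {
        "spf": assess_spf(records.get(domain, "")),
        "dmarc": assess_dmarc(records.get("_dmarc." + domain, "")),
    }


if __name__ == "__main__":
    for check, issues in assess_domain(SAMPLE_RECORDS, "example.com").items():
        print(check, issues or ["ok"])
```

For the constructed records the script reports two findings: the SPF record ends in a softfail rather than a hard fail, and the DMARC policy is p=none, so a receiver would deliver spoofed mail and merely report it. Running the same checks on your own domain periodically catches records that drift when a new mail provider is added.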

Social Media

Staff social media accounts, particularly those that aren't set to private, provide intelligence about work patterns, travel schedules, client relationships, and the internal culture of your organisation. A post about a difficult client negotiation, a photo from an internal event that reveals office layout and security measures, a check-in at a client premises — all of these provide colour that makes social engineering attacks more convincing.

Office announcements and team celebrations posted on LinkedIn also reveal when key personnel are on holiday, when the company is going through a significant transition, and when the finance team is likely to be under pressure — precisely the conditions under which business email compromise attacks are most likely to succeed.

What You Can Do About It

You cannot remove yourself from the internet entirely, and attempting to do so often creates more problems than it solves. The goal is not invisibility — it's reducing the information that is genuinely useful to an attacker without compromising your legitimate business presence.

Review your website for unnecessary technology disclosures: version numbers, plugin lists, generator meta tags, and technology partner logos that serve no marketing purpose. Review job adverts to ensure they don't specify the exact products in your technology stack. Consider whether your full staff directory needs to be public, or whether a more limited representation serves your business needs.
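The website review above can be partly automated. The script below is an added example, not code from the original article or from any product it mentions: it parses a page's HTML and reports generator meta tags, version numbers in asset URLs, CMS plugin paths, "powered by" vendor mentions and stale copyright years. The sample HTML is constructed; point scan_html() at the source of your own pages.

```python
"""
Added example, not code from the original article: scan a page's HTML for
the technology disclosures the article says to review: generator meta tags,
version numbers in asset URLs, CMS plugin paths, vendor mentions and old
copyright years. The HTML is constructed for the example; feed scan_html()
the source of your own pages.
"""
import re
from html.parser import HTMLParser

# Constructed sample page for a hypothetical site.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 6.2.1">
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.7.2">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
<script src="https://cdn.example-partner.net/widget.js"></script>
</head><body>
<p>Powered by Salesforce</p>
<p>&copy; 2019 Example Ltd</p>
</body></html>
"""

PLUGIN_PATH = re.compile(r"/wp-content/plugins/([^/?\"']+)")
VERSION_PARAM = re.compile(r"[?&]ver=([0-9][0-9.]*)")
VENDOR_MENTION = re.compile(r"\b(?:built with|powered by)\s+[A-Za-z][\w.-]*", re.I)
COPYRIGHT_YEAR = re.compile(r"(?:©|copyright)\s*(\d{4})", re.I)


class DisclosureScanner(HTMLParser):
    """Collects (category, detail) findings while parsing."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True by default, so &copy; arrives as ©
        self.findings = []
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.findings.append(("generator-meta", attrs.get("content") or ""))
        url = attrs.get("src") or attrs.get("href") or ""
        m = PLUGIN_PATH.search(url)
        if m:
            self.findings.append(("plugin-path", m.group(1)))
        m = VERSION_PARAM.search(url)
        if m:
            self.findings.append(("version-in-url", url.split("?")[0] + " ver=" + m.group(1)))

    def handle_data(self, data):
        self._text.append(data)

    def text_findings(self, current_year):
        """Run the text-level patterns over all collected text."""
        text = " ".join(self._text)
        for m in VENDOR_MENTION.finditer(text):
            self.findings.append(("vendor-mention", m.group(0)))
        for m in COPYRIGHT_YEAR.finditer(text):
            year = int(m.group(1))
            stale = current_year is not None and year < current_year - 1
            self.findings.append(("stale-copyright" if stale else "copyright-year", str(year)))


def scan_html(html, current_year=None):
    """Return all disclosure findings in the given HTML as (category, detail) tuples."""
    scanner = DisclosureScanner()
    scanner.feed(html)
    scanner.close()
    scanner.text_findings(current_year)
    return scanner.findings


if __name__ == "__main__":
    for category, detail in scan_html(SAMPLE_HTML, current_year=2024):
        print(f"{category:18} {detail}")
```

Each finding is a candidate for removal rather than an automatic defect: a plugin path may be unavoidable, but a generator tag and exact version strings in asset URLs usually serve no marketing purpose and are the first things a vulnerability cross-reference keys on.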

Provide staff with basic OSINT awareness: the understanding that what they post publicly about their work is potentially useful to someone preparing to attack the organisation. This doesn't require paranoia — it requires thoughtfulness about what information serves a legitimate purpose and what creates unnecessary exposure.

Attack surface management — the continuous monitoring of your externally-facing infrastructure for newly exposed services, subdomains, and misconfigurations — addresses the technical dimension. It identifies the forgotten test server, the development subdomain running outdated, vulnerable software, and the administrative portal that was opened temporarily and never closed.
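At its core, continuous attack surface monitoring is a comparison of successive inventories of what the outside world can see. The script below is an added example, not code from the original article or from SOC in a Box: it diffs two constructed snapshots of hostnames, IPs and open ports, flags new hosts whose names hint at non-public roles (staging, dev, vpn, admin and similar) as higher severity, and lists names that survive only in certificate transparency logs so you can confirm the service behind them really is gone. The snapshots, IP addresses and CT host list are all constructed for the example.

```python
"""
Added example, not code from the original article: compare two snapshots of
an organisation's externally visible assets and report what is newly exposed,
which is the core of the continuous monitoring described above. Snapshots
and the certificate-transparency host list are constructed inline; in
practice they come from your own discovery tooling.
"""

# Hostname labels the article singles out as rarely meant for public exposure.
SENSITIVE_HINTS = ("staging", "dev", "test", "uat", "vpn", "admin")

# Constructed snapshots: hostname -> resolved IP and open TCP ports.
PREVIOUS = {
    "www.example.com": {"ip": "203.0.113.10", "ports": {443}},
    "mail.example.com": {"ip": "203.0.113.20", "ports": {25, 443}},
}
CURRENT = {
    "www.example.com": {"ip": "203.0.113.10", "ports": {443}},
    "mail.example.com": {"ip": "203.0.113.20", "ports": {25, 443, 8080}},
    "staging.example.com": {"ip": "203.0.113.30", "ports": {22, 443}},
    "old-vpn.example.com": {"ip": "203.0.113.40", "ports": {443}},
}
# Hostnames with certificates in CT logs (constructed); legacy.example.com no longer resolves.
CT_LOG_HOSTS = {
    "www.example.com", "mail.example.com", "staging.example.com",
    "old-vpn.example.com", "legacy.example.com",
}


def sensitive_name(host):
    """True if any label below the registered domain hints at a non-public role."""
    labels = host.lower().split(".")[:-2]
    return any(hint in label for label in labels for hint in SENSITIVE_HINTS)


def diff_snapshots(previous, current, ct_hosts=frozenset()):
    """Return a list of change findings, each a dict with host, type, detail and severity."""
    findings = []
    for host, info in sorted(current.items()):
        if host not in previous:
            findings.append({
                "host": host, "type": "new-host", "detail": sorted(info["ports"]),
                "severity": "high" if sensitive_name(host) else "medium",
            })
            continue
        old = previous[host]
        new_ports = info["ports"] - old["ports"]
        if new_ports:
            findings.append({"host": host, "type": "new-ports",
                             "detail": sorted(new_ports), "severity": "medium"})
        if info["ip"] != old["ip"]:
            findings.append({"host": host, "type": "ip-changed",
                             "detail": [old["ip"], info["ip"]], "severity": "low"})
    for host in sorted(set(previous) - set(current)):
        findings.append({"host": host, "type": "host-gone", "detail": [], "severity": "info"})
    # Names that only survive in CT logs: confirm the service behind them is truly gone.
    for host in sorted(set(ct_hosts) - set(current)):
        findings.append({"host": host, "type": "ct-only", "detail": [], "severity": "low"})
    return findings


if __name__ == "__main__":
    for f in diff_snapshots(PREVIOUS, CURRENT, CT_LOG_HOSTS):
        print(f"[{f['severity']:6}] {f['type']:11} {f['host']} {f['detail']}")
```

On the constructed data the diff surfaces a new port on the mail server, two new hosts whose names suggest they were never meant to be public, and one name that exists only in certificate logs. The value is in running it on every discovery cycle and routing the output to whoever owns the change, so that a port opened for a one-off task is noticed the same week rather than on the next annual test.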

Monitor Your Attack Surface Before Attackers Do

SOC in a Box includes continuous attack surface management as part of every deployment — discovering your external-facing assets, subdomains, and exposed services, and alerting your named analyst to new exposures before an attacker finds them first. Your monthly Confidence Score report includes an attack surface summary with any changes highlighted.
