From LinkedIn to X, GitHub to Instagram, there are many alternatives to share work-related info. However posting might additionally get your organization into hassle.
01 Dec 2025
•
,
5 min. learn
Worker advocacy has been round as an idea for over a decade. However what began out as a well-intentioned solution to improve company profile, thought management and advertising, additionally has some unintended penalties. When professionals publish about their work, their firm and their function, they’re hoping to succeed in likeminded professionals, in addition to prospects and companions. However menace actors are additionally paying consideration.
As soon as that info is within the public area, it’s typically used to assist construct convincing spearphishing or enterprise electronic mail compromise (BEC)-style assaults. The extra info, the extra alternative for nefarious exercise that might find yourself hitting your group laborious.
The place are your staff sharing?
The primary platforms for sharing such info are the standard suspects. LinkedIn is maybe the obvious. It might feasibly be described as the biggest open database of company info on this planet: a veritable treasure trove of job titles, roles, obligations and inside relationships. It’s additionally the place recruiters publish job listings, which can overshare technical particulars that may be leveraged in a while in spearphishing assaults.
GitHub is maybe higher identified in a cybersecurity context as a spot the place absent-minded builders publish hardcoded secrets and techniques, IP and buyer particulars. However they may additionally share extra innocuous details about mission names, CI/CD pipeline names and knowledge on what tech stacks and open supply libraries they’re utilizing. They may additionally share company electronic mail addresses in Git commit configurations.
Then there are the traditional consumer-facing social platforms like Instagram and X. That is the place staff are prone to share particulars on their journey plans to conferences, and different occasions which might be weaponized towards them and their group. Even info in your firm web site might be helpful to a would-be fraudster or hacker. Assume: particulars on technical platforms, distributors and companions, or main company bulletins reminiscent of M&A exercise. It might all present a pretext for stylish phishing.
RELATED READING: Is your LinkedIn profile revealing an excessive amount of?
Weaponizing info
The primary stage of a typical social engineering assault is intelligence gathering. The subsequent is weaponizing that intelligence in a spearphishing assault designed to trick the recipient into unwittingly putting in malware to their gadget. Or probably to sharing their company credentials for preliminary entry. This might be achieved through an electronic mail, textual content or perhaps a cellphone name. Alternatively, they may use info to impersonate a C-level government or provider in an electronic mail, cellphone or video name requesting an pressing wire switch.
These efforts often require a mix of impersonation, urgency and relevance. Listed below are some hypothetical examples:
- An adversary finds LinkedIn info on a brand new starter in an IT function at firm A, together with their core function and obligations. They impersonate a key tech vendor claiming that an pressing safety replace is required, referencing the goal’s identify, contact particulars and function. The replace hyperlink is malicious.
- A menace actor finds info on two colleagues in GitHub, together with the mission they’re engaged on. They impersonate one in an electronic mail asking the opposite to evaluation an hooked up doc, which is booby-trapped with malware.
- A fraudster finds a video of an government on LinkedIn, or a company web site. They see on that focus on’s Instagram/X feed that they’re going to be presenting at a convention and will probably be away from the workplace. Figuring out that the exec could also be laborious to contact, they launch a deepfake BEC assault utilizing video or audio, to trick a finance workforce member to wire some pressing funds to a brand new vendor.
Cautionary tales
The above are solely hypotheticals. However loads of actual examples exist of menace actors utilizing “open supply intelligence” (OSINT) methods within the early phases of assaults. They embrace:
- A BEC assault which value Youngsters’s Healthcare of Atlanta (CHOA) $3.6m: Menace actors probably scoured press releases a few newly-announced campus, to seek out out extra particulars together with the hospital’s development accomplice. They might then have used LinkedIn and/or the company web site to establish key executives and finance workforce members of the development agency concerned (JE Dunn). Lastly, they impersonated the CFO in an electronic mail to the CHOA finance workforce requesting they replace their fee particulars for JE Dunn.
- Russia-based SEABORGIUM and Iran-aligned TA453 teams use OSINT for reconnaissance forward of spearphishing assaults on pre-selected targets. In accordance with the UK NCSC, they use social media {and professional} networking platforms to “analysis their [targets’] pursuits and establish their real-world social or skilled contacts.” As soon as belief and rapport have been established over electronic mail, they ship a hyperlink to reap victims’ credentials.
Cease the share? Learn how to mitigate spearphishing danger
The dangers of oversharing are actual, however luckily the treatments are simple. Essentially the most potent weapon in your armory is schooling. Replace safety consciousness applications to make sure that all staff, from executives down, perceive the significance of not oversharing on social media. In some instances, this can require a cautious rebalancing of priorities, away from worker advocacy in any respect prices. Warn employees to keep away from sharing through unsolicited DMs, even when they acknowledge the person (as their account might have been hijacked). And guarantee they’ll spot phishing, BEC and deepfake makes an attempt.
Again this up with a strict coverage on social media use, defining crimson traces on what can and may’t be shared, and making use of clear boundaries between private {and professional}/official accounts. Company web sites and accounts may must be reviewed and up to date to take away any info that might be weaponized.
Multi-factor authentication (MFA) and powerful passwords (saved in a password supervisor) must also be a given throughout all social media accounts, in case skilled accounts are hijacked to focus on colleagues.
Lastly, monitor publicly accessible accounts the place attainable for any info that might be leveraged for spearphishing and BEC. And run crimson workforce workout routines towards staff to check their consciousness.
Sadly, AI is making it sooner and simpler than ever for menace actors to profile targets, accumulate OSINT after which craft convincing emails/messages in excellent pure language. AI-powered deepfakes improve their choices but additional. The underside line must be, if it’s within the public area, anticipate a cybercriminal additionally is aware of about it … and can come knocking quickly.
