
How Spoofers Weaponize Your Public Info—And What To Do About It

May 7, 2025

We’re seeing a surge in business email scams that are targeted at specific individuals. Spoofers are mining public info about businesses from multiple sources to craft messages that look like real boss-to-employee requests or client-to-vendor instructions. These emails aren’t just scams—they’re engineered deceptions.

A Diabolical Example

We recently saw a scammer who cross-referenced 3 sources of public info:

• LinkedIn for a new team member’s company, plus…
• ZoomInfo or other marketing dossiers for company ownership, and…
• Website testimonials for client names

They then sent multiple emails appearing to come from that owner or client, requesting the employee’s direct phone number so they could text further instructions.

Yes, this info was found online, but the attack was old school: no accounts were compromised, and the FROM email address was made up; only the personal Display Name was faked. Also, by switching to text, they’d avoid the typical email protections triggered by sensitive requests.

This approach bypasses almost all tech protections, and disarms the human by manipulating their trusted relationships.
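
A mail-filter check aimed at the faked Display Name described above, as an added example that is not part of the original post: it flags a message whose From display name matches a protected person (owner, key client) while the address is not one that person uses. The names, addresses and sample messages are constructed for illustration.

```python
import unicodedata
from email import message_from_string, policy

# Constructed directory: people worth impersonating and the only addresses
# they really send from (owner, key client). Replace with your own list.
PROTECTED = {
    "Dana Whitfield": {"dana@example-co.test"},
    "Lee Okafor": {"lee.okafor@client-firm.test"},
}

def tokens(name):
    """Case-fold, strip accents and punctuation, return the set of name words."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in text.casefold())
    return frozenset(cleaned.split())

PROTECTED_TOKENS = {tokens(n): (n, {a.lower() for a in addrs})
                    for n, addrs in PROTECTED.items()}

def impersonated_name(raw_message):
    """Return the protected name being faked in From:, or None if nothing matches."""
    # policy.default decodes RFC 2047 encoded display names before we compare
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None:
        return None
    for sender in header.addresses:
        shown = tokens(sender.display_name)
        for wanted, (name, real_addrs) in PROTECTED_TOKENS.items():
            # All name words present ("Whitfield, Dana (Owner)" still matches)
            # but the address is not one this person actually uses.
            if wanted <= shown and sender.addr_spec.lower() not in real_addrs:
                return name
    return None

# Constructed sample messages
SPOOFED = ('From: "Whitfield, Dana" <ceo.office77@mailbox.test>\n'
           "Subject: Quick task\n\nSend me your direct number so I can text you.\n")
GENUINE = ("From: Dana Whitfield <dana@example-co.test>\n"
           "Subject: Friday schedule\n\nSee you at 10.\n")
ENCODED = ("From: =?utf-8?q?D=C3=A1na_Whitfield?= <dana.w@freemail.test>\n"
           "Subject: Are you available?\n\nReply with your cell.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("encoded", ENCODED)):
        print(label, "->", impersonated_name(raw))
```

A message that forges the exact real address passes this check; that case is what SPF, DKIM and DMARC enforcement is for.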

Fortunately the targeted employees were trained to spot phishing scams like this, so they didn’t fall for it!

Vigilance like this is key, but prevention is also critical…

Check Yourself

1. Lock Down Your Social Media Privacy

 
Have employees limit information visibility of their profiles:
 
• LinkedIn: Me > Settings & Privacy > Visibility
• Facebook: Settings & Privacy > Settings > Privacy
• Instagram: Settings > Privacy > Account Privacy > Private Account
 
For others, Google “[platform] privacy settings” — most have steps published to limit your visibility.
 
2. Rethink How Much Your Business Shares Online
 
• Testimonials: First names and interaction context are fine. Avoid last names, job titles, or identifying project specifics.
 
• About/Team Pages: Consider using only first names and general personality items (e.g. ‘loves nature and music’), NOT anything hinting at internal roles. If your staff’s full names and job titles are available on both your website and LinkedIn, you’ve handed spoofers a playbook.
 
3. Other Precautions to Consider
 
• Conduct a “What could an attacker learn about us in 10 minutes?” exercise
 
• Periodically Google your team names + company to see what’s publicly visible
 
• Remove or redact old press releases, bios, and documents that list job titles and hierarchy

Educate Your Whole Team

Attackers thrive on human error, not just technical flaws or exposed information, so user education is also indispensable. Security Awareness Training and phishing simulations are key for businesses to keep every employee vigilant against these human-engineering attacks.
 
For Slingshot’s clients, our SecurityAware service delivers real-world security awareness training, tailored so your team can better learn to spot scammers and other threats before they react.

Let’s Talk About Your IT
No Pressure

Want eyes on your public presence or curious about training? Contact Slingshot today and let’s talk.