← Blog

What your LinkedIn tells an attacker before they ever contact you

Tenant Strike3 min read

Attackers do research, and most of what they need is public. Your website, your team's LinkedIn, and your social posts can quietly hand over the org chart, the tools you use, and the perfect cover story.

Targeted attacks start with research, and the uncomfortable truth is that most of what an attacker needs is already public. Before anyone sends a single phishing email or makes a single scam call, they read. Your website, your team's LinkedIn profiles, your social media, your job postings — together these quietly hand over the raw material for a convincing con. Security folks call this open-source intelligence, but you can just call it homework.

What is sitting in plain sight

None of the following requires hacking. It's all out there for anyone to read:

  • Your org chart. LinkedIn reveals who works for you, their titles, and who reports to whom — exactly what an attacker needs to impersonate the boss or target the right employee.
  • Who handles money. Titles like bookkeeper, accounts payable, finance manager, or office manager point straight at the people who can move funds or change payment details.
  • Your suppliers and tools. Case studies, partner badges, "we're hiring someone who knows [software]" job ads, and even photos of monitors in office pictures reveal the vendors and systems you rely on. That tells an attacker which fake "supplier" or fake "IT provider" story will land.
  • The patterns of your business. Press releases, social posts, and out-of-office replies reveal when the owner is traveling, when a big deal is closing, and when finance is busy — all good timing for a scam.
  • Email formats. Once an attacker sees one address ([email protected]), they can guess everyone's.

Put it together and an attacker can write to your bookkeeper, pretending to be a real supplier you actually use, referencing a real project, at a moment when the owner is genuinely away. That's not luck. That's research.

Why this matters more than it seems

The reason spear phishing and pretexting work so well is that they're built on real details. The single biggest factor in whether a targeted scam succeeds is how convincingly it fits your reality — and you supply most of that reality yourself, for understandable reasons. You want to market your business, attract talent, and look established. Visibility is the goal.

So the answer isn't to go dark. It's to be deliberate about what you broadcast and to assume that anything public will be used.

Being deliberate without disappearing

You can stay visible and still raise the cost of research:

  1. Assume your org chart is known, and defend accordingly. Since attackers can see who handles money and who's in charge, make sure those exact people have the strongest protections and the firmest verification habits.
  2. Be thoughtful about operational detail. "The owner is at a conference all week" and detailed posts about your exact tools and processes are gifts to an attacker. A little vagueness costs nothing.
  3. Check what's incidentally exposed. Photos that show screens, whiteboards, or badges; job ads that list your entire tech stack; documents shared more widely than intended. Small leaks add up.
  4. Tighten personal privacy settings, gently. Encourage staff — especially finance and leadership — to limit what's public on personal accounts, where attackers also look.
  5. Train on the assumption of research. The most useful thing your team can internalize is that a message using real, accurate details is not automatically trustworthy. Real details are the easy part.

The goal is a business that's findable to customers and frustrating to con artists.

Research tells an attacker where to aim; your settings decide whether the shot lands. Tenant Strike even includes an outside-in view — it shows what your business looks like from the public internet, the way an attacker scanning for targets would see it — alongside a read-only check of your Microsoft 365 and Azure settings. Five minutes gives you both halves of the picture: what you're exposing, and how well-defended the targets behind it are.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.