Last updated: March 2026
Social media gives attackers free intelligence. Employee names, job titles, org charts, project details, travel schedules, office locations – all of it can be scraped from public profiles and posts. Attackers use this information to craft targeted phishing emails and social engineering attacks that are hard to distinguish from legitimate communication.
This guide covers how social media information gets used against businesses, what training your team needs, and the practical steps to reduce your exposure.
Gathering intelligence
Attackers scan public profiles and posts for:
- Employee names, roles, and reporting structures
- Email address patterns (once an attacker knows a name and has seen a single address in the company's format, every other employee's address is easy to guess)
- Details about projects, clients, technology stacks, and vendors
- Travel plans and out-of-office announcements
- Personal interests and relationships that make phishing lures more convincing
Building targeted attacks
With this information, an attacker can:
- Send a phishing email that references a real project, a real colleague, or a real event
- Create a fake social media profile impersonating a coworker or industry contact
- Craft a pretext for a phone call that sounds completely legitimate
- Time their attack for when key security personnel are traveling or out of office
The more specific and personalized the attack, the higher the success rate.
Employee Awareness Training
Teach phishing recognition
- [ ] Spoofed emails – Show employees how attackers make emails look like they come from colleagues or known companies. Train them to check the actual sender address, and the Reply-To address when one is present, not just the display name
- [ ] Fake profiles and websites – Demonstrate how attackers create convincing fake LinkedIn profiles, company websites, and login pages
- [ ] Malicious links and attachments – Teach the habit of hovering over links (or long-pressing on a phone) to see the real destination before clicking, and of comparing it with the text shown. Train employees never to open unexpected attachments, even from apparent contacts, without confirming through a separate channel
- [ ] Suspicious emails – Instruct employees to forward questionable emails to ForwardToSafety.com for professional verification when they are unsure
Explain social media exposure
- [ ] Walk employees through their own privacy settings and show them what is publicly visible
- [ ] Explain how posting about work projects, client meetings, or business travel creates attack opportunities
- [ ] Discuss how accepting connection requests from unknown people can expose information
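The two sender and link checks described under "Teach phishing recognition" can be automated for the people who triage reported mail. The following Python script is an added example written for this guide, not code from the page or from any product named on it; it parses a raw message with the standard library and flags a From address outside the organisation, a Reply-To that routes elsewhere, and anchors whose visible text names one host while the href points to another. The ORG_DOMAINS set and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAINS = {"example.com"}  # assumption: the organisation's own domains


def _is_org(host):
    """True if host is one of ORG_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def _host(value):
    """Lower-cased host of a URL or bare hostname; None if there is none."""
    value = value.strip()
    if not value or value.lower().startswith("mailto:"):
        return None
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower() or None


def _domain(addr):
    """Domain part of an e-mail address, lower-cased ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return human-readable findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. The display name is free text; only the address says who sent it.
    display, addr = parseaddr(str(msg.get("From", "")))
    if not _is_org(_domain(addr)):
        findings.append(f"From {addr!r} is outside the organisation, "
                        f"whatever the display name {display!r} suggests")
    # 2. Replies silently routed to a domain other than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != _domain(addr):
        findings.append(f"Reply-To {reply!r} goes to a different domain than From")
    # 3. Links whose visible text names one host but whose href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = _host(href)
            # Treat the anchor text as a URL only when it looks like one.
            text_host = _host(text) if "." in text and " " not in text else None
            if text_host and href_host and text_host != href_host:
                findings.append(f"Link text shows {text_host} but points to {href_host}")
            elif href_host and not _is_org(href_host):
                findings.append(f"Link to external host {href_host}")
    return findings


# Constructed sample lure: real-sounding colleague and event, look-alike domain.
SAMPLE_PHISH = b"""From: "Dana Ruiz" <dana.ruiz@examp1e-mail.com>
Reply-To: payments@mail-approvals.net
To: staff@example.com
Subject: Q3 vendor invoice - approve before your Denver trip
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>As discussed at the offsite, please approve the invoice here:
<a href="http://login.examp1e-mail.com/sso">https://sso.example.com/approve</a></p>
"""

# Constructed sample of the same request sent legitimately.
SAMPLE_OK = b"""From: "Dana Ruiz" <dana.ruiz@example.com>
To: staff@example.com
Subject: Q3 vendor invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p><a href="https://sso.example.com/approve">https://sso.example.com/approve</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, analyze(raw) or ["no findings"])
```

Running it prints three findings for the lure (external sender behind a familiar name, a Reply-To on a third domain, and link text for sso.example.com that really goes to login.examp1e-mail.com) and none for the legitimate message. The same heuristics are what the "hover and compare" habit asks a person to do by eye; a script just does it for every link and header at once.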
Build healthy skepticism
- [ ] Verify requests for information through a separate channel, even when they appear to come from a colleague
- [ ] Report suspicious messages, connection requests, or posts to your security team
- [ ] When in doubt, check – it is always better to verify than to assume
Prevention Measures
Tighten privacy settings
- [ ] Run a workshop on reviewing and tightening privacy settings across platforms (LinkedIn, Facebook, Instagram, X/Twitter)
- [ ] Advise employees to limit publicly visible personal information: home addresses, birthdays, phone numbers
- [ ] Discourage posting about ongoing projects, client names, internal tools, upcoming travel, or company events
- [ ] Encourage maintaining separate professional and personal social media presences
- [ ] Review privacy settings at least twice per year, since platforms frequently change their defaults
Connection and message screening
- [ ] Do not accept connection requests from people you do not know professionally
- [ ] Be wary of new connections who quickly ask for information, favors, or meetings
- [ ] Watch for these red flags in social media messages (their absence proves nothing; fluent, well-written lures are common):
- Poor grammar or unusual phrasing
- Urgency, pressure to act fast, or a request to keep the matter quiet
- Requests for passwords, one-time codes, account details, or financial information
- Links to unfamiliar websites, or link text that does not match the real destination
Enable strong authentication
- [ ] Turn on MFA for all social media accounts (personal and company)
- [ ] Use authenticator apps (Duo Mobile, Google Authenticator, Microsoft Authenticator) or, where the platform supports them, hardware security keys or passkeys instead of SMS codes, which can be intercepted through SIM swapping
- [ ] Use unique, strong passwords for each social media account – a password manager makes this manageable
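What an authenticator app actually does is compute a time-based one-time password (TOTP, RFC 6238) from a secret that stays on the device, which is why it is preferred over a code sent through the phone network. The following Python is an added example for this guide, not code from the page or from any of the apps named above; it implements HOTP and TOTP with the standard library, decodes the base32 secret an enrolment screen shows, and verifies a submitted code server-side with a small clock-drift window and a constant-time comparison. The secret is the published RFC 4226/6238 test value, so the expected codes are the RFC's own vectors, not a real account's.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time // step."""
    return hotp(secret, at // step, digits)


def secret_from_base32(text):
    """Decode the base32 secret an authenticator app shows at enrolment (spaces and case tolerated)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret, submitted, at, window=1, step=30, digits=6):
    """Server-side check: accept the code for the current step or +/- `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        t = at + drift * step
        if t < 0:
            continue
        # compare_digest is constant-time and we never return early, so a wrong
        # guess does not reveal which step it was close to.
        ok = hmac.compare_digest(totp(secret, t, step, digits), submitted) or ok
    return ok


# RFC 4226/6238 test secret (ASCII "12345678901234567890"); never use it for real.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # 94287082
    print("code right now:", totp(RFC_SECRET, int(time.time())))
```

Two points worth noticing: the code is derived entirely from the secret and the clock, so nothing travels over SMS to be intercepted; and the verifier's drift window is deliberately small (one step either side) because every extra step accepted is another code an attacker could replay.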
Organizational Steps
Audit company accounts
- [ ] Identify all social media accounts used for company activities (official pages, employee advocacy accounts, marketing accounts, customer service accounts)
- [ ] Review privacy settings on every identified account
- [ ] Check that settings align with your organization’s security policies
- [ ] Pay attention to who can see posts, send messages, and tag company accounts
- [ ] Repeat this audit at least annually
Write a social media policy
Your policy should cover:
- [ ] What types of company information should not be shared online (project details, client names, internal processes, security practices)
- [ ] Guidelines for accepting connections from unknown individuals
- [ ] Expected conduct when interacting with clients or customers on social platforms
- [ ] How to handle suspicious messages or impersonation attempts
- [ ] Consequences for policy violations
Distribute the policy to all employees and include it in onboarding.
Ongoing training program
- [ ] Provide phishing and social engineering training at onboarding
- [ ] Run refresher sessions quarterly with updated examples
- [ ] Include real-world case studies from your industry
- [ ] Conduct simulated social engineering tests periodically
- [ ] Use results to improve training, not to punish employees
- [ ] Keep employees informed about new threats as they emerge
- [ ] Remind employees that ForwardToSafety.com is available for verifying suspicious emails connected to social media interactions
Key Takeaways
- Public social media information is free intelligence for attackers – limit what your organization and employees share
- Train employees to recognize phishing attempts that use social media data to appear legitimate
- Enforce strong authentication on all social media accounts
- Create and enforce a clear social media policy
- Audit your social media presence regularly
- Forward suspicious emails to ForwardToSafety.com for safe verification