T1589.003, Reconnaissance

Gather Victim Identity Information: Employee Names

Adversaries collect employee names from LinkedIn, corporate sites, and social media to craft targeted social engineering attacks...
Illustrative mock-up of the technique (a constructed example used throughout this page):

LinkedIn profile scrape
  Name: Sarah J. Chen
  Title: VP of Engineering, Nexus Technologies Inc.
  Location: San Francisco, CA
  Connections: 847
  Dept: Engineering & DevOps
  Reports to: Marcus Webb (CEO)

Extracted employee records (name, title, department)
  • Marcus Webb, Chief Executive Officer, Executive
  • Sarah J. Chen, VP of Engineering, Engineering
  • David Okonkwo, IT Infrastructure Lead, Information Technology
  • Rachel Torres, Head of HR, Human Resources
  • James Mitchell, CFO, Finance
  • Priya Sharma, Security Analyst, InfoSec

Pretext assembly
  [1] Target: Sarah Chen, VP Engineering at Nexus Technologies
  [2] Context: company just raised a Series C; press release dated Oct 15
  [3] Relationship: reports to CEO Marcus Webb, confirmed via LinkedIn
  [4] Pretext: impersonate Marcus Webb requesting an urgent wire transfer
  [5] Email: "Sarah, I need you to authorize the ACME vendor payment ASAP"
  [6] Result: 73% probability of target engagement (a mock-up figure based on the urgency and authority cues, not a measured rate)

Why Employee Names Matter in Cyberattacks

  • 70%+ of data breaches involve the human element (Verizon DBIR, as cited by miniOrange); social engineering is one component of that figure, not the whole of it
  • 60% of participants fell for AI-generated phishing emails, matching the success rate of human-crafted ones (Harvard study, via brside.com)
  • +442% increase in vishing (voice phishing) attacks in H2 2024 (Cybersecurity Ventures, via LinkedIn)
  • +47% increase in AI-enabled cyberattacks (Cybersecurity Ventures)
  • +1,265% reported surge in phishing overall (via LinkedIn)

Employee names are the foundation of social engineering. Knowing who works where, and in what role, lets attackers craft convincing impersonations that bypass both technical controls and human skepticism. When an adversary can address a victim by name, reference their manager, mention their department's recent project, and speak knowledgeably about the organizational structure, the resulting illusion of legitimacy is very hard to detect. This is not theoretical: it is the opening move in most targeted attacks today, from business email compromise (BEC) to spear phishing to pretext-driven phone scams.


The statistic most often quoted here, via miniOrange, comes from the Verizon Data Breach Investigations Report: more than 70% of breaches involve the human element. Note what that figure covers: the DBIR's human-element category spans social engineering, privilege misuse, error and the use of stolen credentials, and the report's narrower Social Engineering pattern is a smaller subset of it. The broader point stands: people remain the weakest link in virtually every security program, and employee names are the key that unlocks them. A Harvard study found that 60% of participants fell for AI-generated phishing emails, matching the success rate of carefully crafted human-written ones; combining known names with AI personalization makes the threat more potent still.


The threat landscape is accelerating. Vishing (voice phishing) attacks jumped 442% in the second half of 2024, as reported by Cybersecurity Ventures via LinkedIn. Over the same period AI-enabled cyberattacks increased by 47%, which lets adversaries automate and scale reconnaissance, including the mass harvesting of employee names from public sources. Phishing volume overall is reported to have surged 1,265%, driven by the convergence of generative AI tooling and the ever-growing volume of personal data available online.


Attackers use Google dorking, LinkedIn profile scraping, WHOIS lookups, corporate website enumeration, and social media monitoring to collect employee names and associated intelligence (source: LinkedIn MITRE ATT&CK article). OSINT turns publicly available information into a detailed playbook for social engineering operations (source: LinkedIn/David Baek). Every name, title, department, and project mention published online is a data point that can be used against you.

Key Terms & Concepts

Simple Definition

Employee Names (T1589.003) is a sub-technique of MITRE ATT&CK's T1589, Gather Victim Identity Information, in which adversaries systematically collect the names of people working at a target organization. Names are harvested from a wide range of publicly accessible sources: LinkedIn profiles (the single richest source of professional identity data), corporate "About Us" and "Our Team" pages, conference speaker lists, press releases, SEC filings (which name executives and board members), job postings (which reveal hiring managers and team structures), and social platforms such as Twitter/X, Facebook, and GitHub. Once obtained, the names serve several purposes: deriving email addresses from the company's naming convention (first.last@, flast@ and similar), crafting personalized phishing lures that address the recipient by name and role, impersonating executives in Business Email Compromise (BEC) attacks where the attacker poses as a C-suite leader to authorize fraudulent wire transfers, and building pretexts for vishing (voice phishing) and in-person impersonation. Knowing specific names and roles makes attacks markedly more convincing and harder for victims and defenders to detect, because the communication appears to come from a legitimate, recognized source.

Everyday Analogy

Imagine a pickpocket who studies a hotel's guest list before arriving. They learn the names of the general manager, the head of security, the front desk supervisor, and several prominent guests. They note which guests arrived for the annual shareholders' conference, which executive is hosting a private dinner, and which manager recently received a promotion. When they walk into the lobby, they can greet people by name, reference colleagues and events, complain about the "usual" slow elevator service, and blend in perfectly, all because they did their homework. No one questions them because they seem to belong. The security guard doesn't ask for ID because "everyone knows" that person is a conference attendee. The front desk doesn't verify credentials because the visitor drops the CEO's name casually. That is exactly what attackers do with employee names: they learn who's who, who reports to whom, and what projects are underway so they can walk into your digital organization, speak the language, reference the right people, and look like they belong. The difference is that a hotel pickpocket can only steal one wallet at a time, while a cyberattacker armed with employee names can compromise an entire organization in minutes.

Primary sources of employee names
  • LinkedIn: primary OSINT source
  • Corporate websites: team pages, press releases
  • SEC filings: executive disclosures
  • Conference lists: speaker and attendee names
  • Job postings: hiring managers, team info
  • Social media: Twitter/X, Facebook, GitHub

Real-World Scenario: The Tom Nakamura Incident

⚠ HIGH SEVERITY: T1589.003 (Employee Names) + T1598.004 (Phishing for Information: Spearphishing Voice)

Target: Atlas Logistics, Global Shipping Company

Victim: Tom Nakamura, Head of Human Resources
Company: Atlas Logistics, 3,000 employees across 14 countries
Industry: Global shipping & supply chain management

❌ Before: Exposed Employee Data Enables Devastating Attack

Atlas Logistics had published detailed employee names and titles on their corporate website's "Our Team" page, organized by department and regional office. LinkedIn showed 2,800 employee profiles with granular job descriptions, reporting structures, tenure dates, and professional connections. Press releases routinely named key executives and their roles in new contracts, partnerships, and expansion initiatives. Job postings revealed team structures and named hiring managers.


A sophisticated attack group (tracked as APT-SCORPION) scraped this publicly available data over a two-month reconnaissance period using automated tools. They built a complete organizational chart, from the CEO down to regional warehouse supervisors, mapping reporting relationships, recent promotions, project assignments, and even internal reorganizations visible through LinkedIn activity patterns. They identified Tom Nakamura as a high-value target: as Head of HR, he had broad system access, authority over employee onboarding processes, and a trusting relationship with the IT department.


The attackers impersonated Tom himself in a vishing (voice phishing) attack. They called the IT helpdesk, spoke confidently, cited specific team members by name (Sarah in Payroll, David in IT Infrastructure, and Jennifer who had just been promoted), referenced a recent company-wide software migration project, and convinced a technician that Tom was locked out of his account during an urgent off-hours emergency. The technician, recognizing "Tom's voice" and the accurate internal details, reset a privileged Active Directory account password.


Within 24 hours, the attackers had accessed the shipping management system, rerouted 12 containers worth $8.5 million, and exfiltrated the employee database containing sensitive personal information of all 3,000 staff members. The breach was discovered only when a port authority in Rotterdam flagged a container that didn't match the declared manifest.

✓ After: Comprehensive Name Exposure Reduction Strategy

After the devastating breach, Tom Nakamura led a fundamental overhaul of Atlas Logistics' information exposure policies. He implemented a name exposure reduction policy that removed all individual employee pages from the corporate website, replacing them with department-level descriptions and generic role titles. He provided LinkedIn privacy training to all employees, teaching them to limit profile visibility, disable connection browsing, and remove sensitive details like direct phone numbers and project assignments.


The company replaced all named contact points with department-level email aliases (for example, hr@ and it@ in place of individual first.last@ addresses). This change reduced the attacker's ability to confirm individual email addresses for spear phishing from public contact points and made BEC impersonation harder. Tom also established callback verification procedures for all IT requests involving password resets, account changes, or privileged access, requiring technicians to call the requester back on a number on file, never a number provided during the call.


Atlas deployed voice authentication for high-privilege password resets and sensitive operations, using voice biometrics to verify caller identity before making any changes. They instituted quarterly social engineering penetration tests to continuously measure improvement and identify residual exposure. Within one year, the company's social engineering susceptibility rate dropped from 34% to under 8%, and their employee name exposure footprint on search engines decreased by 92%.

Sample BEC email built from the mock-up above (a constructed illustration, not a real message):

  Subject: URGENT, ACME Vendor Payment Authorization Needed Today

  Sarah,

  I'm in back-to-back meetings and can't reach David. Can you authorize the ACME Logistics Q4 payment ($47,200) before 5pm today? Our account manager said the invoice is past due and they'll halt shipments tomorrow.

  Wire details attached. Please confirm once done.

  Marcus Webb
  CEO, Nexus Technologies

⚠ This email was crafted using publicly known names, titles, and organizational relationships scraped from LinkedIn and the company website.

Step-by-Step Guide: Protecting Employee Name Data

01

Audit Employee Name Exposure Online

Conduct a thorough audit of all publicly accessible sources where employee names appear. Search Google, Bing, LinkedIn, social media platforms, conference websites, press release archives, SEC filings, job boards, and industry directories for your organization's employee names. Document every instance with the source URL, the employee name and title listed, and the sensitivity of the information revealed (e.g., reporting relationships, project involvement, contact details). This audit forms the baseline for measuring improvement.

  • Use Google dorking: site:linkedin.com "Your Company" + job titles
  • Search the Wayback Machine for archived team pages
  • Check GitHub, GitLab, and Stack Overflow for employee accounts
  • Review job postings for named hiring managers and team details
02

Implement Social Media Guidelines and Training

Develop and enforce a comprehensive social media policy that educates employees about the risks of oversharing professional information online. Training should cover LinkedIn privacy settings (restricting profile visibility to connections only, disabling "people also viewed"), the dangers of posting about specific projects, clients, or internal tools, and the risks of accepting connection requests from unknown profiles that may be adversary-controlled reconnaissance accounts. Make this training mandatory and annual.

  • Require employees to review LinkedIn privacy settings quarterly
  • Prohibit sharing internal org charts or reporting structures online
  • Train employees to recognize fake connection requests from OSINT collectors
03

Replace Individual Contacts with Role-Based Aliases

Eliminate named individual contact points on your public-facing website, email signatures, business cards, and external communications. Replace individual addresses with department-level aliases (for example, security@ and hr@ rather than an individual's first.last@ address). This reduces the attacker's ability to confirm your naming convention and derive addresses for spear phishing, and makes it harder to single out a specific person in a BEC attack, because the victim cannot be addressed at a personal mailbox learned from public material. It does not, by itself, stop derivation once the convention is known, so pair it with the verification steps in this guide.

  • Create role-based aliases for every externally-facing department
  • Route role-based aliases through ticketing systems for accountability
  • Update all marketing materials, directories, and partner communications
04

Restrict Public Organizational Charts

Remove detailed organizational charts from your corporate website, investor presentations, and publicly accessible documents. If organizational structure information must be shared (e.g., for investor relations), use generic role titles rather than named individuals, and restrict access behind authentication. Internal organizational charts should be classified as sensitive information and shared only on a need-to-know basis. Lobby against the publication of named executive profiles in press materials, annual reports, and third-party directories.

  • Replace "Meet Our Team" pages with department-level descriptions only
  • Review all SEC filings, annual reports, and investor decks for named employees
  • Request removal from third-party business directories and rating sites
05

Implement Verification Procedures for Sensitive Requests

Establish and enforce strict verification procedures for any request that could lead to sensitive actions, password resets, account changes, wire transfers, data access grants, or configuration changes. Never rely solely on the caller's claimed identity or knowledge of employee names as verification. Implement callback procedures using phone numbers stored in your internal directory (not numbers provided by the caller), require multi-factor authentication for password resets, and create escalation paths for unusual or urgent requests that bypass normal processes.

  • Always call back on a known, stored number, never one supplied by the caller
  • Require MFA for all privileged account password resets
  • Create an "urgent request" protocol that adds extra verification steps
  • Train IT helpdesk and finance staff specifically on social engineering tactics
06

Conduct Regular Social Engineering Assessments

Run quarterly social engineering penetration tests that specifically test your organization's resilience to attacks leveraging employee name information. These assessments should include simulated spear phishing emails (crafted using OSINT-gathered names and roles), vishing calls targeting the IT helpdesk and finance department, and pretexting scenarios that test whether employees verify the identity of callers claiming to be executives or trusted partners. Track metrics over time (click rates, information disclosure rates, successful impersonation rates) to measure improvement and identify training gaps.

  • Use realistic phishing lures based on your actual OSINT exposure
  • Include vishing and smishing (SMS phishing) in your test scenarios
  • Report results to leadership with trend data showing improvement
07

Deploy Voice Authentication and Callback Procedures

Implement voice biometric authentication for high-privilege operations, particularly password resets, account changes, and financial transaction authorizations conducted over the phone. Voice biometrics add a layer that stolen names and spoofed caller ID alone cannot defeat, but they are not a stand-alone control: AI voice cloning can target them, so combine voice authentication with mandatory callback procedures using pre-registered phone numbers, and implement time delays for high-value transactions to allow additional verification. Train employees to expect and welcome these verification steps rather than viewing them as obstacles.

  • Deploy voice biometrics for IT helpdesk and finance department calls
  • Implement 24-hour cooling-off periods for wire transfers above thresholds
  • Create a "safe word" system for executive-to-executive urgent requests
  • Log and audit all privileged account changes for forensic analysis

Common Mistakes & Best Practices

❌ Common Mistakes

  • Publishing detailed "Meet the Team" pages with full names, photos, titles, departments, and direct contact information on the corporate website, providing adversaries with a ready-made target list complete with everything needed to craft convincing impersonations.
  • Allowing employees to list their work email addresses publicly on LinkedIn or other social media platforms, giving attackers confirmed email addresses that can be used immediately for spear phishing without any guesswork or derivation effort.
  • Using predictable email naming conventions (such as first.last@company) across the entire organization without any rate limiting or enumeration protection on the mail gateway, so that once an attacker confirms one address they can derive every employee's address from the harvested names.
  • Neglecting to train employees on social engineering awareness, assuming that technical controls like spam filters are sufficient protection, when in reality the most effective BEC and spear phishing attacks bypass technical defenses entirely by leveraging personal details that only proper training can help employees recognize as suspicious.
  • Trusting caller ID and email display names as identity verification: both are trivially spoofed, yet many helpdesks and executive assistants still treat a caller who "is" the CFO as verified simply because the caller ID matches, without any independent callback or authentication.

✓ Best Practices

  • Implement role-based email aliases for all external communications, use department-level addresses (security@, hr@, info@) for all public-facing contact points, and keep individual employee email addresses strictly internal to prevent enumeration and targeted phishing.
  • Conduct quarterly OSINT audits of your organization's public exposure, systematically search LinkedIn, Google, social media, job boards, and archived websites to discover what employee names and details are publicly accessible, then work to remove or reduce the most sensitive exposures.
  • Deploy mandatory annual social engineering awareness training that uses realistic simulations based on your actual organizational structure and employee data, including simulated BEC emails, vishing calls, and pretexting scenarios that reference real names, projects, and relationships.
  • Implement callback verification with stored numbers for all sensitive requests, never trust caller-provided contact information, always callback using numbers from your internal directory, and require multiple verification factors before performing password resets, account changes, or financial transactions.
  • Deploy voice biometric authentication for high-privilege operations: it adds a verification layer that stolen names and spoofed caller ID alone cannot defeat. It is not immune to AI voice cloning, so keep callback verification and transaction delays in the loop rather than relying on the voice match by itself.

Red Team vs. Blue Team Perspective

RED TEAM

☠ Attacker View: How to Exploit Employee Names

From the adversary's perspective, employee names are the lowest-cost, highest-return intelligence available during the reconnaissance phase. They are freely available, rarely protected, and instantly weaponizable. The red team approach begins with broad OSINT collection: scraping LinkedIn for every employee profile associated with the target domain, using Google dorking to find named individuals in press releases, conference programs, and court filings, and harvesting social media posts that reveal internal relationships, project names, and organizational changes.


Once a comprehensive name database is built, the red team uses it to derive email addresses using common corporate naming conventions (firstname.lastname@, flast@, firstinitiallastname@), then validates these addresses using tools that check for SMTP responses. Validated emails become targets for spear phishing campaigns personalized with the recipient's name, title, department, and known projects. For BEC attacks, the red team identifies C-suite executives and finance staff, studies their communication patterns and relationships, and crafts emails that impersonate these individuals in time-sensitive authorization requests.
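The derivation step described above, as an added example (not the page's tooling and not the code of any tool named on this page): it normalizes harvested names, infers which convention the company uses from a single confirmed address, and applies that convention to every other name. The names are the page's own mock-up persons; the domain nexus.example and the confirmed address mwebb@nexus.example are placeholders. The same code serves the definition section's point about deriving addresses from names, and Step 01 of the guide: run it against your own directory to see exactly what a predictable convention exposes.

```python
"""Derive candidate e-mail addresses from harvested employee names.

Added example; not the page's tooling nor any named tool's code. The names
are the page's mock-up persons and nexus.example is a placeholder domain.
Nothing here touches the network: validating candidates (SMTP RCPT TO,
bounce analysis) is a separate, noisier step.
"""
import re
import unicodedata
from typing import Dict, List, Optional, Tuple

# Conventions that appear in the wild. f = first name, l = last name,
# fi / li = first / last initial.
CONVENTIONS = {
    "first.last": "{f}.{l}",
    "first_last": "{f}_{l}",
    "firstlast": "{f}{l}",
    "flast": "{fi}{l}",
    "f.last": "{fi}.{l}",
    "firstl": "{f}{li}",
    "first": "{f}",
    "last.first": "{l}.{f}",
}
SUFFIXES = {"jr", "jr.", "sr", "sr.", "ii", "iii", "iv", "phd", "md", "esq"}


def normalize(token: str) -> str:
    """Lower-case, strip accents (NFKD) and drop anything that is not a-z0-9."""
    ascii_form = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_form.lower())


def split_name(full_name: str) -> Tuple[str, str]:
    """(first, last) from a display name. Middle names/initials and suffixes
    are dropped; a hyphenated surname is kept as one token."""
    parts = [p for p in full_name.replace(",", " ").split() if p.lower() not in SUFFIXES]
    if len(parts) < 2:
        raise ValueError(f"need first and last name: {full_name!r}")
    first, last = normalize(parts[0]), normalize(parts[-1])
    if not first or not last:
        raise ValueError(f"name does not normalize to ASCII: {full_name!r}")
    return first, last


def candidates(full_name: str, domain: str) -> Dict[str, str]:
    """Every candidate address for one person, keyed by convention."""
    f, l = split_name(full_name)
    return {key: f"{tpl.format(f=f, l=l, fi=f[0], li=l[0])}@{domain}"
            for key, tpl in CONVENTIONS.items()}


def infer_convention(known_name: str, known_email: str) -> Optional[str]:
    """Which convention does one confirmed address (a press contact, a bounce,
    a signature in a public PDF) follow? None if it matches no template."""
    local, _, domain = known_email.lower().partition("@")
    for key, addr in candidates(known_name, domain).items():
        if addr.partition("@")[0] == local:
            return key
    return None


def derive_all(names: List[str], known_name: str, known_email: str) -> Dict[str, List[str]]:
    """Apply the inferred convention to every harvested name. If nothing
    matched, fall back to all conventions so a validation step can prune."""
    convention = infer_convention(known_name, known_email)
    domain = known_email.lower().partition("@")[2]
    out = {}
    for name in names:
        cands = candidates(name, domain)
        out[name] = [cands[convention]] if convention else sorted(set(cands.values()))
    return out


if __name__ == "__main__":
    harvested = ["Sarah J. Chen", "David Okonkwo", "Priya Sharma", "José Núñez-García"]
    for name, addrs in derive_all(harvested, "Marcus Webb", "mwebb@nexus.example").items():
        print(f"{name:20} -> {', '.join(addrs)}")
```

The defensive reading is the interesting one: a single public address (a press contact, an investor-relations signature) is enough to pin the convention, after which every harvested name becomes one address rather than eight guesses. Accent stripping and suffix handling matter because a naive derivation misses exactly the employees whose names do not fit an ASCII first/last template.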


For vishing operations, employee names enable pretext building: the attacker calls a helpdesk or executive assistant, claims to be a named employee (whose voice they may clone using AI deepfake technology), and references specific colleagues and projects to establish credibility. The more names the attacker knows, the more convincing the impersonation becomes. Names are not just data points, they are keys that unlock trust, and trust is the ultimate vulnerability.

Typical tooling: theHarvester, Maltego, LinkedIn scrapers, SpiderFoot, Shodan, GHunt
BLUE TEAM

🛡 Defender View: How to Detect & Prevent

For defenders, the challenge is that employee name collection happens entirely outside your perimeter: you cannot detect or block an attacker browsing public LinkedIn profiles or reading your press releases. Defense therefore focuses on reducing the available attack surface (minimizing what information is publicly accessible) and hardening the human layer (training employees to recognize social engineering attempts that lean on name-based personalization).


Blue team countermeasures include: OSINT monitoring programs that regularly audit what employee information is publicly exposed; role-based email aliasing that prevents individual email enumeration; enhanced email authentication (DMARC, DKIM, SPF) that makes it harder for attackers to spoof your domains; callback verification procedures for sensitive operations; and behavioral analytics that detect unusual access patterns, such as a helpdesk technician receiving multiple calls requesting password resets in a short period, or an executive's email being used to send unusually urgent financial authorization requests from an atypical location.


Continuous social engineering testing is essential, not one-time assessments, but ongoing programs that adapt to your evolving exposure. Track metrics like phishing click rates, vishing success rates, and time-to-report, and use them to focus training investments. Implement voice biometrics for phone-based authentication and hard breaks in financial transaction workflows that require independent verification regardless of the perceived urgency. The goal is not to eliminate employee names from the internet (which is impossible) but to make it so that knowing a name is never sufficient to compromise your organization.

Typical tooling: DMARC analyzers, KnowBe4, Proofpoint TAP, Microsoft Defender, Abnormal Security, voice biometrics platforms

Threat Hunter's Eye: Detection Opportunities

🔎 What Threat Hunters Should Look For

While the actual collection of employee names (T1589.003) occurs outside your network and cannot be directly detected, threat hunters can identify the downstream effects of name-based reconnaissance by monitoring for patterns that indicate an adversary is using harvested employee data in active operations. Here are the key detection signals and hunting hypotheses:

Detection signal: Email enumeration probes
  What to monitor: bursts of RCPT TO commands or SMTP VRFY probes against derived addresses (first.last@, flast@, etc.), typically many "user unknown" rejects from one source in a short window
  Data source: mail server logs, SMTP gateway

Detection signal: Spear phishing with name personalization
  What to monitor: inbound emails that correctly reference internal employee names, titles, or projects not available to external parties
  Data source: email gateway, SIEM, SOC reports

Detection signal: BEC impersonation patterns
  What to monitor: emails from lookalike domains that spoof executive names, with urgent language requesting wire transfers or credential changes
  Data source: DMARC reports, email security platform

Detection signal: Helpdesk social engineering attempts
  What to monitor: multiple password reset requests in short windows; callers who name specific employees to build trust
  Data source: service desk ticketing system, call logs

Detection signal: LinkedIn profile scraping traffic
  What to monitor: unusual volumes of LinkedIn traffic from company IP ranges or VPN endpoints (this catches insider reconnaissance or a compromised host, not external scrapers)
  Data source: proxy/web filter logs, DNS logs

Detection signal: Account takeover correlation
  What to monitor: compromised employee accounts used to access HR databases, org charts, or contact lists (post-exploitation enumeration)
  Data source: UEBA, IAM logs, cloud SIEM
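To make the first signal concrete, here is an added example (not the page's or any vendor's code) that runs the enumeration check over constructed Postfix-style reject lines. It assumes a fixed log year (syslog timestamps carry none) and the placeholder domain nexus.example. The detector flags any source IP that was refused at least five distinct recipients within 60 seconds and reports which naming conventions the probes appear to be testing, which is itself useful intelligence: it tells you which of your conventions the attacker has already guessed.

```python
"""Detect e-mail address enumeration in SMTP reject logs.

Added example, not the page's or any vendor's code. Log lines are constructed
in Postfix smtpd style; LOG_YEAR is an assumption because syslog timestamps
carry no year; nexus.example is a placeholder domain.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2024

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 [^<]*<(?P<rcpt>[^>]+)>"
)


def reject_line(ts, client, ip, rcpt):
    """Build a constructed Postfix 'user unknown' reject line for the demo."""
    return (f"{ts} mx1 postfix/smtpd[2817]: NOQUEUE: reject: RCPT from {client}[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<audit@example.net> to=<{rcpt}> proto=ESMTP helo=<probe>")


# Constructed sample: six probes in 15 s from one source, one genuine typo from a
# partner, and an unrelated connection line that the parser must ignore.
SAMPLE_LOG = [
    reject_line("Oct 20 09:14:02", "unknown", "203.0.113.7", "sarah.chen@nexus.example"),
    reject_line("Oct 20 09:14:05", "unknown", "203.0.113.7", "schen@nexus.example"),
    reject_line("Oct 20 09:14:08", "unknown", "203.0.113.7", "s.chen@nexus.example"),
    reject_line("Oct 20 09:14:11", "unknown", "203.0.113.7", "marcus.webb@nexus.example"),
    reject_line("Oct 20 09:14:14", "unknown", "203.0.113.7", "mwebb@nexus.example"),
    reject_line("Oct 20 09:14:17", "unknown", "203.0.113.7", "dokonkwo@nexus.example"),
    reject_line("Oct 20 09:15:10", "mail.partner.example", "198.51.100.4", "priya.sharm@nexus.example"),
    "Oct 20 09:15:12 mx1 postfix/smtpd[2819]: connect from mail.partner.example[198.51.100.4]",
]


def parse_reject(line):
    """(timestamp, source ip, recipient) for a 550 reject line, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"].lower()


def convention_hint(local_part):
    """Guess which naming convention a probed local-part was generated from."""
    if re.fullmatch(r"[a-z]\.[a-z]+", local_part):
        return "f.last"
    if re.fullmatch(r"[a-z]+\.[a-z]+", local_part):
        return "first.last"
    if re.fullmatch(r"[a-z]+_[a-z]+", local_part):
        return "first_last"
    if re.fullmatch(r"[a-z]{4,}", local_part):
        return "flast/firstlast"
    return "other"


def detect_enumeration(lines, min_distinct=5, window_s=60):
    """{ip: {"distinct": n, "conventions": {...}}} for sources refused at least
    min_distinct distinct recipients within any window_s-second window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_reject(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {rcpt for _, rcpt in evs[start:end + 1]}
            if len(distinct) >= min_distinct and len(distinct) > alerts.get(ip, {}).get("distinct", 0):
                hints = defaultdict(int)
                for rcpt in distinct:
                    hints[convention_hint(rcpt.partition("@")[0])] += 1
                alerts[ip] = {"distinct": len(distinct), "conventions": dict(hints)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct']} distinct recipients refused; conventions {info['conventions']}")
```

Tune min_distinct and window_s against your own baseline: mailing-list bounces and a partner with a stale address book also produce rejects, but they rarely cycle through three different conventions for the same surname inside a minute, which is the tell this check is built around.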

📚 Hunting Hypotheses

Hypothesis 1: If an adversary has harvested our employee email addresses, we should see an increase in targeted phishing emails that use first-name-only greetings (e.g., "Hi Sarah" instead of "Dear User") and reference our actual department names and project codenames.

Hypothesis 2: If attackers are using our organizational chart for BEC, we should detect email spoofing attempts that impersonate executives by name, originating from domains that are character-level variations of our actual domain.

Hypothesis 3: If vishing attacks are leveraging employee name data, our helpdesk should experience an uptick in callers who accurately name specific employees when requesting password resets or access changes.
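Hypothesis 2 as an added, runnable check (not the page's tooling): it parses From headers, classifies the sender domain against a protected domain as internal, homoglyph, typosquat, combo-squat or plain external, flags executive display names arriving from outside the company, and notes urgency language in the subject. The protected domain nexus.example, the executive watchlist and the message headers are all constructed for the example; registrable_label() assumes a simple two-level domain rather than consulting the Public Suffix List.

```python
"""Hunt for BEC sender spoofing: lookalike domains and executive
display-name impersonation.

Added example, not the page's tooling. PROTECTED_DOMAINS, EXECUTIVES and the
sample headers are constructed from the page's mock-up; registrable_label()
assumes two-level domains instead of consulting the Public Suffix List.
"""
import re

PROTECTED_DOMAINS = {"nexus.example"}
EXECUTIVES = {"marcus webb", "james mitchell"}  # CEO and CFO from the mock-up
URGENCY = re.compile(r"\b(urgent|asap|wire|payment|invoice|past due|today)\b", re.I)

# Characters commonly swapped in to fool the eye: Cyrillic look-alikes and digits.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "0": "o", "1": "l", "3": "e", "5": "s",
})
DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def canon(label):
    """Collapse confusables so a homoglyph domain compares equal to the real one."""
    s = label.lower().translate(CONFUSABLES)
    for pair, single in DIGRAPHS:
        s = s.replace(pair, single)
    return s.replace("-", "")


def levenshtein(a, b):
    """Plain edit distance; small inputs, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header):
    """('Display Name', 'domain') from a From: header value."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    name, addr = (m.group(1), m.group(2)) if m else ("", header)
    return name.strip(), addr.strip().rpartition("@")[2].lower()


def registrable_label(domain):
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain  # assumption: no PSL lookup


def domain_verdict(domain):
    """internal | homoglyph | typosquat | combosquat | external"""
    if domain in PROTECTED_DOMAINS:
        return "internal"
    label = registrable_label(domain)
    for protected in PROTECTED_DOMAINS:
        real = registrable_label(protected)
        if canon(label) == canon(real):
            return "homoglyph"
        if levenshtein(label, real) <= 2:
            return "typosquat"
        if real in label:
            return "combosquat"
    return "external"


def analyze(msg):
    """Reasons this message looks like name-based impersonation (empty = clean)."""
    name, domain = parse_from(msg["from"])
    verdict = domain_verdict(domain)
    reasons = []
    if verdict not in ("internal", "external"):
        reasons.append(f"lookalike domain ({verdict}): {domain}")
    clean_name = " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())
    if verdict != "internal" and clean_name in EXECUTIVES:
        reasons.append(f"executive display name from outside the company: {name!r}")
    if reasons and URGENCY.search(msg.get("subject", "")):
        reasons.append("urgency or financial language in subject")
    return reasons


def hunt(messages):
    flagged = []
    for msg in messages:
        reasons = analyze(msg)
        if reasons:
            flagged.append((msg["from"], reasons))
    return flagged


# Constructed sample headers (not real mail).
SAMPLE_MESSAGES = [
    {"from": "Marcus Webb <marcus.webb@nexus.example>", "subject": "Q4 planning"},
    {"from": '"Marcus Webb" <marcus.webb@nexsu.example>',
     "subject": "URGENT, ACME Vendor Payment Authorization Needed Today"},
    {"from": "Marcus Webb <marcuswebb.ceo@gmail.example>", "subject": "quick favor"},
    {"from": "Alice Park <alice@acme.example>", "subject": "Invoice past due"},
    {"from": "IT Helpdesk <help@n\u0435\u0445us.example>", "subject": "Password reset required today"},
]

if __name__ == "__main__":
    for sender, reasons in hunt(SAMPLE_MESSAGES):
        print(sender, "->", "; ".join(reasons))
```

Two design notes. Urgency language on its own never flags a message (the partner's "Invoice past due" stays clean); it only raises the severity once a domain or display-name finding exists, which keeps the hunt focused on impersonation rather than tone. And an edit distance of 2 will also catch unrelated short domains near yours, so treat the verdict as a lead and maintain an allow-list of known partners rather than blocking on it.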

Related Techniques in Identity Reconnaissance

Employee Names (T1589.003) is one of three sub-techniques under Gather Victim Identity Information (T1589); the other two are Credentials (T1589.001) and Email Addresses (T1589.002). Together they cover the identity-based reconnaissance surface.

Remember: every employee name published online is a potential key to your organization. Audit your exposure, train your people, and verify everything. The human layer is both the most targeted and the most defensible, if you invest in it.


