Summary
Most security programs focus on the attack itself. Very few pay attention to what happens before the attack, the quiet reconnaissance phase when criminals spend days or even weeks gathering information about a person or company before sending a single email or message.
This early stage is often the most important. Attackers don't need to break through your firewall. Instead, they collect information that is already available online from your company, employees, vendors, and data leaks. They then piece it together to create a detailed profile that helps them convincingly pretend to be someone you trust.
The key takeaway from this issue is simple: if you can see the information an attacker can gather about you, you can stop the attack before it begins. We'll walk through the attacker's process in three steps, 1) collect, 2) connect, and 3) weaponize, and then show how to turn that knowledge into a stronger defense.
I built Footprint Lab to help people quickly check their username and email exposure, see what an attacker might discover about them online, and export the results as a PDF report. Clone it from GitHub and run it locally with one command (docker compose up -d --build), then enter your email, verify it's yours, and check what an attacker would see: where that address is registered across the web and whether it has turned up in known breaches. The application and its results stay on your own machine; the one thing that necessarily leaves it is the lookup itself, since the username or email you scan is sent to the sites being checked and to the Have I Been Pwned API. The README covers setup and ethical use.
How to Use Footprint Lab to Assess Your Username and Email Exposure
Step 1: Clone the Repository
Clone the source code from GitHub:
git clone https://github.com/jkasaudhan/footprint-lab
cd footprint-lab
Step 2: Install Docker
Make sure Docker and Docker Compose are installed and running on your computer. Footprint Lab runs locally inside Docker containers.
Step 3: Start the Application
Run: docker compose up -d --build
This will install the required OSINT tools (Maigret, Holehe, theHarvester, and Have I Been Pwned integration) and start the application at:
http://localhost:7860

Step 4: Verify Your Email
Enter the email address you want to check. To retrieve the verification code,
run: docker compose logs app
The logs display the submitted email address and the verification code. Since everything runs locally, no SMTP or email configuration is required. Because the code is read from the container logs rather than delivered to the mailbox, this step is a consent check for your own local instance, not proof of ownership; the README's ethical-use guidance still applies.


Step 5: Check Username Exposure
Enter a username to search across 300+ sites and discover where it appears publicly online.



Step 6: Check Email Exposure
Navigate to the Research page and click Scan My Email to identify services associated with your email address and check for known data breaches.
For more detailed breach information, obtain an API key from Have I Been Pwned and configure it in the application. Once the scan is done, stop the application with docker compose down.

1) Collect: the profile is built from what's already public
An attacker's first move is open-source intelligence (OSINT): gathering what's freely available. No intrusion required.
The raw material is everywhere. A reused username links your professional and personal accounts. A work email reveals your company's naming convention (first.last@), so the rest of the organization chart becomes guessable. Conference talks, webinars, and podcast appearances supply clean voice and video. Old breaches hand over passwords and the list of services you use, and breach data is abundant: an email check at Have I Been Pwned usually surprises people with how many of their accounts already sit in a known leak.
None of these is alarming alone. That's the trap. Each is a fragment, and fragments feel harmless.
2) Connect: fragments become an identity
The power isn't in any single data point; it's in correlation. Scattered fragments get joined into one confident profile, and that profile is what makes you impersonable.
A handle found on one site is searched across hundreds more. An extracted real name plus a city narrows a LinkedIn match. The same avatar across platforms confirms it's one person. A leaked email reveals the corporate email pattern, which reveals the CFO's likely address.
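To make the "connect" step concrete, here is an added Python example covering the two claims above about email patterns (the naming convention inferred in the Collect section, and the CFO's address guessed from it here). It is not part of Footprint Lab, theHarvester, or any other tool named on this page; all names and addresses are constructed sample data for the fictitious domain example.com, and the set of conventions tried is an assumption, not an exhaustive list.

```python
"""Infer a company's email naming convention from a few addresses that are
already public, then predict the address of a named target such as the CFO.

Added example for this article; it is not part of Footprint Lab, theHarvester
or any other tool mentioned here. All names and addresses below are
constructed sample data for the fictitious domain example.com.
"""
from __future__ import annotations

import re
from collections import Counter

# Conventions an attacker (or a defender auditing their own org) would try.
# Each maps a normalised (first, last) pair to the local part of the address.
# Assumed list for illustration; real tooling tries many more.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first":      lambda f, l: f,
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
}


def normalise(name: str) -> str:
    """Lower-case and drop anything that is not a letter, so that
    "O'Brien" becomes "obrien" the way most mail systems render it."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_pattern(observed: list[tuple[str, str, str]]) -> tuple[str | None, dict[str, int]]:
    """Vote for each convention that reproduces an observed address.

    observed holds (first_name, last_name, email) triples collected from
    public sources (press releases, conference bios, breach dumps).
    Returns (best_pattern, votes); best_pattern is None if nothing matched.
    """
    votes: Counter[str] = Counter()
    for first, last, email in observed:
        local = email.split("@", 1)[0].lower()
        f, l = normalise(first), normalise(last)
        if not f or not l:
            continue  # e.g. a mononym; cannot exercise the patterns
        for name, render in PATTERNS.items():
            if render(f, l) == local:
                votes[name] += 1
    if not votes:
        return None, {}
    return votes.most_common(1)[0][0], dict(votes)


def candidate_emails(first: str, last: str, domain: str,
                     votes: dict[str, int]) -> list[tuple[str, int]]:
    """Predicted addresses for a person who never appeared in the observed
    set, ordered by how often each convention was seen. This is the list an
    attacker would phish, and the list a defender should expect to be guessed."""
    f, l = normalise(first), normalise(last)
    ranked = sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(f"{PATTERNS[name](f, l)}@{domain}", n) for name, n in ranked]


# Constructed sample input: three addresses that surfaced via public sources.
OBSERVED = [
    ("Alice", "Nguyen", "alice.nguyen@example.com"),  # press release
    ("Bob", "O'Brien", "bob.obrien@example.com"),     # conference speaker bio
    ("Carol", "Diaz", "cdiaz@example.com"),           # legacy account in a breach dump
]

if __name__ == "__main__":
    best, votes = infer_pattern(OBSERVED)
    print("inferred convention:", best, votes)
    # The CFO's name is on the company website; the address itself never leaked.
    for addr, n in candidate_emails("Dana", "Kowalski", "example.com", votes):
        print(f"  {addr}  (convention seen {n}x)")
```

Two addresses are enough to settle the convention, and the one exception (a legacy flast@ account) is kept as a lower-ranked candidate rather than discarded, which is how an attacker hedges when phishing a target who never appeared in any leak. Run the same routine over your own public addresses to see how much of your org chart is a free guess.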
This is exactly how the threat group Scattered Spider operates, the crew behind the 2025 wave of attacks on UK retailers (Marks & Spencer, Co-op, Harrods) and later on airlines and insurers. According to the joint CISA/FBI advisory (updated July 2025), they run extensive OSINT to impersonate employees and IT staff, then call the help desk sounding like someone who belongs and talk their way into an MFA reset. They don't fight the firewall. They convince a person, and the reconnaissance is what makes the call convincing.
3) Weaponization: Impersonation, Deepfakes, and Fraud
Once enough information has been gathered, attackers turn it into a convincing, targeted approach. Today, three tactics stand out: business email compromise, pretexting, and AI-generated voice and video impersonation.
Business Email Compromise (BEC) remains one of the most financially damaging cybercrime schemes. According to FBI IC3 data referenced in the Verizon Data Breach Investigations Report (DBIR), reported BEC losses reached approximately $6.3 billion in 2024, with a median loss of nearly $50,000 per incident, an amount capable of crippling many small businesses. The use of pretexting, where attackers create believable narratives to gain trust, now accounts for roughly one-third of social engineering incidents.
AI-generated voice and video impersonation has further amplified the threat landscape. Advances in voice-cloning technology mean that only a few minutes of publicly available audio may be enough to create a convincing synthetic voice. Recognizing this growing risk, the FBI issued a public warning in 2025 about attackers using AI-generated voice and text messages to impersonate senior U.S. officials, establish trust with targets, and gain access to sensitive accounts. By mid-year, these campaigns had escalated to include voice-clone impersonations of the U.S. Secretary of State.
Common Misconceptions That Leave SMBs Vulnerable
Several common beliefs continue to leave small and medium-sized businesses exposed to cyber threats.
"We're too small to be targeted."
Attackers focus on opportunity, not company size. With automated reconnaissance tools, profiling organizations has become easy and inexpensive. For many SMBs, a single successful Business Email Compromise (BEC) attack can have serious financial consequences.
"MFA is enough."
Multi-Factor Authentication (MFA) is essential, but it is not foolproof. Cybercriminals increasingly use social engineering, MFA fatigue attacks, help-desk reset requests, and other techniques designed to bypass or undermine MFA protections.
"Deepfakes are only a problem for large companies."
Anyone with a digital presence can be targeted. Publicly available photos, videos, and audio recordings can be used to create convincing impersonations, regardless of the size of the organization.
"If I hear their voice or see their face, it must be real."
Advances in AI have made voice and video impersonation highly convincing. Familiarity is no longer proof of identity. Verification should always be part of the process, especially when sensitive information or financial transactions are involved.
Practical Steps: Understand Your Exposure and Break the Attack Chain
The most effective way to defend against reconnaissance-driven attacks is to assess your own digital footprint before an attacker does.
Step 1 : Understand Your Exposure
Start by reviewing the online footprint of your organization and key personnel. Tools such as Footprint Lab allow users to verify ownership of an email address and discover where it has been registered or exposed in known breaches, providing valuable insight into what information may be available to attackers.
For a deeper assessment, several widely used open-source tools can help identify publicly exposed information:
Maigret: Discovers where usernames exist across online platforms and identifies publicly available profile details.
Holehe: Checks which online services are associated with a specific email address.
theHarvester: Collects publicly available email addresses, domains, and subdomains linked to an organization.
Have I Been Pwned: Identifies whether an email address has appeared in known data breaches.
These tools should only be used on your own accounts, with the consent of team members, or under explicit authorization.
Step 2: Reduce Your Attack Surface
Remove unused accounts, separate personal and professional identities where possible, and immediately change credentials that have been exposed in breaches. While some public content, such as executive presentations or media appearances, cannot realistically be removed, organizations can compensate by strengthening verification processes.
Step 3: Make Impersonation Ineffective
Even the most convincing deepfake or impersonation attempt can be stopped with proper verification controls. Establish out-of-band verification procedures for financial transactions, account changes, and other sensitive requests. This may include callbacks to known phone numbers, shared verification phrases, or dual approval requirements.
Most importantly, train employees, especially finance, HR, and help-desk teams, to understand that a familiar voice, face, or email address is no longer sufficient proof of identity. Verification, not recognition, should be the foundation of trust.
Conclusion
The defining cybersecurity shift of 2025–2026 is not simply that deepfakes and AI-generated content have become more convincing, it is that authenticity can no longer be taken for granted. A familiar voice, face, or email address is no longer sufficient proof of identity.
Attackers have become highly effective at gathering publicly available information and using it to build trust through impersonation and social engineering. However, this process depends on two critical factors: access to convincing information and an opportunity to exploit unverified trust.
Organizations can significantly reduce their risk by limiting unnecessary public exposure and implementing independent verification processes for sensitive requests. Rather than trying to outpace every new deepfake technology, the goal should be to make impersonation harder and verification routine.
The best place to start is by viewing your organization through an attacker's eyes. Understanding what information is publicly available about your people, systems, and operations can reveal weaknesses before an adversary does. In many cases, assessing your own exposure is one of the most cost-effective forms of threat intelligence available.
About Deepfake Finance
It is a free weekly briefing you can read in under 10 minutes, covering how deepfakes are actually built, real deepfake fraud case studies, honest detection tool reviews, and prevention protocols that work. Written independently. 1,000+ cybersecurity professionals, founders, and IT managers across SMBs already read it. Feel free to forward it to friends who might benefit from this newsletter.
Have you seen something that didn't feel right, or got questions you don't know who to ask? Whether you've encountered a suspected deepfake, want to understand your exposure, or just want to talk through what's happening in this space, I'm setting aside time for free 30-minute calls.

