Visit the website of most mid-sized or large organisations and you’ll find a familiar landing page: a ‘meet the team’ or ‘about us’ section, complete with headshots, full names, job titles and links to employees’ social media profiles.
For many organisations – particularly those in professional services, technology, consulting and regulated sectors – public visibility like this isn’t optional. Customers increasingly expect to see who they are dealing with, recruitment depends on identifiable culture and expertise, and named individuals often function as a trust signal in markets saturated with anonymous or AI-generated content.
To an attacker conducting reconnaissance, however, the same information can provide a verified starting point for spear phishing attacks.
This means that most organisations must balance trust, recruitment, credibility and accessibility against the reality that public information can also support social engineering.
What corporate websites typically expose
This exposure goes far beyond the about us page. A routine reconnaissance pass across a corporate web estate can reveal:
- Named employees, titles, and photos. Leadership pages and team biographies provide attackers with a verified roster of high-value targets. Photos support impersonation and physical reconnaissance, while titles such as Head of Finance or IT Operations Manager identify who matters most.
- Email addresses, or the pattern behind them. Even a handful of published addresses such as press@ or sales@ is often enough to identify the company’s email format, which attackers can use to test for valid recipients.
- Links to social media profiles. A LinkedIn profile connected to an employee biography can expose tenure, education, certifications, previous employers and professional networks. That can be enough to convincingly impersonate a colleague or manager.
- Press releases, case studies and blogs. These often reveal active projects, key clients, suppliers, partners, recent contract wins and even internal writing style, all useful material for convincing pretexts.
- Job adverts and careers pages. A vacancy requesting experience with, for example, CrowdStrike Falcon, Okta and AWS Control Tower reveals technologies in use, defensive controls and potential capability gaps.
- Investor and regulatory disclosures. Annual reports, SEC or Companies House filings, and investor presentations frequently identify directors, auditors, suppliers, and strategic partners.
Individually, each detail seems harmless. Combined, they form a highly effective intelligence profile.
How that profile gets weaponised
A spear phishing campaign builds in stages: selecting a target, gathering OSINT (open-source intelligence), crafting a believable pretext and delivering it through email, chat, SMS or a phone call. Once the target engages, the attacker pivots to credential harvesting, malware execution, lateral movement or data exfiltration.
It is the personalisation step, fed almost entirely by public corporate information, that turns a generic phishing attempt into a spear phishing attack, and the difference is significant. Barracuda’s analysis of 50 billion emails found that while spear phishing accounts for less than 0.1% of email volume, it is responsible for 66% of breaches.
A pretext call to the IT helpdesk that opens with the caller’s real name, real job title, real manager’s name and a plausible reference to a recent project, all sourced from public pages, may bypass normal verification processes.
A phishing email that addresses an employee by name, references a colleague they connected with on LinkedIn last week, mentions a conference the employee spoke at last month and adopts the writing style of a CEO whose blog posts are hosted on the corporate site, can be difficult for employees to distinguish from legitimate correspondence.
Generative AI has compressed the timeline. Tasks that once demanded weeks of manual reconnaissance can now be completed in hours, with tools that scrape, correlate, and summarise OSINT data far faster than humans. Research published in December 2024 by Heiding, Schneier and colleagues found that fully automated AI-generated phishing emails achieved click-through rates of approximately 54%, against 12% for non-personalised controls, performing on par with human experts.
The downstream cost is not theoretical. The FBI’s 2024 Internet Crime Report attributes $2.77 billion in reported losses to Business Email Compromise alone and separate Barracuda research found that 77% of BEC attacks target employees outside finance and senior leadership. The targets are sales staff, project managers and ops leads – exactly the people most likely to appear on a public team page.
Case study: the 2023 MGM resorts attack
In September 2023, MGM Resorts was attacked by the threat group Scattered Spider (also tracked as UNC3944 and Octo Tempest). The reconnaissance was the same approach used against Twitter three years earlier, only more polished. The group used LinkedIn to identify a current MGM employee, assumed their identity and called the MGM IT helpdesk requesting help logging into their account. The call lasted around ten minutes. By the end, the attackers had administrator privileges to MGM’s Okta and Azure tenant environments.
From there the incident escalated quickly. ALPHV/BlackCat ransomware was deployed across MGM’s ESXi infrastructure, slot machines went offline, digital room keys stopped working, and guests at the Bellagio, MGM Grand and Aria queued in lobbies while staff handled check-ins on paper. MGM has put the operational cost at roughly $100 million (approximately £77 million), and in June 2025 a federal court in Nevada granted final approval to a $45 million (approximately £35 million) class-action settlement, paid into a settlement fund by MGM’s cyber insurers.
The failure at MGM was not the existence of public employee information, but the absence of verification controls capable of resisting impersonation supported by that information. The attackers required nothing more than publicly accessible organisational context to convincingly impersonate an employee during a helpdesk interaction. The technique has continued to appear in advisories from CISA, Mandiant, Unit 42 and the FBI throughout 2024, 2025 and 2026.
The same group has been linked to the April 2025 attacks on UK retailers including Marks & Spencer, the Co-op and Harrods. The Cyber Monitoring Centre, an industry body backed by the UK insurance sector, assessed the M&S and Co-op incidents as a single combined Category 2 systemic event with a total financial impact between £270 million and £440 million, with M&S alone reporting around £300 million in lost operating profit. The publicly known attack pattern began in the same place: identifying employees through public sources and impersonating them to the helpdesk.
From a recent engagement
A recent external infrastructure and web application penetration test that we conducted illustrates how quickly this type of exposure compounds when combined with other public data.
From a vulnerability perspective, the engagement found little: the infrastructure was secure and the attack surface minimal. However, the staff directory was a different story. It listed 58 employees and each profile exposed:
- Full name.
- Job title and business unit, such as Risk Consulting, Tax Services or Audit and Assurance.
- Corporate email address.
- A direct LinkedIn link for 56 of the 58 entries.
- A headshot and a link to a dedicated employee biography page.
Individually, none of this appears especially sensitive. The problem is that the directory does not stay isolated.
Cross-referencing the 58 corporate emails against publicly available breach datasets returned matches for 25 accounts. One of those records included a plaintext password from a previous third-party breach.
So, before any active testing even began, we knew that more than 40% of the listed staff had been associated with credentials in known breach data and one individual had a password that could potentially be tried against externally accessible authentication services later in the engagement. None of this required any interaction with the target organisation and every underlying source was freely and publicly accessible.
This is the level of OSINT knowledge an organisation’s controls must assume an attacker already holds before any active engagement begins.
FTSE 350 audit: how typical is this?
If that is one company, what does the wider market look like?
In May 2026, we ran a passive audit of all FTSE 350 organisations, classifying public websites using signals such as LinkedIn links, mailto links, JSON-LD Person blocks, repeating profile card patterns and headshot images. No authentication or bypass was attempted and robots.txt was respected throughout.
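As an added illustration of the signal-based classification described above (example code written for this article, not the tooling behind the audit figures), the Python script below scans a saved HTML page for mailto links, LinkedIn profile links, JSON-LD Person objects and repeating profile-card markup, then places the page in the same size buckets the audit results use (1 to 10, 11 to 50, more than 50 individuals). The team-card class pattern, the example.com addresses and the generated sample page are constructed assumptions.

```python
import json
import re
from html.parser import HTMLParser

def count_persons(node):  # recursive count of schema.org Person objects (handles @graph lists)
    if isinstance(node, dict):
        return (node.get("@type") == "Person") + sum(map(count_persons, node.values()))
    return sum(map(count_persons, node)) if isinstance(node, list) else 0

class TeamPageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mailto, self.linkedin, self.cards, self.persons = set(), set(), 0, 0
        self._ld = None  # text buffer while inside a JSON-LD <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        href, cls = a.get("href", ""), a.get("class", "")
        if tag == "a" and href.startswith("mailto:"):
            self.mailto.add(href[7:].split("?")[0])
        elif tag == "a" and "linkedin.com/in/" in href:
            self.linkedin.add(href.rstrip("/"))
        elif tag == "script" and a.get("type") == "application/ld+json":
            self._ld = []
        elif re.search(r"\b(team|staff|profile)[-_ ]?(card|member)\b", cls):
            self.cards += 1  # repeating profile-card pattern (assumed class naming)

    def handle_data(self, data):
        if self._ld is not None:
            self._ld.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._ld is not None:
            try:
                self.persons += count_persons(json.loads("".join(self._ld)))
            except ValueError:
                pass  # malformed JSON-LD: skip it rather than abort the audit
            self._ld = None

def classify(html):  # signal counts plus the size bucket used in the audit figures
    s = TeamPageScanner()
    s.feed(html)
    people = max(s.persons, s.cards, len(s.linkedin), len(s.mailto))
    bucket = ("none" if people == 0 else "leadership-only" if people <= 10
              else "mid-sized" if people <= 50 else "large")
    return {"people": people, "emails": len(s.mailto), "linkedin": len(s.linkedin),
            "json_ld_persons": s.persons, "cards": s.cards, "bucket": bucket}

def sample_page(n):  # constructed team page with n profile cards; example.com is a placeholder
    cards = "".join(f'<div class="team-card"><h3>Person {i}</h3><a href="mailto:p{i}@example.com">mail</a>'
                    f'<a href="https://www.linkedin.com/in/person-{i}/">LinkedIn</a></div>' for i in range(n))
    ld = json.dumps({"@context": "https://schema.org",
                     "@graph": [{"@type": "Person", "name": f"Person {i}"} for i in range(n)]})
    return f'<html><body><script type="application/ld+json">{ld}</script>{cards}</body></html>'
```

Running `classify` over the HTML of your own team page gives the exposure figures a periodic staff-exposure audit would record; the headcount is taken as the strongest single signal so that a page with cards but no structured data still counts.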
Of the 350 companies we analysed, 316 (90.3%) had a publicly reachable website.
- Among those 316 companies, 61.4% published a detectable team or leadership page.
- The split between indices was narrower than expected:
  - FTSE 100: 62.0%
  - FTSE 250: 52.8%
The exposure was usually limited in scale:
- 87 companies published leadership-only pages with 1 to 10 named individuals.
- 91 companies published mid-sized directories containing 11 to 50 individuals.
- 16 companies published large directories with more than 50 individuals.
That final category matters because it mirrors the engagement discussed earlier.
Roughly 1 in 20 FTSE 350 companies publishes extensive employee directories combining names, photographs, business units and biographies on a browsable public page. The type of high-exposure directory that produced 25 breached email matches is uncommon, but far from unique.
- Among companies that published team pages:
  - 1% listed named individuals.
  - 9% included photographs.
  - 3% disclosed business units or department labels.
Together, those three elements provide enough context to support most OSINT collection and pretexting activity.
Direct exposure of corporate email addresses (6.2%) and LinkedIn profile links (4.6%) was less common, but still material: 12 companies exposed corporate email addresses directly on team pages, while 9 linked employees to LinkedIn profiles.
The results suggest that public staff visibility is now common among large UK-listed companies, particularly where organisations choose to publish structured team or leadership pages. Extensive employee directories remain less common but are far from rare.
Helpful or harmful?
Public staff visibility is already normal across large organisations. The more useful security question is therefore not whether this information should exist, but whether organisational controls have been designed around the assumption that attackers already use it.
The Verizon 2025 Data Breach Investigations Report found that the human element was involved in around 60% of breaches, broadly consistent with previous years. That figure does not persist because attackers continue to discover new ways to reach people; it persists because organisations still vary in how effectively they prepare employees, verify requests, and implement layered controls around human decision-making.
Operating securely when visibility is unavoidable
None of this requires stripping a website of personality or transparency. The practical question is how to make controls and processes resilient against OSINT-driven attacks. A small number of changes can significantly limit what an attacker can do with that public picture:
- Design security controls on the assumption that attackers already possess detailed OSINT on staff, technologies, and organisational structure.
- Implement strong identity verification for helpdesk and account recovery interactions.
- Deploy phishing-resistant MFA (multifactor authentication) for high-risk roles and privileged accounts.
- Train staff to recognise personalised, OSINT-driven social engineering rather than only generic phishing.
- Use out-of-band verification for sensitive actions such as payment changes, MFA resets, or privileged access requests.
- Regularly audit public-facing assets and staff exposure to understand what attackers can realistically collect.
- Reduce operationally unnecessary exposure where practical, particularly detailed reporting structures and excessive technical disclosure.
Closing thoughts
An attacker does not need a breach to map reporting lines, identify key staff, or build convincing phishing pretexts. In many organisations, much of that groundwork is already publicly available by design.
The question is therefore not whether organisations should have public-facing staff pages. For most modern organisations, some degree of public visibility is inevitable. The real issue is whether security controls, verification processes, and staff training have been built for a world in which attackers can already assemble a detailed picture of the organisation before making first contact.