    What Is OSINT-Powered Phishing Simulation? How Real Attackers Profile Your Employees

    Apr 14, 2026 · 6 min read

    Before a skilled attacker sends you a phishing email, they do their homework.

    They find your LinkedIn profile. They read your recent posts. They note your job title and department. They check who your manager is. They look at any conferences you attended or industry events you mentioned. They identify your company's current projects from press releases or public announcements. If your city is observing a major holiday, they factor that in.

    Then they write an email that references something specific to you. Not a generic "your account has been compromised" template. Something that sounds like it came from a colleague, a vendor you work with, or a recruiter who actually knows your background.

    This is OSINT-powered phishing. And platforms like NexGuards replicate this process automatically to test whether your employees can resist it before a real attacker tries.


    What OSINT Means

    OSINT stands for Open Source Intelligence. It refers to information gathered from publicly available sources: social media profiles, company websites, LinkedIn, job postings, press releases, conference speaker lists, data breach databases, and anything else accessible without unauthorized access.

    In the context of social engineering and phishing, OSINT is the reconnaissance phase. Before launching an attack, the adversary builds a profile of the target using information the target has made publicly available, often without realizing how much they have revealed.

    The key point is that employees typically do not think of their LinkedIn profile as a security risk. They are building their professional brand. They are sharing industry insights. They are congratulating colleagues. Each of those activities produces data an attacker can use to craft a credible, personalized approach.


    What Real Attackers Actually Look For

    LinkedIn is the richest single source for most professional targets. A typical LinkedIn profile tells an attacker:

    • The target's exact job title and seniority level
    • Their company and department
    • Their reporting structure (connections with managers and executives)
    • Their work history, including previous companies and how long they stayed
    • Skills and certifications they have highlighted
    • Recent posts they published, including what topics they care about
    • Reactions and comments on colleagues' posts, revealing relationships
    • Events they have mentioned attending or speaking at

    Beyond LinkedIn, attackers look at the company's public website for team pages, department names, and recent announcements. They check press releases for partnership announcements, contract wins, or executive changes. They review job postings to understand what systems and technologies the company uses. They search breach databases for the employee's email address and any previously leaked credentials.

    Contextual timing adds another layer. An attacker targeting a Dubai-based finance team during Ramadan knows that wire transfer requests are common before Eid celebrations. An attacker targeting a US logistics company after Thanksgiving knows that year-end inventory reconciliation is underway. These details make the attack feel urgent and contextually appropriate.


    How OSINT Phishing Differs from Template-Based Phishing

    A template-based phishing simulation picks a scenario from a library. "Your account password is expiring." "You have a shared document waiting for your review." "There is a package delivery exception for your address."

    These work to a degree. Employees who have never been tested can still click a clumsy generic template. But as organizations run more simulations, employees get better at recognizing the patterns. They learn to look for the usual red flags in the usual places.

    OSINT-powered phishing does not follow those patterns. The email arrives with context the employee recognizes as real. Their first reaction is "this is relevant to me," not "this looks like a test."

    The practical difference in click rates between a generic template and a well-constructed OSINT-based phishing email is not incremental. Organizations that have run both types of simulations typically see significantly higher failure rates on the personalized tests, even among employees who have passed multiple rounds of template-based testing. The employees thought they were trained. They were not trained for this.


    The OSINT Workflow Inside NexGuards

    NexGuards automates the same reconnaissance process a real attacker would run, at scale, for every employee in the simulation campaign.

    Before generating a phishing email, NexGuards collects:

    1. The employee's online presence and profiles: full text content, role, department, work history, skills, and recent social media posts they published
    2. The employee's job title and department from the organization's own data
    3. The company name and sector
    4. Contextual events: holidays relevant to the employee's location, industry calendar events, and any organization-specific dates the administrator has flagged

    The AI then generates a phishing email that incorporates this data. The email might reference a conference the employee recently mentioned attending, a skill set they listed, a colleague they work with, or an industry trend relevant to their stated expertise. It is written to feel like it came from someone who knows the employee's professional world.

    The email is different for every employee, generated specifically for them. No two employees in the same organization receive the same phishing simulation.

    For voice and SMS attacks, the same contextual data informs the script. For fake video meetings on Google Meet, Zoom, or Microsoft Teams, a cloned version of an executive's voice is used in the call, making the scenario credible before the employee has any reason to be suspicious.


    Why This Matters for Your Security Program

    Most security awareness programs measure themselves by asking: "What percentage of our employees clicked a phishing email last quarter?"

    The more important question is: "What percentage of our employees can resist a targeted phishing attack built from their public data?"

    These are different questions with different answers.

    An employee who has passed three rounds of template-based phishing tests may still be highly vulnerable to an OSINT-personalized attack. The templates trained them to spot certain patterns. The personalized attack does not follow those patterns.

    OSINT-based simulation gives you an honest measurement of where your people actually stand against the attacks that well-resourced adversaries run. That measurement is more useful to a CISO than a high pass rate on easy tests.


    The State of OSINT-Powered Attacks in 2026

    The April 2026 Drift Protocol attack demonstrates how far targeted social engineering has advanced. North Korea's threat actors spent six months building profiles of specific multisig signers, understanding their relationships, their communication patterns, and their decision authority. Then they executed a social engineering campaign that led to $285 million being drained in twelve minutes. The attack was built entirely on the kind of reconnaissance that OSINT makes possible.

    The March 2026 Axios npm supply chain attack began with the compromise of a package maintainer's account, likely through social engineering or credential phishing targeted at a specific individual based on their public developer profile.

    These are not cases of generic phishing emails going to bulk mailing lists. They are targeted campaigns built on information the targets had published publicly.

    The same methodology targets employees at financial services firms, healthcare organizations, legal practices, and any other business where individuals hold access to valuable systems or decision-making authority. The sophistication of the attack scales with the value of the target.


    What OSINT-Based Testing Reveals

    Running OSINT-powered phishing simulations typically reveals three things organizations do not know about themselves:

    Which employees are most exposed: The employees who post frequently, have a detailed online presence, and are active in industry communities are often the most vulnerable to targeted attacks. Their visibility is a professional asset that also makes them high-priority targets.

    Which roles are highest risk: Finance, HR, executive assistants, and IT administrators are consistently the most targeted roles in real attacks. OSINT-based simulations show whether your highest-risk employees are your most resilient.

    Whether your current training is effective against real threats: Employees who pass generic template tests regularly can still fail OSINT-personalized tests badly. If that is true at your organization, your training program is measuring the wrong thing.
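    As an added example (not code from the NexGuards platform or this post), the check below takes constructed simulation results for a handful of employees and computes per-role failure rates for template versus OSINT campaigns, flags roles where the gap exceeds a threshold, and lists employees who passed every template round but failed the personalized test. The record format, field names, and sample values are assumptions.

```python
from collections import defaultdict


def _rec(emp, role, campaign, failed):
    """Build one result record (assumed schema, not the platform's own)."""
    return {"employee": emp, "role": role, "campaign": campaign, "failed": failed}


# Constructed sample data: each employee ran two template rounds and one
# OSINT-personalized round. "failed" means clicked, replied, or submitted.
RESULTS = [
    _rec("e1", "Finance", "template", False), _rec("e1", "Finance", "template", False),
    _rec("e1", "Finance", "osint", True),
    _rec("e2", "Finance", "template", False), _rec("e2", "Finance", "template", True),
    _rec("e2", "Finance", "osint", True),
    _rec("e3", "IT", "template", False), _rec("e3", "IT", "template", False),
    _rec("e3", "IT", "osint", False),
    _rec("e4", "IT", "template", True), _rec("e4", "IT", "template", False),
    _rec("e4", "IT", "osint", True),
]


def failure_rates(results):
    """Return {role: {campaign: failure_rate}} aggregated over all records."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [failed, total]
    for r in results:
        c = counts[r["role"]][r["campaign"]]
        c[1] += 1
        c[0] += int(r["failed"])
    return {role: {camp: f / t for camp, (f, t) in camps.items()}
            for role, camps in counts.items()}


def training_gaps(results, min_gap=0.3):
    """Roles whose OSINT failure rate exceeds the template rate by >= min_gap."""
    gaps = {}
    for role, camps in failure_rates(results).items():
        if "template" in camps and "osint" in camps:
            gap = camps["osint"] - camps["template"]
            if gap >= min_gap:
                gaps[role] = round(gap, 2)
    return gaps


def trained_but_exposed(results):
    """Employees who passed every template round yet failed an OSINT round."""
    passed, failed_tpl, failed_osint = set(), set(), set()
    for r in results:
        if r["campaign"] == "template":
            (failed_tpl if r["failed"] else passed).add(r["employee"])
        elif r["campaign"] == "osint" and r["failed"]:
            failed_osint.add(r["employee"])
    return sorted((passed - failed_tpl) & failed_osint)
```

    On the sample data, Finance shows a 0.75 gap between the two campaign types and employee e1 is the one who looked trained on templates but failed the personalized test.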


    Getting Started

    Running OSINT-powered phishing simulations does not require a red team or specialized security expertise. Platforms like NexGuards automate the reconnaissance, simulation generation, and post-click training in a single workflow. You onboard the employee list; the platform scrapes the relevant public data, generates personalized simulations, runs the campaign, and delivers immediate contextual training to every employee who fails.

    The result is a realistic measurement of your organization's actual resilience against targeted attacks, and a training program that closes the gaps the measurement reveals.


    NexGuards is a cybersecurity awareness and phishing simulation platform that uses OSINT to generate personalized simulations for every employee. To see how your employees' public data looks to an attacker, contact the NexGuards team for a live demonstration.


    Sources used in this article:

    • The Hacker News, April 2026: Drift Protocol $285M social engineering attack
    • Palo Alto Networks Unit 42: Axios supply chain attack, March 2026
    • Hoxhunt 2026 Phishing Trends Report: AI phishing surge data
    • Mandiant M-Trends 2026: initial access methods