Three ways your website is making it easy for attackers

Posted by Gemma Sirett on January 14, 2020

Cyber attackers are quietly appreciative of businesses across all sectors for making their job easier. With all the information they need to craft their attack laid out neatly in front of them, adversaries only need to join the dots to build the foundations of a credible impersonation attack.

Once they’ve spent a minute or two gathering the information they need, cyber criminals can begin socially engineering their way to the financial details, trade secrets, and customer information you hold.

A quick internet search revealed that large businesses have a tendency to make researching an attack a trivial task for cyber criminals. But what exactly is going wrong?

1. Personal contact details

100% of the websites we checked listed names and email contact details for staff at all levels. No big deal, right? Surely customers want to know who they’re dealing with?

An impersonation attack will only work if it convincingly impersonates an actual person. If your website is advertising the names of your staff – especially VIPs – that’s the first part of the spoofed email address nailed. It will also enable cyber criminals to concoct a realistic email signature.

Corporate email accounts all follow the same pattern, so publishing contact details – even a generic ‘contact@’ email address – gives adversaries the consistent format of the second half of the email address. They can then spoof the domain to make it look almost identical to the genuine article. Add this to the name they’ve identified, and they’ve got a convincing email address that looks like it comes from a genuine person at your company. Simple.

2. LinkedIn profiles and career backgrounds

80% of the sites we surveyed provided detailed career histories and a link to each person’s LinkedIn profile.

Although sparkling credentials add credibility to your business, they also give criminals personal information to work into their attack, to make it more credible and therefore more likely to succeed.

LinkedIn profiles provide the same personal insight, with the added bonus of revealing professional connections. This enables attackers to not only accurately impersonate someone at your company, but also provide background to a relationship with the person their spoofed email is intended for. Hobbies, for example, are listed on many LinkedIn profiles, so it’s not out of the question to presume a quick glance at the target’s profile will give the attacker a friendly, conversational hook to their email, which implies the attacker knows them already. (As a side note, it’s best not to overshare on LinkedIn either, for this very reason.)

3. Named customers

100% of the businesses’ websites we checked revealed their customers to the public – 60% openly listed names and logos, and 40% identified theirs through named testimonials.

It’s not uncommon for businesses to shout about their successes in bagging big-name customers, but it’s also a terrible idea. Advertising these customers effectively paints a tempting target on their backs for cyber criminals. Compromising a FTSE 100 company is no easy task, but breaching one of their suppliers or partners can be comparatively straightforward – especially if their website is generous enough to provide the information highlighted in points 1 and 2.

It’s a trivial task for adversaries to check your senior executive’s LinkedIn profile against your company’s list of customers to see who they’re connected to. All the adversary needs to do then is use the information on your website to spoof the executive’s email address, and get in touch with the known customer contact, requesting invoice payments to be diverted to alternative bank details.

Anatomy of an impersonation attack

To illustrate how easy it is, we've created this example of an email spoofing a law firm, using our research to show where these details are usually found online.

[Image: Anatomy of an impersonation attack – example spoofed email]

This seemingly innocuous information sharing makes a cyber criminal’s job almost too easy. Your website is the face of your business, but which mask does yours wear? Websites flooded with ‘useful’ contact information are prime targets for opportunistic cyber attackers, looking for a quick win. The more difficult your website makes it to spoof your business, the less likely attackers are to try their luck.

Don't make it easy for attackers

Review your website through the eyes of a cyber criminal – try to find all the components you would need to create an accurate spoof of an email address for someone at your company. Chances are it will be easier than you think...

Email is the single biggest attack vector, so as well as paring down the contact and customer information on your website, ensure your business puts preventative measures in place to protect against email-based fraud.