AI-Enabled Social Engineering: What Attackers Can Do With Publicly Available Information
The time cost of personalised social engineering has historically been a limiting factor in how many targeted attacks any single attacker could run. Researching a target, drafting a convincing personalised email, and adapting it to the specific context of the person's role and relationships took time. That time constraint kept sophisticated, personalised attacks limited to high-value targets where the effort was worth the return. AI tools have largely removed that constraint, and the implications for how organisations need to think about social engineering risk are significant.
Generating a convincing, personalised spear phishing email using publicly available information now takes minutes rather than hours. A LinkedIn profile, a company website, and a handful of social media posts provide enough material to produce an email that references the target's role, their manager's name, a current project, a recent company announcement, and the appropriate internal terminology. At scale, this means sophisticated personalised attacks are no longer limited to high-value targets. Any staff member with a public profile is now a viable target for a contextualised attack.
What Attackers Can Extract From Public Sources
The starting point is professional networking profiles, which typically provide name, job title, employer, reporting structure, colleagues, career history, skills and tools used, and sometimes project names or client references. A company website adds office locations, key personnel, service descriptions, recent news, and sometimes client lists or case studies. Social media adds personal context: interests, travel, family references, and social connections that can be used to build rapport or impersonate someone the target knows.
Public financial filings, tender documents, planning applications, and media coverage add industry and organisational context that makes impersonation more convincing. A phishing email that references a specific procurement process currently underway, uses the name of a genuine counterparty, and arrives at the right point in the expected timeline is significantly harder to identify as fraudulent than a generic email about an unexpected invoice. AI tools can synthesise material from multiple public sources into a single coherent and contextualised communication far more efficiently than a human researcher working manually.
Personalised Phone Call Scripts and Vishing
AI-enabled social engineering is not limited to email. The same publicly available information can be used to generate phone call scripts that are contextually convincing. A caller who knows the target's name, role, manager, and the internal project they are currently working on can build immediate credibility in a phone conversation. Adding voice synthesis that can approximate the voice of someone the target knows, or a sufficiently authoritative tone, makes the phone vector a serious and growing attack surface.
We cover vishing as a related attack pattern in more detail elsewhere, but the AI component is worth noting specifically here: the quality of personalised phone attack scripts that can be generated from open-source research has increased substantially. The traditional defence of being sceptical of unsolicited callers asking for sensitive information remains valid, but the signals that previously indicated an illegitimate call (unfamiliarity with the organisation's context, generic framing, poor quality language) are now much less reliable as the AI-generated content quality improves.
What This Means for Awareness Training
The implication for security awareness training is that generic phishing awareness is less sufficient than it used to be. Telling people to look for spelling errors and generic greetings as signals of a phishing email was already a partial defence. Against AI-generated content that is grammatically correct, contextually accurate, and personalised, it provides even less protection. Training needs to shift emphasis toward verification habits and process controls that do not depend on the target identifying the attack based on content quality.
The training conversation also needs to include a discussion of what staff share publicly. Many people do not think about their professional profiles as attack-enabling information. Understanding that the level of contextual detail in a LinkedIn profile directly reduces the attacker's research burden changes how people think about what they post and what they share. This is not about eliminating public profiles. It is about making thoughtful decisions about the level of operational detail that appears in public-facing professional content, and understanding that project names, client names, and tool references all provide useful material to a motivated attacker.
The Reduced Signal Quality Problem
One of the most practically significant consequences of AI-enabled social engineering is that the signals traditionally used to identify attacks are becoming less reliable. Grammar and spelling quality, contextual accuracy, appropriate tone, and plausible scenario framing were all indicators that distinguished sophisticated from amateur attacks. AI tools narrow the quality gap significantly. This means that organisations cannot rely on their staff being able to identify attacks based on these signals, and that training based primarily on signal recognition needs to be supplemented by verification habits that work regardless of how convincing the communication appears.
- AI tools allow attackers to generate contextualised, personalised social engineering content at scale from public sources.
- Professional profiles, company websites, and social media provide sufficient material for convincing spear phishing.
- AI-generated phone call scripts make vishing more contextually convincing than before.
- Traditional signal-based detection (grammar, generic framing) is becoming less reliable.
- Training needs to emphasise verification habits over content quality assessment.
- Staff should understand that their public profiles provide research material for attackers.
Cyberlinx helps organisations understand and train against the changing social engineering threat landscape, including AI-enabled attack techniques. Contact us at info@cyberlinx.com.au to discuss how your programme should be adapting.
Related Articles







