OSINT Threat Simulation for High-Value Targets

Expose what an adversary can learn about your people, then deal with it before someone weaponizes it.


  • Security Leadership and Risk Owners: CISOs, product security, corporate security, and fraud/risk teams responsible for managing human-focused risk across executives, high-access roles, and sensitive business processes. In one recent case, attackers used deepfake video to pose as Arup senior leadership and obtained a fraudulent transfer of approximately $25 million.
  • Organizations Undergoing Change or Heightened Scrutiny: Those experiencing transformation events such as mergers and acquisitions, restructuring, leadership transitions, security incidents, funding rounds, major grant cycles, significant donations, or high-profile product, regulatory, or public disclosures.
  • High-Access and High-Trust Functions: Teams and roles with privileged access, financial authority, or reputational influence, including IT and service desk, cloud and identity administration, finance (accounts payable, treasury, and payment approvers), HR and recruitment, legal, corporate communications, program leadership, and executive assistants. Also, charity leadership, trustees, grant administrators, and teams handling beneficiary or donor data.
  • Asset-holding Individuals and Groups: High-net-worth individuals, family offices, asset managers, and other groups with authority over investment, treasury, or payment workflows outside of traditional corporate structures.
  • Targeted by Recent Threat Activity: Organizations, charities, or asset-holding groups that have experienced deepfake, phishing, or social engineering attempts directed at leaders, trustees, finance/payment functions, or other high-trust roles.

Threat Examples

Deepfakes are synthetic audio or video designed to convincingly imitate a real person’s voice, face, or behavior. In practice, they make it much easier for attackers to impersonate trusted executives, colleagues, or public figures in order to create urgency, exploit authority, and manipulate people into taking action. The core risk is simple: a familiar voice or face is no longer reliable proof of identity, which is why identity verification and deepfake defense have to move out of human judgment and into trusted processes and systems (out-of-band callbacks to known numbers, dual approval for payments, helpdesk verification that does not rely on recognizing a caller).

The following are real-world examples of successful deepfake-enabled social engineering:

  • Attackers used deepfake video to impersonate senior executives of Arup’s Hong Kong office, resulting in a fraudulent transfer of approximately $25 million. This incident illustrates escalation from single-person impersonation to multi-party meeting deception, aimed squarely at functions with payment authority and organizational trust.
  • Criminals used AI-generated voice cloning to impersonate a senior executive from a German parent company and pressured the CEO of a UK-based energy firm into making an urgent supplier payment, resulting in an unauthorized transfer of roughly €220,000. This incident shows how convincing voice impersonation can bypass normal skepticism when it targets high-trust roles and time-sensitive finance workflows.
  • Attackers cloned the voice of a company director and combined it with supporting communications to persuade a bank to move funds, with reports indicating losses of around US$35 million. This illustrates how threat actors can blend deepfake-enabled impersonation with believable business context to defeat verification steps in high-value payment processes.
  • Criminals used AI voice cloning to impersonate Italy’s defense minister (and other officials) while contacting prominent business leaders with an urgent payment request, leading at least one target to transfer nearly €1 million before authorities traced and froze the funds. This incident shows how threat actors are extending deepfake-enabled social engineering beyond traditional corporate chains of command and directly targeting high-asset individuals and their advisors using urgency, authority, and highly credible pretexts.

Controlled exercises produce the same lesson. In one engagement, a deepfake voice impersonating a chief technology officer was used to bypass a helpdesk identity verification process, demonstrating that publicly available video of an executive is sufficient to produce a convincing synthetic voice. The scenario exposed weaknesses in password reset and account recovery procedures and led to practical, documented improvements in verification controls and escalation workflows.

What we do

We replicate realistic reconnaissance against nominated high-value individuals, correlate breach and social data, and construct attacker narratives that demonstrate precisely how a compromise could occur. The assessment is observational only; we do not contact targets or execute live attacks. Deliverables include per-person exposure profiles, plausible attack paths, and clear, practical remediation actions.

IOActive’s OSINT Threat Simulation scope includes:

  • Intelligence Collection: Aggregated from public sources, breach corpora, social platforms, developer ecosystems, and basic infrastructure traces.
  • Threat Modeling: Threat-intelligence-led analysis maps your exposure to likely adversary objectives, pretexts, and attack paths.
  • Scenario Design: Realistic playbooks for spear phishing, vishing, and related pretexts. Optional simulated media (voice or video) is produced with explicit consent. Findings and simulations are confined to the engagement and will not be propagated beyond agreed channels.
  • Risk-Based Remediation: Targeted recommendations for individuals and organizational policies, plus optional training to improve detection and response.

Deliverables

The product of a threat simulation exercise is a series of deliverables that illustrate weaknesses and provide a roadmap for strengthening the organization:

  • Per-individual Exposure & Threat Profile: Evidence-based profiles for each nominated individual that document their digital footprint and explain how it could be exploited (for example, for impersonation, fraud, or access).
  • Narrative Attack Scenarios: Realistic adversary playbooks that illustrate how gathered information could be weaponized, helping leadership and security teams visualize tangible threat paths.
  • Optional Simulated Media: Controlled examples of deepfake voice or video content, produced only with prior explicit consent, for awareness and training purposes.
  • Prioritized Remediation Plan: Actionable recommendations including footprint reduction, data-broker opt-outs, policy and helpdesk process improvements, identity separation, and stronger MFA and recovery controls.
  • Executive Readout and Optional Training: A final briefing tailored for senior stakeholders, with the option of targeted training sessions to reinforce awareness and resilience.

How it works

An exercise follows these steps:

  1. Kickoff and target nomination. After you nominate between five and 25 individuals for the assessment, we will agree upon legal boundaries, consent posture, and reporting audiences prior to starting work.
  2. Collection and exposure mapping. This step includes the compilation of name variants, professional and personal emails, usernames, and social handles. We will also aggregate breach hits, public assets and domains, developer and cloud traces, vendor records, media appearances, and other publicly available exposure.
  3. Threat modeling and scenario development. We analyze exposure through an attacker’s lens and build realistic scenarios aligned to common tactics, techniques, and procedures (TTPs) such as reconnaissance and phishing. We also map likely adversary objectives and plausible attack paths.
  4. Draft profiles and review. We produce per-individual draft profiles with supporting evidence, then review collaboratively with your stakeholders, confirm their accuracy, and agree upon remediation priorities.
  5. Final report, readout, and remediation session. To conclude the exercise, we deliver a consolidated Threat Simulation Report with an executive summary, group themes, prioritized remediation, and appendices. An executive readout and a remediation working session will assist in translating findings into practical actions.
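The collection and exposure-mapping step above (name variants, e-mail and handle permutations, correlation against breach and social data) is the mechanical core of the exercise. The following is an added example that is not IOActive's tooling or the page's own code: it expands one nominated name into candidate identifiers, correlates them against a small breach/social corpus, and emits a per-person exposure profile with a coarse rating. The domain `example-corp.test`, the individual "Ana Rivera", and every corpus record are constructed for the example.

```python
"""Expand a nominated individual's name into e-mail/handle candidates and
correlate them against breach and social data to build an exposure profile.
Added example; the corpus below is invented and stands in for aggregated
breach dumps and social-platform lookups."""
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample records (not real breach data). "fields" lists what
# each record exposed about the identifier.
BREACH_CORPUS = [
    {"identifier": "a.rivera@example-corp.test", "source": "breach-2019",
     "fields": ["email", "password_hash"]},
    {"identifier": "arivera@example-corp.test", "source": "breach-2021",
     "fields": ["email", "password", "phone"]},
    {"identifier": "ana_rivera88", "source": "forum-dump",
     "fields": ["username", "password_hash", "ip"]},
    {"identifier": "b.chen@example-corp.test", "source": "breach-2021",
     "fields": ["email", "password_hash"]},
]

# Constructed social-platform observations keyed by handle.
SOCIAL_CORPUS = [
    {"identifier": "ana_rivera88", "platform": "github"},
    {"identifier": "anarivera", "platform": "linkedin"},
    {"identifier": "ana_rivera88", "platform": "old-photo-site"},
]


@dataclass
class Person:
    full_name: str
    org_domain: str
    known_handles: list = field(default_factory=list)


def _ascii_lower(s):
    """Fold accents and case so 'Ana Ríverá' and 'ana rivera' permute alike."""
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode().lower()


def name_variants(full_name):
    """Common corporate e-mail local-part and username patterns for a name."""
    parts = [re.sub(r"[^a-z]", "", _ascii_lower(p)) for p in full_name.split()]
    parts = [p for p in parts if p]
    if not parts:
        return []
    first, last = parts[0], parts[-1]
    fi, li = first[0], last[0]
    patterns = {first + last, last + first, first + "." + last, first + "_" + last,
                first + "-" + last, fi + last, fi + "." + last, first + li,
                last + fi, last + "." + first, first, last}
    return sorted(patterns)


def candidate_emails(person):
    return [f"{v}@{person.org_domain}" for v in name_variants(person.full_name)]


def build_profile(person, breach_corpus, social_corpus):
    """Correlate candidate identifiers with the corpora and rate the exposure."""
    emails = set(candidate_emails(person))
    handles = set(name_variants(person.full_name)) | {h.lower() for h in person.known_handles}

    social_hits = [r for r in social_corpus if r["identifier"].lower() in handles]
    # A handle confirmed on a platform is a pivot: search breach data for it too.
    handles |= {r["identifier"].lower() for r in social_hits}
    breach_hits = [r for r in breach_corpus if r["identifier"].lower() in emails | handles]

    # Handle reuse across platforms links otherwise separate identities.
    platforms_by_handle = {}
    for r in social_hits:
        platforms_by_handle.setdefault(r["identifier"].lower(), set()).add(r["platform"])
    reused = {h: sorted(p) for h, p in platforms_by_handle.items() if len(p) > 1}

    plaintext_pw = any("password" in r["fields"] for r in breach_hits)
    hashed_pw = any("password_hash" in r["fields"] for r in breach_hits)
    if plaintext_pw:
        rating = "high"        # reusable credential in the clear
    elif hashed_pw or reused:
        rating = "medium"      # crackable hash or cross-platform pivot
    elif breach_hits or social_hits:
        rating = "low"
    else:
        rating = "none"

    return {"person": person.full_name, "candidate_emails": sorted(emails),
            "breach_hits": breach_hits, "social_hits": social_hits,
            "reused_handles": reused, "rating": rating}


if __name__ == "__main__":
    target = Person("Ana Rivera", "example-corp.test", ["ana_rivera88"])
    profile = build_profile(target, BREACH_CORPUS, SOCIAL_CORPUS)
    print(f"{profile['person']}: rating={profile['rating']}, "
          f"{len(profile['breach_hits'])} breach hits, "
          f"{len(profile['social_hits'])} social hits, reused={profile['reused_handles']}")
```

In a real engagement the permutation list would be tuned to the organization's observed e-mail format and the corpora would be the aggregated breach and social sources listed under Collection; the correlation and pivot logic stays the same. The "medium" branch for reused handles is deliberate: a handle shared between a professional profile and an old personal account is often what lets an attacker tie a breach record or a private post to a named executive.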

Outcomes and metrics

This exercise provides the following security benefits, delivered under these engagement assurances:

  • Reduced OSINT exposure: Measurable reduction in each target’s public footprint, including confirmed data-broker removals, social privacy hardening, and minimized personal-data availability.
  • Stronger process controls: Improvements to high-risk business processes commonly targeted by adversaries, such as helpdesk verification, payment approvals, guest account creation, and password recovery workflows.
  • Enhanced detection and response: Faster identification and escalation of social engineering or impersonation attempts, informed by threat scenarios tailored to your environment.
  • Leadership alignment: Clear, evidence-based narratives linking exposure to tangible business impact, driving executive engagement and informed decision-making.
  • Simulation Only: All activities are observational and simulated. No direct engagement is made with targets, and no live attacks are conducted.
  • Controlled Media Use: Any use of simulated voice or facial media requires prior explicit consent, remains fully contained within the exercise, and is never distributed outside the agreed scope.
  • Governance and Compliance: All work is conducted under strict ethical standards and in full accordance with the terms of the Master Services Agreement (MSA) and Statement of Work (SoW).

FAQs

How is this different from traditional “executive protection”?
We focus on digital exposure that enables social engineering, impersonation, and fraud, not physical security. The outcomes translate directly into improvements in policy, process, and personal privacy.

Do you ever contact my executives or vendors?
No. The assessment is entirely observational. We do not phish, call, or otherwise engage with individuals unless a controlled exercise is separately authorized.

Will you create deepfake audio or video?
Only with prior written consent from the individuals involved. Any simulated media is produced strictly for the engagement, remains contained, and is never shared or reused.

What data sources are in scope?
Only publicly available information is used. This includes data from the public web, breach and credential repositories, social networks, developer platforms, media appearances, and basic infrastructure traces linked to named individuals. We do not access non-public or private systems.

What happens after the report?
We can provide support for the implementation of remediation actions to reduce personal digital footprints, harden account and recovery verification paths, strengthen helpdesk and finance workflows, and update training using realistic attacker scenarios.

Additional Resources

Talk to an expert. We will review candidate targets, outline scope and consent, and confirm a pilot plan your leadership will support.