LinkedIn | Threat Intelligence
Social Engineering Readiness Assessment: How Many Employees Overshare on LinkedIn?
March 28, 2025
Outcome
73% of employees found oversharing; 12 critical information leaks identified; company-wide security awareness training deployed.
Background
A defense contractor was preparing for a major government contract bid. The contracting agency required evidence of a social engineering awareness program. The contractor engaged TraxinteL to assess their vulnerability to LinkedIn-based social engineering.
Investigation Methodology
- Employee LinkedIn Census: We identified all employees with LinkedIn profiles and cataloged the information shared: job titles, project descriptions, technology stacks, building locations, and organizational structure details.
- Information Sensitivity Classification: All shared information was classified against the company's information classification policy — identifying content that should not be publicly available.
- Attack Scenario Modeling: We modeled 5 realistic social engineering attack scenarios using only information obtained from employee LinkedIn profiles.
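The sensitivity classification step, as an added example that is not TraxinteL's tooling or code from the original page: it checks profile text supplied as input against policy rules and reports who is oversharing and who needs individual follow-up. The rule patterns, the code-name watchlist, the severity labels and the sample profiles are constructed assumptions; a real run would take its terms from the company's own classification policy.

```python
import re
from dataclasses import dataclass

# Constructed policy rules: category -> (severity, pattern). The code-name
# watchlist is a placeholder; the real one comes from the company's policy.
CODE_NAMES = ["PROJECT EXAMPLE-ALPHA", "EXAMPLE-BRAVO"]
RULES = {
    "clearance_level": ("critical", re.compile(
        r"\b(top secret|ts/sci|secret clearance|security clearance)\b", re.I)),
    "project_code_name": ("critical", re.compile(
        "|".join(re.escape(n) for n in CODE_NAMES), re.I)),
    # Keyword is case-insensitive, but the identifier must be a number or a
    # single capital letter, so "building APIs" is not flagged.
    "building_location": ("high", re.compile(
        r"\b(?i:building|bldg\.?|campus|site)\s+(?:[A-Z]\b|\d+[A-Z]?\b)")),
    "org_structure": ("medium", re.compile(
        r"\b(report(s|ing)? to|direct reports?|team of \d+)\b", re.I)),
}

@dataclass
class Finding:
    employee: str
    category: str
    severity: str
    excerpt: str

def classify(employee, text):
    """Return one Finding per policy-rule match in a profile's text."""
    return [Finding(employee, category, severity, m.group(0))
            for category, (severity, pattern) in RULES.items()
            for m in pattern.finditer(text)]

def summarize(profiles):
    """Aggregate findings into the figures a readiness report needs."""
    findings = [f for name, text in profiles.items()
                for f in classify(name, text)]
    flagged = {f.employee for f in findings}
    critical = sorted({f.employee for f in findings if f.severity == "critical"})
    return {"oversharing_rate": len(flagged) / len(profiles),
            "critical_employees": critical, "findings": findings}

# Constructed sample profiles (pseudonymous IDs, invented text).
SAMPLE = {
    "employee-001": "Systems engineer on PROJECT EXAMPLE-ALPHA, based in Building 7. Active TS/SCI.",
    "employee-002": "Lead a team of 12 and report to the VP of Engineering.",
    "employee-003": "Software engineer building APIs for internal tooling.",
    "employee-004": "Program analyst supporting logistics.",
}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Keying findings by pseudonymous ID keeps the aggregate report separate from the list used for individual follow-up.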
Key Findings
- 73% of employees shared job titles and project descriptions specific enough to map the company's internal organizational structure.
- 12 employees shared information about classified or sensitive projects in their LinkedIn experience descriptions, including code names and technology specifications.
- From LinkedIn data alone, we were able to construct the company's complete reporting hierarchy, identify the security team by name, and determine which buildings housed which programs.
- 5 employees listed their security clearance levels on their profiles.
Outcome
A company-wide LinkedIn security policy was established. Mandatory training was deployed to all employees. The 12 critical information leaks were addressed through individual meetings. The government contract bid included the assessment results as evidence of the security awareness program. Total investigation time: 3 weeks.