How attackers automate social media reconnaissance to craft personalized phishing emails in 2026

News

Most phishing training teaches employees to spot suspicious domains and generic urgency language. That worked when attackers were sending mass templates. The attack pattern that’s showing up in 2026 is different.

Here’s the actual sequence:

1. Automated tool scrapes the target’s LinkedIn profile: job title, department, company, work history, last 5 posts
2. Cross-references job postings to identify what internal systems the company uses (companies advertise their tools when they hire)
3. Finds the target’s manager from their listed connections
4. Generates a phishing email referencing something specific — a conference they just attended, a project their department is working on, a holiday relevant to their location
5. Delivers it Tuesday morning at 9am when they’re processing email before the day starts

The email doesn’t have the red flags employees were trained to look for. It has context that lowers their guard instead.

Hoxhunt’s 2026 report documented a 14x surge in AI-generated phishing. Mandiant’s M-Trends 2026 identified vishing as the second most common initial access method. The Drift Protocol attack in April drained $285M using nothing but sustained social engineering, no technical exploits.

Wrote a breakdown of how OSINT phishing simulation works, what attackers are actually pulling from public profiles, and what realistic training against this looks like: https://nexguards.com/blog/what-is-osint-powered-phishing-simulation-how-real-attackers-profile-your-employees

Happy to discuss in comments. Particularly interested if anyone has seen this attack pattern in incident response work.

submitted by /u/medoic