The Case for Corporate (Human) Honeypots

Normally finding clearly fake profiles for a business is a huge red flag - the area of sketchy 5 star reviews and effusive praise for sushi restaurants in Kansas. However, creating fake profiles designed to draw in cybercriminals (particularly BEC actors) can be an effective strategy for corporate security teams.

Typically honeypots are systems designed to look legitimate (and appealing) to an attacker, while actually containing no sensitive data or access to the environment. This allows security teams to draw in attackers, observe their behavior, and shore up their defenses. It's much easier to monitor a fake system for abnormal activity (since there's no legitimate activity that would hide the malicious) than a real system which can behave more unpredictably. While these can be effective, in recent years, there's been a significant uptick in social engineering attacks in an attempt to evade technical controls, and these types of traditional honeypots aren't effective at detecting these attacks.

However, human honeypots can help. Since many threat actors do their research on who to target via third party data collection sites (which often scrape LinkedIn), LinkedIn itself, or the organization's corporate website, by planting fake data on these sites, you can attract threat actors to your honeypot. Many threat actors will either develop their targeting lists from these sites or reach out to employees directly on the social media sites. A simple human honeypot is relatively easy to create and can provide high quality alerts of malicious activity before real users have been impacted.

You can start with a fake Linkedin profile attached to a corporate email address that silently forwards all requests to the security team (easy to set up if you work for the organization's security team). This profile probably won't be sophisticated enough to fool nation-state actors which may look closely at the fake persona and attempt to confirm details via other social media sites or government records, but its a great way to attract BEC or targeted phishing attempts.

Ideally, you would start with a finance, sales, and/or IT persona (potentially with the addition of a fake engineer, developer, or designer, depending on whether or not you anticipate being the target of espionage or intellectual property theft).

Additionally, the idea of a fake executive is very interesting, but presents its own issues, such as being relatively difficult to pull off  (executives typically have a very public presence, which is difficult for a fake person to have) or potentially misleading investors if the organization is publicly traded.

A simple honey pot would start with the following:

  • Fake LinkedIn profile with a name from and a photo from a stock photo site, a site like, or an un-posted photo from a friend (since the first thing any good attacker will do is reverse image search the photo).
  • Fill out the LinkedIn profile with a few roles (ideally different roles at your organization), some education, volunteer experience, interests, etc. It should look as close to a real person as possible. Then, it should be allowed to 'age' for a few weeks/months, as you login occasionally and provide it with typical activity (liking and sharing posts, sending and accepting connection requests, etc.) .
  • Solicit connections. Reach out first to other people who list the same employer. Then expand a little - external recruiters are often a great resource as they'll typically accept almost any connection request, as will others with the same alumni network or similar interests.
  • Connect the account to a real email address at your organization that is either immediately forwarded to the security team, or is a shared inbox that security team members have access to.

Now, sit back and wait for the connections to roll in. You'll likely start to see BEC attempts, phishing lures, and suspicious connection requests you can action before (or at the same time) as the attackers are reaching out to real employees.

Want a slightly more advanced honeypot?

  • Add typical contact information to sales lead/data amalgamation databases for your honeypot.
  • Add a basic corporate directory entry if that information is public (or include your honeypot on your corporate website).
  • Turn the honeypot into a fully fledged sock puppet with other social media accounts and activity.
  • Post enticing messages/posts on your profile which may attract an attacker (such as mentioning rolling out a new (fake) payroll system).
  • Add an unprivileged AD account for the user, as long as you can also add constant monitoring for any usage or changes.

While human honeypots can be extremely valuable tools to identify threat actors targeting your organization, they do carry their own risks. Creating fake personas can violate terms of service for some social media platforms and any honeypots created to represent your organization should be approved by leadership teams. Additionally, the profiles should never be used to artificially inflate employee satisfaction or manipulate the organization's appearance either to external or internal audiences.

Happy hunting!

Show Comments
As seen in: