Open-Source Intelligence Guide to Emerging Internet Threats
Introduction
Cyber threats evolve rapidly, with criminals constantly exploiting new technologies and platforms. In recent years, internet-based scams and fraud schemes have grown in frequency and sophistication – global scam losses surpassed $1 trillion in 2024 according to the Global Anti-Scam Alliance. Many of these threats are emerging tactics that have not yet been formally identified by authorities. This guide provides a comprehensive, tactical approach for using Open-Source Intelligence (OSINT) to discover and investigate such novel threats. We focus on new social engineering ploys, abuse of freshly launched platforms or features, AI-generated scams, synthetic identity fraud, and other tech-enabled fraud schemes, while excluding extremism or misinformation. The aim is to equip OSINT professionals with clear, repeatable workflows to identify and track these threats using publicly available information.
OSINT and Emerging Threats: OSINT – gathering intelligence from public sources – is uniquely suited to spotting new dangers before they become widely known. By monitoring open platforms, social media, forums, and other data, an investigator can catch early warning signs of novel scams. Today’s fraudsters often leave digital traces: a suspicious social media profile, an unusual website, a leaked conversation, or repeated victim reports. The following sections break down major categories of emerging online threats and explain step-by-step investigative strategies in plain language. Each section outlines the nature of the threat, the OSINT tools and techniques useful for discovery, and practical workflows to investigate cases in the real world. All strategies prioritize evidence-based analysis over speculation, employing a professional and analytical tone throughout.
Novel Social Engineering Tactics
Social engineering – tricking people through deception – is an age-old threat, but it’s entering a new era. Criminals are adopting novel tactics and leveraging technology to make their scams more convincing than ever. Organizations saw a 50% increase in attacks involving AI-generated deepfakes (fabricated audio/video) and highly personalized phishing. Over 90% of cyber threats now involve some form of social engineering. Unlike the crude email scams of decades past, modern perpetrators may impersonate CEOs in live video calls or clone a loved one’s voice to demand money. One alarming example is “zishing,” a phishing scam conducted over Zoom or video calls using deepfake video/voice to pose as someone trusted. Such techniques play on human trust in new ways, catching victims off-guard before defenses exist.
The first step for an investigator is knowing these tactics are out there. OSINT professionals stay alert by monitoring cybersecurity news (e.g. FBI or IC3 bulletins at https://www.ic3.gov/), threat reports, and even social media chatter for mentions of unusual scam methods. Reports of fake video conference calls or AI voice scams can be found by searching news articles or community forums (like Reddit’s r/scams). Networking with other investigators and following industry feeds (e.g. via LinkedIn or Twitter) also helps surface emerging social engineering ploys. Setting up Google Alerts (https://www.google.com/alerts) for keywords such as “deepfake scam” or “voice cloning fraud” can automatically flag new cases as they arise.
Once a novel social engineering scam is suspected, a structured OSINT investigation can uncover the scope and perpetrators. Collect any available evidence of the scam attempt. This could be emails, direct messages, call recordings, screenshots of video calls, or chat logs. Save copies offline to preserve metadata. For example, if the scam is an email, preserve the full headers and content; if it’s a deepfake video call, try to record it or note distinguishing details. These details will guide your investigation.
Social engineers often impersonate real people or organizations. Use OSINT to verify if the person or entity contacting the victim is genuine. For instance, if you receive a video call from someone claiming to be a CEO, cross-check through another channel – call the known official number of that CEO’s office, or contact them via a verified method. On the OSINT side, search the person’s name and title on LinkedIn or the official company website to see if the real person was likely to make that call.
Look at the scam content critically using open-source tools. For emails or messages, analyze the writing style: is it too perfect, or slightly off for the purported sender? If investigating a voice recording, consider using a free voice analysis tool or simple waveform inspection to see if the audio has unnatural characteristics. For videos, free tools like InVID (https://www.invid-project.eu/tools/) can break a video into key frames for analysis. Perform a reverse image search on video frames via Google Images or TinEye (https://tineye.com/) to check if the video was doctored from existing footage. Watch for visual artifacts.
If you have a hook – such as an email address, phone number, username, or domain involved in the scam – pivot your OSINT search to these indicators. For example, a fraudulent Zoom call invite might have come via a certain email; search that email address online to see if it’s mentioned on scam reporting websites or social media. Phone numbers used in voice scams can be looked up on public phone directories or scam call report databases. Usernames or aliases can be searched across platforms using tools like WhatsMyName or Google.
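As an added illustration (not part of the original guide), the sketch below pulls searchable pivots out of a preserved raw email: it undoes common defanging, extracts addresses, URLs, phone numbers and relay IPs, and flags a Reply-To domain that differs from the From domain. The sample message and every name in it are constructed placeholders, and the code assumes a single-part plain-text message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample evidence (not from a real case); all names are placeholders.
RAW_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.victim.example with ESMTP; Mon, 03 Mar 2025 09:12:44 +0000
From: "CEO Office" <ceo@corp.example>
Reply-To: payments@corp-example.test
Subject: Urgent video call
Content-Type: text/plain

Join hxxps://meet.corp-example[.]test/j/4821 now or call +1 202-555-0147.
Questions: helpdesk[at]corp-example[.]test
"""

def refang(text):
    """Undo common defanging (hxxp, [.], [at]) so indicators can be matched."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    return re.sub(r"\[at\]|\(at\)", "@", text, flags=re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def extract_indicators(raw):
    """Return searchable pivots from a preserved raw email (headers + body)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    body = refang(msg.get_payload())  # assumes a single-part text message
    emails = set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", body))
    urls = set(re.findall(r"https?://[^\s<>\"]+", body))
    phones = set(re.findall(r"\+\d[\d\s().-]{7,}\d", body))
    domains = {u.split("/")[2].lower() for u in urls}
    domains |= {domain_of(a) for a in emails | {reply_to} if a}
    # Relay IPs appear in square brackets inside Received headers.
    received = " ".join(msg.get_all("Received", []))
    relay_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    return {
        "from": sender.lower(),
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != domain_of(sender),
        "emails": sorted(emails), "urls": sorted(urls), "phones": sorted(phones),
        "domains": sorted(domains), "relay_ips": relay_ips,
    }

if __name__ == "__main__":
    for key, value in extract_indicators(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Each value in the result is a candidate search term for scam-report sites, phone lookup databases and username tools.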
Use open forums and databases: search on communities like Reddit, Twitter, or specialized scam forums for keywords related to the scam. Searching “deepfake voice scam CEO money transfer” may turn up news of previous incidents. Law enforcement press releases or financial regulator warnings can also provide leads and indicators to look for.
Determine how widespread the threat is. Is this a one-off targeting a single individual, or are there signs of a broader campaign? Indicators of a larger scam include multiple reports of similar approaches, reuse of the same deepfake assets or scripts, or chatter among cybercriminal communities about a “successful new method.” Document your findings and report them to appropriate channels. Providing concrete evidence (recordings, transcripts, OSINT links) lends credibility. Early reporting can also prompt tech platforms or law enforcement to take action before the scam proliferates.
Throughout these steps, maintain an impartial, analytical stance. Even the most convincing deepfake or AI-assisted deception often leaves footprints that open-source research can uncover.
Abuse of New Platforms and Features
Wherever users flock, scammers follow. When a new social media platform or online service launches, bad actors waste no time figuring out how to exploit it. The lack of established security checks and user awareness in early stages makes new platforms a goldmine for fraud. For example, when Meta launched its Threads microblogging app, security experts immediately warned that impostors and phishers would target the user base. Scammers might create fake profiles impersonating platform officials or popular figures to gain trust and trick users into divulging information.
Staying ahead of such abuse requires continuous monitoring of the digital landscape. An OSINT investigator should track trending platforms and features via tech news sites and developer announcements. As a platform gains rapid popularity, anticipate that scams will surface there. A practical OSINT approach is to proactively join or observe activity on the new platform as soon as possible – not to engage in any deceptive behavior, but to look out for telltale signs of abuse. On a new social network, search for keywords like “giveaway,” “free,” “support,” or “admin” among user profiles – scammers often use these to lure victims. Use the platform’s search function or API if available.
Monitor online discussions about the platform on external sites – early adopters often discuss scams they encounter on Twitter, Reddit, or community forums. Within weeks of Threads’ debut, users on Reddit’s r/CryptoCurrency warned of impersonation scams where attackers pretended to be famous crypto personalities on Threads to promote fake investments. These community flags are invaluable OSINT signals of new fraud activity.
When you suspect that criminals are exploiting a new platform or feature, use OSINT methods to map out what’s happening and who is responsible. Start by examining the suspicious profiles or accounts on the platform. If a profile claims to be a support representative or a celebrity but something seems off, dig deeper. Check the profile’s creation date. Look at their posting history. Also, see if the profile name or content appears copied from an authentic source. Scammers frequently clone profiles by stealing avatars and bios from real accounts.
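The profile checks above, together with the lure keywords mentioned earlier, can be combined into a simple triage score. This is an added example, not part of the original guide: the profile records, field names and thresholds are constructed assumptions, and `reference` stands for an account the investigator has already verified as authentic.

```python
import unicodedata
from datetime import date
from difflib import SequenceMatcher

LURE_WORDS = ("giveaway", "free", "support", "admin")  # keywords named in the guide

# Constructed sample data; handles, names and dates are placeholders.
REFERENCE = {"handle": "acme_wallet", "name": "Acme Wallet", "created": date(2023, 7, 6),
             "bio": "Official account of Acme Wallet. We never DM first."}
SUSPECTS = [
    {"handle": "acme_wallet_support", "name": "Acme Wallét", "created": date(2025, 3, 1),
     "bio": "Official account of Acme Wallet. We never DM first!"},
    {"handle": "birdwatcher42", "name": "Sam", "created": date(2023, 8, 2),
     "bio": "Photos of birds and hiking trails."},
]
TODAY = date(2025, 3, 10)

def normalize(s):
    """Fold case, accents and punctuation so look-alike strings compare equal."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return "".join(ch for ch in s.lower() if ch.isalnum())

def similarity(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def triage(profile, reference, today, new_days=30, clone_threshold=0.85):
    """Return (score, reasons) for one suspect profile against a verified one."""
    reasons = []
    text = f"{profile['handle']} {profile['name']} {profile['bio']}".lower()
    hits = [w for w in LURE_WORDS if w in text]  # substring match: expect false positives
    if hits:
        reasons.append("lure keywords: " + ", ".join(hits))
    age = (today - profile["created"]).days
    if age <= new_days:
        reasons.append(f"account is {age} days old")
    if profile["handle"] != reference["handle"]:
        if similarity(profile["name"], reference["name"]) >= clone_threshold:
            reasons.append("display name copies verified account")
        if similarity(profile["bio"], reference["bio"]) >= clone_threshold:
            reasons.append("bio copies verified account")
    return len(reasons), reasons

if __name__ == "__main__":
    for p in SUSPECTS:
        print(p["handle"], triage(p, REFERENCE, TODAY))
```

A high score is a reason to look closer at the account, not proof of fraud; the reasons list is what belongs in the case notes.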
Many new platforms are mobile-only or closed ecosystems, but scammers operating there may still leave a footprint on the open web. They might use external websites or links as part of their scheme. If you encounter a suspicious link or domain in messages on the platform, investigate it with standard OSINT tools: do a WHOIS lookup on the domain to see when it was registered and by whom. Search the domain on threat intel databases like VirusTotal or URLVoid to see if it’s flagged as malicious.
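An added example, not from the original guide, of reading a domain's registration record. It uses RDAP, the JSON successor to WHOIS, instead of WHOIS text, and works on a constructed response embedded inline so it runs offline; the domain, registrar and 30-day threshold are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 layout); all values are placeholders.
RDAP_JSON = """
{"objectClassName": "domain", "ldhName": "acme-claim.example",
 "events": [{"eventAction": "registration", "eventDate": "2025-03-01T10:15:00Z"},
            {"eventAction": "expiration", "eventDate": "2026-03-01T10:15:00Z"}],
 "entities": [{"roles": ["registrar"],
               "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                        ["fn", {}, "text", "Example Registrar LLC"]]]}],
 "nameservers": [{"ldhName": "NS1.DNS.EXAMPLE"}, {"ldhName": "ns2.dns.example"}]}
"""

def vcard_name(entity):
    """Return the 'fn' (formatted name) value from an entity's jCard, if present."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None

def summarize_rdap(raw, now, recent_days=30):
    """Reduce an RDAP domain object to the facts an investigator records."""
    data = json.loads(raw)
    events = {e["eventAction"]: e["eventDate"] for e in data.get("events", [])}
    registered = None
    if "registration" in events:
        registered = datetime.fromisoformat(events["registration"].replace("Z", "+00:00"))
    age = (now - registered).days if registered else None
    by_role = {}
    for ent in data.get("entities", []):
        for role in ent.get("roles", []):
            by_role[role] = vcard_name(ent)
    return {
        "domain": data.get("ldhName", "").lower(),
        "age_days": age,
        "recently_registered": age is not None and age <= recent_days,
        "registrar": by_role.get("registrar"),
        # Registrant data is often redacted or absent; record that rather than guess.
        "registrant": by_role.get("registrant", "not published"),
        "nameservers": sorted(n["ldhName"].lower() for n in data.get("nameservers", [])),
    }

if __name__ == "__main__":
    print(summarize_rdap(RDAP_JSON, datetime(2025, 3, 10, tzinfo=timezone.utc)))
```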
Often, scammers pivot between platforms. They might use one platform to contact victims and another to collect information or money. Use OSINT to follow this trail. Suppose a scammer on a new app directs users to Telegram or WhatsApp. Investigating these connected accounts is crucial. If they give a cryptocurrency address for payment, paste that address into a blockchain explorer to see if it’s associated with known scam tags.
Use platform-specific OSINT tools to pull a set of suspect posts or accounts for analysis. Even without coding, tools like Snowflake (for Mastodon) or advanced search websites may be available. Build a dataset: a list of the user accounts involved, the content of their posts or messages, and any relationships between them. This transforms disparate OSINT findings into a coherent picture of the threat.
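One way to turn such a dataset into relationships, shown as an added example that is not part of the original guide: accounts that share a link domain, an off-platform contact or a payment address are merged into one cluster, including through chains of shared indicators. The observation format and all account names and values are constructed placeholders.

```python
from collections import defaultdict

# Constructed observations: (account, indicator type, value). All values are placeholders.
OBSERVATIONS = [
    ("newapp:@acme_support1", "domain", "Acme-Claim.example"),
    ("newapp:@acme_helpdesk", "domain", "acme-claim.example"),
    ("newapp:@acme_helpdesk", "telegram", "@acme_agent"),
    ("newapp:@promo_star", "telegram", "@acme_agent"),
    ("newapp:@promo_star", "wallet", "WALLET-PLACEHOLDER-1"),
    ("newapp:@daily_deals", "domain", "deals.example"),
]

def cluster_accounts(observations):
    """Group accounts that share any indicator, directly or through a chain."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    by_indicator = defaultdict(set)
    for account, kind, value in observations:
        find(account)
        # Only domains are case-insensitive; wallet addresses and handles may not be.
        key = value.lower() if kind == "domain" else value
        by_indicator[(kind, key)].add(account)
    for accounts in by_indicator.values():
        first, *rest = sorted(accounts)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(lambda: {"accounts": set(), "shared": set()})
    for (kind, value), accounts in by_indicator.items():
        root = find(next(iter(accounts)))
        clusters[root]["accounts"] |= accounts
        if len(accounts) > 1:
            clusters[root]["shared"].add(f"{kind}:{value}")
    result = [(sorted(c["accounts"]), sorted(c["shared"])) for c in clusters.values()]
    return sorted(result, key=lambda c: (-len(c[0]), c[0]))

if __name__ == "__main__":
    for accounts, shared in cluster_accounts(OBSERVATIONS):
        print(accounts, "linked by", shared or "nothing shared")
```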
Unlike traditional OSINT where you passively collect information, investigating abuse on a live platform might involve some active engagement. This must be done cautiously and ethically. If you create a sockpuppet (an undercover account), never use your real identity or sensitive information. Through that persona, you could initiate contact to see what the scammer does. They might send you the phishing link or ask for details. This technique can reveal the scam’s playbook.
Use OSINT findings to alert the platform if possible. Many have abuse reporting channels. Responsible disclosure can prompt them to shut down those accounts. Share non-sensitive findings with the wider OSINT community. Posting an analytical write-up outlining the scam modus operandi can raise awareness.
By following these steps, investigators can effectively tackle abuse on new platforms. OSINT techniques enable us to validate profiles, trace scam infrastructure, and ultimately blunt the impact of these schemes before they become widespread.
