Data Scraping: The Legal Invasion of Your Cyber Privacy

Chuck's cyber wall

Data scraping isn’t a new concept; it’s been around almost as long as the internet. In its early days, marketers scraped the web to compare ad performance and gather competitive intelligence, but things have changed. Data scraping tools now harvest millions of data points in seconds, from job titles and email addresses to your company’s org chart and social media activity.

While it might sound like something only big companies need to worry about, if your employees are on your website, have LinkedIn profiles, or talk about work on social media, your business is being scraped. And these scraping tools aren’t only in the hands of marketers.

When Hackers Start Data Scraping

Data scraping is technically legal, but that doesn’t make it ethical or safe. Cybercriminals realized some time ago that they could utilize these scraping tools to increase the effectiveness of their social engineering attacks. And because small and medium-sized businesses are already considered soft targets, hackers use information from existing data breaches to identify them and get a jump start on their research.

For example, back in 2021, scraped data from 500 million LinkedIn users was posted for sale on the dark web. It included account IDs, email addresses, phone numbers, job titles, and links to other social media accounts; all gathered from public-facing profiles. More recently, in 2024, over 26 billion records were leaked in what researchers now refer to as “the mother of all breaches.” And while most of the attention focuses on larger organizations, the consequences hit small businesses hardest.

It Isn’t Just Data, It’s an Attack Vector

Each time someone posts online with an exciting new job title, mentions a client, or shares a photo of an office holiday party, it adds another piece to the puzzle. Hackers take all that public data to make their attacks appear more legitimate, like a phishing email that references the city you’re in, a fake invoice from a vendor you publicly mentioned, or a message “from IT” that includes your actual company logo and names real staff. These little additions take their attacks to the next level, and it works.

We call these targeted attacks Spear Phishing, and they are highly effective because they don’t feel like a scam; they feel familiar. Also, thanks to AI, these attacks are getting smarter and faster, as what used to take days to research can now be done in minutes. Bots do the scraping, generative AI writes the message, and your employees become the unwitting targets.

What Makes Small Businesses So Attractive to Hackers?

Most small businesses don’t have full-time cybersecurity teams or enterprise-grade firewalls, yet they still maintain sensitive financial records, HR files, and access to third-party vendors. That’s more than enough for hackers to go after. In fact:

Awareness is essential because small and medium-sized businesses, especially those that maintain sensitive PII, ePHI, and client financial information, are on the front lines of these attacks.

What Can You Do to Secure Your Business?

The good news is that you don’t need a huge budget to make a big difference. Here are some best practices we recommend to every client:

  • Think Before You Post: Remind employees that everything they post publicly can be scraped, including job titles, email addresses, photos, and work anniversaries
  • Keep Posts Minimal: If you list team members on your website, consider limiting job titles or contact details, and don’t include direct email addresses
  • Train Your Team: If your employees can’t recognize a phishing attempt, it doesn’t matter how many tools you put in place; that’s why we offer Security Awareness Training
  • Use Strong Passwords and MFA: A scraped email address paired with a reused password is gold for a hacker
  • Don’t Recycle Accounts: If you’re no longer using an online service, close the account and update your password manager; old accounts are common access points for credential stuffing
  • And most of all, Be Skeptical of links, attachments, and any heightened sense of urgency

Be Aware of Your Public Presence

Here at Clark Computer Services, we work with numerous small businesses that never expected to be targeted by cybercriminals, but the reality is that we’re all targets. We’ve seen phishing scams that look like vendor invoices, emails that mimic company owners, and AI-generated voicemails trying to trick people into logging in to fake portals. And almost every one of them started with scraped public data.

Take a moment to examine your online presence as if you were a hacker. What information are you putting out there, and, more importantly, how can that information be used to fool you or your employees? If you’re not sure, give us a call at 301-456-6931 or send an email to [email protected] and we’ll help you figure out how to make your business more secure.


Chuck Sperati

Director of Cybersecurity and Marketing

I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small businesses, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com