Before Googling movie trivia to prove friends and loved ones wrong, before Facebook stalking, before the internet was even available in your home, the primary source of OSINT – Open Source Intelligence – was the big phone book with its thin yellow or white pages.
There, one data point, probably a surname, could reveal a physical address, phone number, and maybe a limited number of personal connections or an associated business.
Now, an OSINT investigation can take a phone number and build an entire portrait – a digital footprint – from it.
A Brief Review of Open Source Intelligence
OSINT refers to intelligence gathering from publicly available sources of data. This can be literally every source of information that the public can access, including sources that are not lying “on the surface” where a simple web query would find them and that might require some digging.
This might include:
- Every social media post
- Information from public databases like libraries, court records, website domain registrations
- All published content (text, audio, image, video) ever
- Maps and geolocation services
- Information associated with email addresses and phone numbers
The raw data inside of this dataset is less than useful by itself, simply because of its unmanageable size and inconsistent quality. However, there exists a huge body of software and services that perform OSINT lookups for all different scales and metrics, most of which function by entering data points and then returning whatever can be found on the public, open web. This information and these tools are an invaluable resource for any organization that wants to gain insights into its users or shore up its security vulnerabilities.
Unfortunately, it is equally valuable to fraudsters and cybercriminals.
Dial OSINT For Information
In the age of the near-ubiquitous smartphone, the phone number associated with your mobile device is potentially one of the most revealing data points when it comes to how much personal data it could lead to. A reverse phone lookup for a terrestrial number might reveal an address and a name, but a mobile number could lead to a whole livelihood. Consider that a mobile number could lead to every social site that the number was registered to or any sign-up that requires two-factor authentication via text or call, and then whatever personal data can be accessed publicly on those accounts.
Armed only with 10 or so digits, an inquisitive mind, good or bad, could input a phone number and have access to:
- Whether the phone is mobile, terrestrial, VOIP, or invalid
- Geolocation data to at least the country level, if not more
- First and last names, potentially usernames
- When the phone was first and most recently viewed
- Associated social media accounts, and thus:
  - Hobbies and interests as posted on SNS
  - Family, friends, and professional connections
  - Professional background via LinkedIn
  - Photos, videos and audio, and any locations they are attached to
If this seems an alarming amount of data to relinquish to the public space, that’s because it is.
For many people, the above list might be totally populated with publicly scrapeable information, creating a multidimensional digital footprint of a user, but that doesn’t mean it’s being used for malicious purposes.
How Can Phone OSINT Data Be Used?
Despite the fact that even casual mobile phone use can lead to a deep and well-defined footprint, most organizations leveraging OSINT against their incoming traffic are using it in valid, non-nefarious ways.
In particular, security-minded entities like law enforcement, intelligence agencies, and fraud prevention or cybersecurity teams will be looking to keep their web space safe, whereas corporations will be employing an OSINT tool to increase their bottom line via successful market segmentation, mitigation of loss to fraud, or market research.
OSINT, the Secure Line
Defensively speaking, intelligence and security agencies of every cloth will be enriching their knowledge with OSINT investigations.
Discussing OSINT’s value in the field of law enforcement, Sir Mark Rowley QPC, incoming commissioner of London’s Metropolitan Police, notes that “the insights that OSINT can offer are unlikely to be found in internal datasets, curated databases, or sanctions lists”, and that this data discovery was instrumental in his investigations. Sir Rowley, incidentally, was awarded a knighthood in recognition of his achievements as the head of the UK Counter Terrorism Policing, where he used open source data from social networks to foil some 27 extremist plots.
The methods of OSINT investigation will vary case by case. Data derived from a phone number may potentially be complicated enough that it needs to be unpacked and analyzed by a machine learning algorithm in order to recognize malicious behavior patterns. For example, SEON’s fraud prevention tool populates a list of social and messaging accounts from a reverse phone lookup, the particular results of which can be audited for anomalies or customized red flags.
Other times, a manual evaluation might be necessary, combing through social media posts for clues in the backgrounds of photos or videos uploaded, or, as in a high-profile OSINT investigation, manually uncovering a fraudster's real name via their eBay and Apple Music accounts.
OSINT, The Business Line
For most companies, the bottom line is the only concern. Here, when it comes to protecting investments, the application of OSINT can play roles on both the offensive and defensive sides of the coin.
In terms of profit maximization, an OSINT tool can assist in companies’ knowledge of their customer base, and ultimately provide an improved user experience through it. By thoroughly combing over a user’s OSINT results, companies can be better informed about how they should be segmenting their customers. A reverse phone lookup that yields, for example, a prolific Airbnb profile with international destinations could confidently be segmented into a high-value user group, and many fraud solutions offer the ability to create custom rules to highlight these users.
Similarly beneficial to a company’s profits is the ability to apply OSINT on competitors’ updates and the state of the market at large. In fiercely competitive market spaces, to stay up-to-date on developments in a sector, a company might set up regular OSINT checks on the blogs of a competing product or a sector-specific website.
A responding market strategy can then be started as soon as relevant news goes live.
OSINT, the Business Security Line
From both a security and business standpoint, OSINT is instrumental in fighting fraud and cybercrime.
Every e-commerce company will be utilizing a stack of fraud prevention software to check the veracity of its customers inside its digital marketplace. As mentioned above, fraud solutions will take data points like a phone number or physical address from a customer’s onboarding or checkout process, then conduct an OSINT investigation based on them.
A data point like a phone number can indicate characteristics that are associated with fraudulent behavior, like being disposable or VOIP, or being associated with zero messaging and social media apps – very likely an account set up hastily by a fraudster, as opposed to a real customer. Red flags like this can then be automatically set to stop a suspicious customer’s journey in the marketplace or escalated for manual review by a fraud team.
Assuming that inbound digital traffic moving through an e-commerce experience will ultimately relinquish more than one data point, fraud prevention tools will also attempt to combine datasets to fill out a user’s digital footprint – data enrichment.
Indeed, the more data points that can be audited by an OSINT program, the more likely the program is to come to a definitive conclusion about the user’s validity (or nefariousness).
Who You Gonna Call? What Reverse Phone Lookup Tools Exist?
Receiving a call from an unknown number with an unrecognized area code is a suspicious situation for a lot of people, and Googling the number seems a standard first step when it happens.
Indeed, a Google query is probably the standard first OSINT investigation for most things, in general. That tool, however, requires you to comb through results to (hopefully) find an answer to the question, and as often as not, the answer is dubious or only marginal.
Here are some OSINT-based reverse phone lookup tools that can help shed light on even the most suspicious unknown number.
SEON for Fraud Prevention and Data Enrichment
SEON’s fraud prevention suite is aimed primarily at e-commerce businesses and is powered largely by meticulous OSINT investigations.
To determine the risk associated with an individual user, SEON’s platform looks at identifying data points like email and phone numbers. From these points, SEON populates a list of over 50 social media platforms to look for accounts attached to those identifiers, an easy way to determine if the email or phone number being dealt with represents a real human or a potential bad actor.
As most cybercriminals will be operating at scale, perhaps with dozens of false identities, emails, and disposable phone numbers, the likelihood that they would go to the time and trouble to set up an ostensibly real social media presence for them is very low, especially when the average real user has multiple social accounts associated with their profile. Suspiciously socially-absent users can be put on hold for manual review or barred outright from interacting with the marketplace.
To maximize confidence in the risk analysis of a user, the OSINT returns information about the phone and email address enriched with identifiers from the device, IP origin, and expected behavior by SEON’s machine learning algorithms. The returns of these inquiries are all fully accessible and explainable and can provide insights into the customer base for the purposes of customer segmentation or targeted marketing, well outside of their potential for fraud.
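The red flags described under the business security line (disposable or VOIP numbers, zero associated accounts) and the social-absence check described in this section can be expressed as explainable scoring rules. The sketch below is an added example, not SEON's code or any vendor's schema; the field names, weights, thresholds and sample records are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PhoneProfile:
    # Field names are assumptions for this example, not any vendor's schema.
    number: str
    line_type: str                       # "mobile", "landline", "voip", "invalid"
    disposable: bool = False
    phone_accounts: List[str] = field(default_factory=list)
    email_accounts: Optional[List[str]] = None   # None = no email was looked up

# (reason, points, predicate). Weights and thresholds are illustrative only.
RULES = [
    ("invalid number", 100, lambda p: p.line_type == "invalid"),
    ("disposable number", 50, lambda p: p.disposable),
    ("VOIP line", 30, lambda p: p.line_type == "voip"),
    ("no social or messaging accounts on phone", 40, lambda p: not p.phone_accounts),
    ("email lookup found no accounts either", 30,
     lambda p: not p.phone_accounts and p.email_accounts == []),
]
REVIEW_AT, BLOCK_AT = 40, 100

def assess(p):
    """Return (decision, score, reasons) so every outcome is explainable."""
    hits = [(reason, pts) for reason, pts, test in RULES if test(p)]
    score = sum(pts for _, pts in hits)
    if score >= BLOCK_AT:
        decision = "block"
    elif score >= REVIEW_AT:
        decision = "manual_review"
    else:
        decision = "allow"
    return decision, score, [reason for reason, _ in hits]

# Constructed sample records (555-01xx numbers are reserved for fiction).
SAMPLES = [
    PhoneProfile("+12025550101", "mobile", False, ["whatsapp", "linkedin"], ["airbnb"]),
    PhoneProfile("+12025550102", "voip", True, [], []),
    PhoneProfile("+12025550103", "mobile", False, [], None),
    PhoneProfile("+12025550104", "voip", False, ["telegram"], None),
]

def triage(profiles):
    """Map each number to its decision."""
    return {p.number: assess(p)[0] for p in profiles}

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.number, *assess(p))
```

A VOIP line on its own stays below the review threshold here, while the same line type combined with a disposable number and no accounts on either data point is blocked, which is the effect of auditing more than one data point.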
IntelTechniques for Accessible OSINT Lookups
Michael Bazzell’s simple tool allows users to search multiple, multi-sector OSINT search tools at once to get results on specific data points. For example, the reverse phone lookup tool populates a list of 30 websites that host personal data, which can then be checked for the signs of a legitimate internet user. Similar search aggregators exist on Bazzell’s site for a long, meticulous list of OSINT metrics like email, images, IP analysis, and historical data breaches.
Like OSINT itself, this tool is invaluable for both security professionals and criminals. A cybersecurity officer and a hacker might be using tools like this to test for vulnerabilities, with essentially the same goal in mind.
For example, one of the phone lookup services that IntelTechniques utilizes is That’sThem, which, in turn, produces personal information starting at a full name but ending at the time spent living at a current address, as well as the estimated income and net worth of the phone number holder. Other services included in the IntelTechniques list reveal other information that is similarly granular but similarly damning in terms of positively identifying the account owner.
For a company investigating a potentially malicious user, this amount of information (or the lack thereof) could provide a lot of context when conducting a manual check.
SpiderFoot for Security Investigations
SpiderFoot advertises itself as a tool for “professionals who want to automate OSINT for threat intelligence, asset discovery, attack surface monitoring or security assessments”.
The software suite comes in both paid and free versions, with the paid version offering insightful visualizations, as well as their proprietary SpiderFoot HX tool, which automatically pulls insights from raw data to then deliver to a security team. This is the main functionality of SpiderFoot: running scans on set parameters of domains to look for warning signs, such as a likelihood to be involved with an account takeover fraud.
The insights generated are particularly valuable because SpiderFoot leans heavily on flagging identities that have been involved in PII-exposing data breaches and exposures. Compared to a reverse phone lookup OSINT investigation, where the results yielded are fairly easy to interpret – the user has an active Airbnb account, for example – SpiderFoot digs into things like the personal data exposed through poorly-safeguarded AWS S3 buckets (digital container assets where AWS stores files).
Drawing conclusions from these sources requires a computer to draw out usable discoveries, and in SpiderFoot HX’s case, the computer tries to present immediately actionable insights, allowing cybersecurity officers to focus on response and remediation, rather than research.
The more of our lives we live on our mobile devices, the more information those devices and the associated phone number can be forced to reveal. As we increasingly post and share and connect, the more vital it becomes to be aware of how our connections and uploads can be leveraged both for and against us. In the complicated calculus of our digital footprint, the naked eye is not as good as software assistance, and finding a tool to stay secure is of huge importance.
About the Author
Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He's the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what's happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.