
Ins & Outs of Due Diligence using OSINT

All organizations conduct some form of due diligence. It enables decision-makers to identify relationships that will serve in the best interests of their shareholders, customers, employees, and brand. Incorporating OSINT into your due diligence process will be key to getting the information you need.

It’s hard to predict the future, but as humans we like to think we can get pretty close. Much of business involves divining future success based on decisions made at the moment. For example, before inviting new partners and people into inner circles or connecting to third-party systems, organizations use past behavior to foreshadow future business outcomes. People who do this type of investigation, known as due diligence, walk a narrow line between multiple conflicting outcomes and principles.

What Type of Due Diligence Are You?

All organizations conduct some form of due diligence. It enables decision-makers to identify relationships that will serve in the best interests of their shareholders, customers, employees, and brand. Calling references for a fast food restaurant job is one form of due diligence. When it happens, odds are it is happening for one of these reasons:

Know Your Customer (KYC) 

Depending on your industry, customers might be your weakest link. A key component of fraud and anti-money laundering strategies involves assessing suspicious customer behaviour and investigating persons of interest. Investigators use publicly available information to make risk-based fraud prevention decisions by identifying red flags in background information and personal connections.

Partner & Vendor Integrity

In addition to the financial and legal state of a potential business partner, OSINT practices are used to provide insight into their reputation and integrity. Obtaining critical information early can be useful to decision-makers when deciding, first off, whether to enter into a business relationship, but also to the extent that intelligence can be powerful leverage in a negotiation.

Strategic People Vetting

The same rules that apply to partners and vendors apply to key appointments within an organization, except double. For people in the public eye, and in a position of influence or trust within an organization, a little more than a reference check is required. The lasting footprint of social media, for example, has had a newsworthy impact on the careers of many people over the past few years, leaving companies no option other than to distance themselves.

Disputes

Open-source intelligence can also be used to settle legal or contractual disputes or to support internal investigations. Where fraud, intellectual property disputes or breaches of contract are concerned, OSINT data is often highly useful and can fill in pertinent details and parts of the story. Don’t overlook it.

Obstacles & Opportunities

While there are limitations to OSINT capabilities, it is fairly obvious that this gap will grow increasingly narrow as more information is digitized. What globalization wants, globalization gets, after all.

Data Sources

Information is generally gathered from two distinct sources – open information and public records. Open information might include public social media messages, a listing in a directory, or a news article. Public records, on the other hand, are filed or recorded with an external agency in order to notify the public. This could include deeds to property, patents, or court documents. 

This vast amount of data available online from public records and open sources has made the investigator’s job infinitely easier. There’s a catch though: a lot of this information is hidden, and doing much more than a glance at a few sources takes time. Not only does it require investigators to know in advance which sources will be pertinent so that they can be accessed quickly, it often means that a lot of information goes unseen. If Google only visits 4% of the Internet, where is all that information going? This is one of the biggest challenges of using OSINT to feed the due diligence process. The data sources, however public, are not easy to find. Investigators have to think outside the box and understand the limitations of manual OSINT investigations in order to work around their shortcomings.


Always Check Yourself

Sometimes too much information can be a bad thing. Judging by the number of completely insane conspiracy theories proven on the Internet, there is enough information out there to come to all conclusions with data laid out in a specific way and the right bias. We’re better than that, aren’t we? The first bias is one you have to check at the very beginning. If you want to find something, you will; if you don’t want to find something, you won’t. Don’t go into it with expectations about what you are going to find or what the outcome will be. In addition to this, there are a number of typical cognitive biases that can influence analysts and, in turn, lead decision-makers astray.

Rinse & Repeat

Anyone can look into anyone online. It’s in the finished product that the real skills of the investigator come into play. Unlike a standard Google and social media search, investigators use surface data to uncover risks, dig deeper to validate those assumptions, and then ask specific questions that could lead to further inquiry. Of course, some due diligence is more transactional in nature, but for strategic intelligence inquiries, decision-makers need a more tailored assessment. This rinse and repeat methodology is crucial in ensuring that no stone is left unturned in obtaining a broader analysis and enhanced visibility.

GDPR & Privacy 

External regulations and guidelines have as much influence on due diligence practices as internal ones, on one hand demanding increased rigor and on the other placing rules on how information is collected. GDPR, for example, ensures that the rights of the person that is the subject of inquiry are understood and honored. It can be tricky. Investigators first off need a legal reason to proceed. Secondly, the data collected should be no more than is relevant to the inquiry. The final point we will make is that this data, when collected, can only be used for the purpose and initial reason for which it was obtained. It’s a little more complicated than that, but that is the key idea.

On Financial Institutions

Despite popular belief, financial institutions are not really in the business of money. It’s the ocean they swim in, but it’s not what they do. It’s financial institutions that take due diligence to the next level. Every decision, whether it be approving a transaction, issuing credit, or making an investment, is made using data from past behaviour to predict future outcomes. Financial institutions like banks, mortgage lending firms, and insurance companies have a whole slew of industry regulations to consider. They do the same type of due diligence as the rest of us, but it is also woven into the way they do business. While a lot of what we’ve discussed here applies to risk management in financial institutions, it’s also a whole other ball game.

If it’s so easy, why is it so hard?

There are obviously many challenges to overcome and pitfalls to avoid when conducting due diligence from an organization’s perspective. The vast number of data sources, the conflicting demands of internal imperatives and external laws, the bias that comes with any inquiry: it is a lot to manage. We know that there is rarely enough time to find everything; there is always a margin of error.

While open information and public sources can be obtained manually, the Media Sonar platform helps investigators overcome a lot of the challenges to reduce the amount of missed information. Footprint data for persons and organizations can be quickly captured and classified from hundreds of public directories and data sources online. Investigators can use the platform to access millions of publicly available but hidden sources online and search it all within a single screen. If a search yields results, Media Sonar’s entity extraction makes it easy to follow a link in the chain of intelligence. If you are conducting due diligence investigations on a regular basis, you might need to look beyond manually intensive practices. After all, the speed and efficacy of due diligence investigations could always benefit from the right toolkit.
