Decoy personas extend honeytoken thinking to user accounts and public profiles. The technique gives defenders a tripwire on the identity surface that other detection layers don't cover.

Plant Decoy Personas to Detect Impersonation Attacks - illustration

A decoy persona is a fake identity established to catch attackers as they probe your workforce. Plant it wherever threat actors look for employees to pursue in scams and other attacks. The unexpected interaction lets you detect the incident, so you can curtail it before it escalates.

No one legitimate should touch a decoy persona.

An effective decoy is a privileged-looking user account in your directory that fires when someone tries to use it. You can set up your SIEM tool to alert you when someone accesses the account. Customers of Microsoft Defender for Identity can also achieve this through the product’s honeytoken tagging feature.

On the public web, you can apply the same pattern to a LinkedIn profile representing a fictional employee (consider LinkedIn’s terms of use). Connection requests, recruiter outreach, and InMail attempts all become signals because the person doesn’t exist. A fake executive email address in a public org chart offers similar value after you filter out the spam. So does a decoy press contact an attacker reaches for during a social-engineering pretext.
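As an added illustration of the tripwire logic described above (not code from the original post), here is a small SIEM-style rule that alerts on any event touching a decoy directory account or a decoy mailbox. The decoy names, the event shape, and the `spam_verdict` field are all constructed for the example.

```python
from dataclasses import dataclass

# Decoy identities this rule watches. Both names are constructed for the example;
# a real deployment uses convincing names that fit the org, never "decoy01".
DECOY_ACCOUNTS = {"jmorales-adm"}             # privileged-looking directory account
DECOY_EMAILS = {"claire.nguyen@example.com"}  # decoy executive address in the org chart


@dataclass
class Alert:
    severity: str
    reason: str
    event: dict


def decoy_alerts(events):
    """Return one Alert per event that touches a decoy identity.
    Outcome is irrelevant: a failed logon, a successful logon or a VPN session
    against a decoy account are all signals, since nothing legitimate uses it.
    """
    alerts = []
    for ev in events:
        user = (ev.get("user") or "").lower()
        rcpts = {r.lower() for r in ev.get("recipients", [])}
        if user in DECOY_ACCOUNTS:
            # A success is worse: the attacker already holds working credentials.
            sev = "critical" if ev.get("outcome") == "success" else "high"
            alerts.append(Alert(sev, f"decoy account {user!r} used via {ev['source']}", ev))
        elif rcpts & DECOY_EMAILS:
            # Mass mailings reach the decoy address too; skip what the gateway
            # already classified as spam so only targeted contact alerts.
            if ev.get("spam_verdict") == "spam":
                continue
            hit = min(rcpts & DECOY_EMAILS)
            alerts.append(Alert("medium", f"targeted mail to decoy address {hit!r}", ev))
    return alerts


# Constructed sample events in a simplified SIEM-normalised shape, not real logs.
SAMPLE_EVENTS = [
    {"source": "windows_security", "event_id": 4625, "user": "jmorales-adm",
     "outcome": "failure", "src_ip": "10.20.30.40"},
    {"source": "windows_security", "event_id": 4624, "user": "alice", "outcome": "success"},
    {"source": "mail_gateway", "sender": "recruiter@example.net",
     "recipients": ["Claire.Nguyen@example.com"], "spam_verdict": "clean"},
    {"source": "mail_gateway", "sender": "promo@example.org",
     "recipients": ["claire.nguyen@example.com"], "spam_verdict": "spam"},
    {"source": "vpn", "user": "JMORALES-ADM", "outcome": "success", "src_ip": "203.0.113.7"},
]
```

Running `decoy_alerts(SAMPLE_EVENTS)` yields three alerts (failed logon, targeted mail, successful VPN logon) and ignores both the ordinary user and the spam message.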

Decoy personas rely on asymmetry. Since you know which identities are decoys and the attacker doesn’t, any contact with one is a useful alert.

A convincing decoy needs a backstory and isolation from production.

Attackers can fingerprint thin LinkedIn profiles and dismiss them as bait. A convincing decoy incorporates prior employers, posting activity, and a social network that fits the role. The same principle applies to internal directory accounts: names like test_admin or decoy01 give the bait away. Researchers cataloging Canarytoken fingerprints make a similar point about file-based bait.

Isolate identity paths between the decoy and the production environment. A decoy account should never share SSO, MFA, or directory backends with production accounts. Use disposable credentials and a separate identity store. If session cookies, VPN configs, or outbound rules overlap with production services, the decoy stops being a tripwire and becomes a path for lateral movement into production.

Plant a decoy persona this week.

Decoy personas are an identity tripwire in your deception architecture, alongside honeytokens and decoy MCP servers. They alert you early in the attack chain, giving you a chance to intervene before it escalates.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.