
The Caricature Trap - A harmless AI trend that hands attackers your org chart

The trend looks innocent on purpose. Someone posts a template telling you to ask ChatGPT to “create a caricature of me and my job based on everything you know about me,” then you share the result to Instagram and collect the predictable comments: “That’s so you,” “Lol accurate,” “AI is wild.”

Security people saw something else: a crowdsourced employee directory where the employees happily attach their names, roles, company hints, and social handles to a stylized image that screams, “I work here, and I’m online.” The Register, quoting Fortra security analyst Josh Davies, framed it bluntly: the trend increases the odds of social engineering, LLM account takeovers, and prompt-injection-style follow-on abuse. The punchline is that the “caricature” is not the risk by itself. The risk is the package you unknowingly ship alongside it.

Why attackers love it 

Most phishing attempts still fail for the same reason they always have. It’s generic. It doesn’t know who you are, what you do, what you call your boss, which project name makes you flinch, or what internal system you secretly hate because it breaks every Friday. 

This trend helps attackers fix that. 

A job-themed caricature plus your profile is a targeting accelerant. It can reveal your role, seniority, tools, and even the types of work you handle. A sales leader gets a different set of lures than a payroll specialist. A “revops” person gets different bait than a security engineer. A caricature that includes a laptop sticker, a badge, a headset, a hospital floor, a trading desk, a lab bench, a hard hat, a flight deck, or a courtroom aesthetic narrows the script.

And if your post is tied to a real handle with a real bio, the attacker doesn’t need to guess the organization’s structure. You just demonstrated your place in it.

The email guess is the boring part

Davies’ warning in The Register included a detail that matters because it’s so mundane it's easy to overlook: once an attacker has a username and enough profile context, they can often infer the email format. Firstname.lastname. First initial plus last name. Something with a number because there were already three Peters.

That’s not the “hack.” That’s the setup.

From there, the attacker shifts to account recovery, credential stuffing, or old-fashioned persuasion. If you can be convinced to click one link, approve one login, read one “urgent” message, or copy one “verification code,” the attacker gets what they actually came for: access.

The new prize is your prompt history

The trend is specifically tied to ChatGPT. That matters because the trophy isn’t the image. The trophy is whatever sits behind your account: your chats, your files, your pasted snippets, your “quick questions,” your drafts, your accidental secrets.

If an attacker takes over an LLM account, Davies argued, they can review prompt history and search for sensitive information that never belonged in a consumer tool to begin with. Even disciplined teams leak through convenience. People paste meeting notes because it’s faster than rewriting them. They paste client names because they assume the model “doesn’t really keep it.” They paste a chunk of code because it’s just one function. They paste a contract paragraph because they want a cleaner rewrite. They paste an error message that includes internal URLs, environment names, or identifiers.

The corporate risk isn’t theoretical. It’s the very human habit of treating the chatbot like a private notebook.
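One practical way to counter the "private notebook" habit is to put a check between the clipboard and the chatbot. The script below is an added example (not code from the article, from Fortra, or from any vendor) that scans a would-be prompt for the categories of leakage described above: tokens, passwords, private addresses, internal hostnames, environment names and project codenames. The regex patterns, the hostname suffixes and the sample error message are all constructed assumptions for the demonstration, not a complete DLP rule set.

```python
import re
from dataclasses import dataclass

# Illustrative patterns (assumptions for this example, not a complete DLP rule set).
# Each corresponds to something the article says people paste without thinking:
# access tokens, password fragments, internal URLs, environment names, private IPs.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    # Hostname suffixes are assumed; substitute your own internal DNS zones.
    "internal_hostname": re.compile(
        r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|corp|local|intranet)\b", re.I),
    "environment_name": re.compile(
        r"\b(?:production|preprod|staging|uat|prod)-[a-z0-9-]+\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern or list produced the hit
    value: str     # the matched fragment
    line_no: int   # 1-based line within the pasted text


def scan_prompt(text, codenames=()):
    """Return every sensitive-looking fragment in `text`.

    `codenames` is an optional collection of internal project or client names
    that a regex cannot know about (e.g. ("Falcon",)); matched case-insensitively.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, m.group(0), line_no))
        for name in codenames:
            if re.search(r"\b" + re.escape(name) + r"\b", line, re.I):
                findings.append(Finding("internal_codename", name, line_no))
    return findings


def redact(text, codenames=()):
    """Replace each hit with a labelled placeholder so the question can still be asked."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    for name in codenames:
        text = re.sub(r"\b" + re.escape(name) + r"\b",
                      "[REDACTED:internal_codename]", text, flags=re.I)
    return text


def is_safe_to_paste(text, codenames=()):
    """True when the scanner finds nothing; False means stop and redact first."""
    return not scan_prompt(text, codenames)


# Constructed sample: the kind of "why does this break every Friday?" paste the article
# describes. Every host, address, token and name below is made up for this example.
SAMPLE_PASTE = """\
Can you tell me why this fails every Friday?
ConnectionError: could not reach https://billing-api.payments.internal:8443/v2/run
  host=10.42.7.19 env=prod-eu-west-1
  Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQ.c2lnbmF0dXJl
Project Falcon sync job, retry with db password=Summer2026!
"""

if __name__ == "__main__":
    for f in scan_prompt(SAMPLE_PASTE, codenames=("Falcon",)):
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
    print("--- redacted version ---")
    print(redact(SAMPLE_PASTE, codenames=("Falcon",)))
```

Run as-is, the scanner flags six fragments in the sample paste (an internal hostname, a private address, an environment name, a bearer token, a password and a codename) and prints a redacted version that still carries enough of the error for a model to help with. The point is not that regexes are a complete control; it is that the "quick question" path needs a gate the same way e-mail and file uploads already have one.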

Prompt injection isn’t just for developers anymore

“Prompt injection” is often discussed as a problem only for teams building complex agentic systems. But the underlying idea is simpler: a model can be manipulated by instructions hidden inside content that looks harmless. Security groups like OWASP now rank prompt injection as a top risk category for LLM applications, precisely because models struggle to reliably separate “instructions” from “data.” 

Microsoft has identified indirect prompt injection as a practical enterprise risk: the model processes untrusted content and treats embedded instructions as instructions to follow, potentially leading to unsafe behavior depending on the system's environment.

That’s the bigger point Davies is gesturing at with this caricature trend. It’s not only that attackers can phish you. It’s that attackers can use socially engineered context to steer what you ask the model next, what you paste into it, what you trust from it, and what you do with its output. The “injection” can be a narrative, not just a string.

Shadow AI is the real villain in the story

The uncomfortable subtext of this trend is that many companies still pretend consumer LLM use isn’t happening. Employees use it anyway. They do it on personal accounts. They do it on corporate devices. They do it for real work, then they do it for memes, and those two behaviors share the same identity layer: the person.

Fortra’s write-up framed the trend as a teachable moment about shadow AI. Not because people are bad, but because systems are leaky. The boundary between “harmless fun” and “work-related exposure” is usually one copy-paste away, and the attacker only needs you to be the kind of person who mixes the two.

What competent teams do with a “silly” incident 

A mature security team doesn’t handle this by yelling at employees for having a personality. They handle it like any other exposure pattern: reduce the blast radius, tighten identity controls, and remove the incentive to use uncontrolled tools for controlled data.

That means treating LLM accounts like real accounts with real value, because they are. It means a clear policy on what can and cannot go into consumer chatbots, along with an approved alternative that doesn’t penalize productivity. It means enforcing strong authentication and monitoring for suspicious logins. It means training that reflects modern lures, not the tired “Nigerian prince” cartoons everyone can spot from orbit.
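"Monitoring for suspicious logins" is easy to say and worth making concrete. The script below is an added example (not code from the article or from any identity provider) that runs two simple detections over a constructed sign-in audit log: a successful login from a country never seen before for that user, and a source IP that fails against many distinct accounts in a short window, which is the signature of the credential stuffing the article mentions. It then correlates the two so that a success from a flagged source surfaces as a takeover candidate. The event schema, thresholds and every user, address and timestamp are assumptions made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for a hypothetical SaaS/LLM tenant.
# Tuple fields: timestamp (UTC, ISO 8601), user, source IP, geo country, result.
# All values are made up; the IPs are from documentation ranges.
EVENTS = [
    ("2026-03-02T08:01:00", "p.miller", "203.0.113.10", "DE", "success"),
    ("2026-03-02T08:05:00", "a.khan",   "203.0.113.11", "DE", "success"),
    ("2026-03-02T12:30:00", "p.miller", "203.0.113.10", "DE", "success"),
    # One source, five different accounts, twelve seconds: stuffing, not fat fingers.
    ("2026-03-02T22:00:10", "p.miller", "198.51.100.7", "US", "failure"),
    ("2026-03-02T22:00:12", "a.khan",   "198.51.100.7", "US", "failure"),
    ("2026-03-02T22:00:15", "j.ortiz",  "198.51.100.7", "US", "failure"),
    ("2026-03-02T22:00:19", "r.chen",   "198.51.100.7", "US", "failure"),
    ("2026-03-02T22:00:22", "s.lee",    "198.51.100.7", "US", "failure"),
    # ...and then one of them works.
    ("2026-03-02T22:00:30", "p.miller", "198.51.100.7", "US", "success"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_new_country(events):
    """Flag successful sign-ins from a country not previously seen for that user.

    The first successful sign-in for a user seeds the baseline and is not flagged.
    Returns a list of (user, country, ip, timestamp) tuples in time order.
    """
    seen = defaultdict(set)
    alerts = []
    for ts, user, ip, country, result in sorted(events):  # ISO timestamps sort as text
        if result != "success":
            continue
        if seen[user] and country not in seen[user]:
            alerts.append((user, country, ip, ts))
        seen[user].add(country)
    return alerts


def detect_stuffing_sources(events, window=timedelta(seconds=60), min_users=5):
    """Return source IPs whose failures touch >= min_users distinct accounts inside `window`.

    Thresholds are assumptions for the example; tune them to your tenant's size.
    """
    failures = defaultdict(list)
    for ts, user, ip, _country, result in events:
        if result == "failure":
            failures[ip].append((_ts(ts), user))
    flagged = set()
    for ip, rows in failures.items():
        rows.sort()
        for i, (start, _user) in enumerate(rows):
            users_in_window = {u for t, u in rows[i:] if t - start <= window}
            if len(users_in_window) >= min_users:
                flagged.add(ip)
                break
    return flagged


def takeover_candidates(events, **thresholds):
    """Users with a successful sign-in from an IP already flagged as a stuffing source."""
    bad_ips = detect_stuffing_sources(events, **thresholds)
    return sorted({user for _ts_, user, ip, _c, result in events
                   if result == "success" and ip in bad_ips})


if __name__ == "__main__":
    for user, country, ip, ts in detect_new_country(EVENTS):
        print(f"NEW-GEO   {ts} {user} from {country} ({ip})")
    for ip in sorted(detect_stuffing_sources(EVENTS)):
        print(f"STUFFING  source {ip}")
    for user in takeover_candidates(EVENTS):
        print(f"TAKEOVER? {user}: success from a stuffing source, force re-auth and review")
```

On the sample log, the new-country rule fires once (p.miller from US), the stuffing rule flags 198.51.100.7, and the correlation names p.miller as the account to re-authenticate and review. Either rule alone is noisy; together they turn a "silly" exposure into a specific, actionable alert.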

CISA’s phishing guidance remains relevant here for the fundamentals: social engineering works when the message feels specific, urgent, and plausible. This trend helps attackers manufacture “specific” at scale.

The takeaway

The internet loves a cute template because it lowers the effort to participate. Attackers love a cute template because it lowers the effort required to target the people who participate.

If your employees are posting AI-made “work caricatures,” you’re not looking at a harmless trend. You’re looking at a new kind of public metadata exhaust: identity, role, social graph, and a likely path to the most under-protected vault in the modern workplace, the chatbot account full of “quick questions” that were never supposed to become discoverable.

The caricature is the joke. The prompt history is the punchline.


©2026 Copyright by Markus Brinsa | Chatbots Behaving Badly™

Sources

  1. The Register - Posting AI caricatures on social media is bad for security theregister.com
  2. Fortra - What Can the AI Work Caricature Trend Teach Us About the Risks of Shadow AI? fortra.com
  3. eSecurity Planet - Viral AI Caricatures Highlight Shadow AI Dangers esecurityplanet.com
  4. OWASP - OWASP Top 10 for Large Language Model Applications owasp.org
  5. Microsoft Security Response Center - How Microsoft defends against indirect prompt injection attacks microsoft.com
  6. CISA - Phishing Guidance: Stopping the Attack Cycle at Phase One cisa.gov
