Social engineering expertise
The survey also found that social engineering is being used in highly targeted attacks on key business players to masquerade as higher ups. Most often, the end result is money being transferred to fraudulent bank accounts.
That may sound unbelievable. Who would send money to a stranger? But the hacker doesn't look like a stranger. One kind of scam, which Epstein calls "low level sophistication," will involve 10-15 emails between the potential victim and the attacker.
"It's not an attacker opening with 'hey this is your CEO please transfer money.' They opened with a 'John this is Sally. I had some questions about a recent invoice,' and then John responded to 'Sally' and then some other things, and in the course of conversation it got down to a transfer situation."
A more sophisticated version of this kind of attack is that John would receive an attachment based email, and the attachment would modify John's email settings so that the next time John gets a message from CEO Sally, it wouldn't go back to Sally but to the attacker who would then forward it to Sally.
"At some point, the attacker would then insert into one of the CEO's emails an extra paragraph or two," he says. "These are not blunt, easily detectable things. These are emails that are written in the native language adopting the tone of the executive's email addresses that appear to be exactly the same, modifying very slight or using hidden settings that you don't see."
It's a higher tech version of an old scam, Epstein adds. "2014 was the year of figuring out how to bypass the alarm system and sneak in," he says. "2015 was the year of showing up with a package under your front arm and knocking on the front door."
Your information is out there
Social engineering is what is making these kinds of scams possible and, says Hamman, not surprising given how much of our information there is to engineer. "So much of our personal identifying information is out there," he says. And he's not just talking that to what you post on twitter. In the last three years, he's been alerted that he's been a victim of a data breach four times.
"My information – who knows where it is and if my information ends up in the wrong hands, they know my birthday, social security number, may or may not know my credit card numbers," he says. When someone is targeted by a criminal who knows this information, the target is more likely to think that the person is who they say they are. "These are sophisticated attacks that people are falling for because the attacker has done their homework," he says.
Sign up for Computerworld eNewsletters.