Fallout from the Epsilon Security Breach
Security Architect, IntraLinks
POSTED ON May 6, 2011

Mushegh Hakhinian

As many people know from reading the news over the last month, Epsilon, a permission-based email marketing provider, suffered a major security breach. Their clients’ customer data was exposed as a result of an unauthorized entry into Epsilon’s email system. Their customers include big brand names such as Target, Red Roof Inn, Best Buy, Chase, Marriott and Brookstone.

It’s safe to assume the people who launched this attack on Epsilon are no script kiddies who accidentally hit the jackpot. The recent breaches at Epsilon as well as RSA have proven that there are individuals or groups out there that are willing to commit significant resources to hacking and anticipate a decent return on their investment. The Epsilon breach is essentially part of a criminal business model that simplifies the attackers’ task in crafting e-mails targeted to specific people. Sadly, we can only expect that these so-called spear-phishing attempts will soar.

 

Beware of Social Engineering Attacks
Security Architect, IntraLinks
POSTED ON July 29, 2010

Mushegh Hakhinian

In light of the upcoming “capture-the-flag type” contest at DEF CON, this is as good a time as any to talk about social engineering. There is no technical solution to this issue. Humans cannot be patched (I am paraphrasing from a t-shirt that I saw at a conference). So, we need to help people recognize a scam when they see one.

A CSO Online article covers the favorite ‘pick-up’ lines of social engineers. These and some stories shared by the publication’s readers are pretty instructive, so I will mention a few of them here for everybody’s benefit.

 