Credibility #1: Knowing your name. Credibility #2: Knowing what department you work in or interact with. Credibility #3: Basic knowledge of your technology usage (to impersonate a vendor). Credibility #4: Knowledge of personal and/or professional relationships to impersonate mutual friends or colleagues. Credibility #5: Incorporating environmental sound clips to enforce life-like situations; e.g., playing the sound of a crying child in the background of a phone call.

All of these sources provide information that the hacker can use to create an opening, and when they have finished their research the organization will make contact. In an elaborate scam, the hacker might develop a relationship with the victim that lasts for weeks. They use their knowledge of the target to build trust or, in some cases, inspire fear. (It is not uncommon for hackers to blackmail their victims or prey on financial insecurity.) Eventually, either way, the victim drops their guard.

The bigger worry is attacks that last for weeks, months and even years, undetected until an external entity calls to notify the victim that they’ve been compromised. Hackers who go unnoticed and undetected aren’t attacking for fun or to fulfill some cyber-sexual urge; they’re attacking because it’s how they make their living, and they’re good at it.