Scammers working overtime trying to hack Hoosiers, security expert says

INDIANAPOLIS, Ind. – Cyber thieves are working to hack into Hoosiers’ personal accounts.

Rook Security, out of Carmel, showed CBS4 some of the new ways scammers are scheming.

“I would say 99 percent of attacks come via email,” said Tom Gorup, who provides security operations worldwide.

He performs simulation exercises and penetration tests for companies to show them what their weaknesses are.

“We’re getting much better crafted phishing attacks compared to five or ten years ago,” he explained.

Gorup pulled up a page where a user would typically be sent if another person tried logging into their email account. On the page was an alert, claiming the account was compromised. It prompted the user to enter their email address and password.

“Is there anything that stands out to you?” Gorup asked CBS4 anchor Angela Brauer.

The browser bar read, https://, indicating a “secure” site, and there was a green tab at the top left reading the word, “secure.”

“Traditionally, we’ve been teaching people to make sure there is a green pad there,” Gorup pointed out.

With a careful inspection and a double take, it appeared that the browser bar read, not Gorup nodded his head.

“It looks like a legitimate email,” he said.

Gorup, being a professional “good guy” hacker, said he set up the page within minutes. He said he could send it out to thousands of people within a half hour.

The biggest problem, though, is that if a person were to fall for the fake site and enter their personal account information, they would be forwarded to their email account like normal. They would have no idea that they just gave away those details.

“If I use ‘password123’ for my banking, as well as my email and credit cards, that is the first thing an attacker does,” Gorup explained. “They have this automated where once they get these credentials they’re hitting Chase, Citibank, all these different ones to see which one works and then they can start taking dollars.”

Gorup said phishing schemes are coming by phone call and text messages now, too.

“We should be teaching this in schools,” he said.

Gorup said schools need to have a safe surfing course teaching kids how to secure themselves. He added that hackers also use social media. In some instances, they’ve hacked into one person’s account and blackmailed others for their information.

Gorup suggests using a password manager to come up with unique and different passwords for each account. He also recommends never clicking questionable links. If people do fall for a fake, Rook Security insists that they change their passwords right away.