THERE are criminals lurking in cyberspace, analysing your every move and waiting to attack.

It is all part of a sophisticated shift in the way hackers are gaining access to your personal details and money.

A new report from next-generation cybersecurity company Proofpoint has discovered attackers are tricking people into infecting computers themselves, rather than relying on automated exploit technology.

Vice president of Threat Operations for Proofpoint Kevin Epstein said the past 12 months have seen a plethora of social engineering attacks across email, social media platforms and mobile apps.

“People’s natural curiosity and gullibility is now targeted at an unprecedented scale. Attackers largely did not rely on sophisticated, expensive technical exploits,” he told news.com.au.

“They ran simple, high-volume campaigns that hinged on social engineering. People were used as unwitting pawns to infect themselves with malware, hand over key credentials, and fraudulently wire money on the attackers’ behalf.”

A recent example of social engineering is an ever-evolving phishing scam targeting mobile banking customers in Australia.

According to an alert from the Australian Communications and Media Authority, links to internet domains that closely resemble the legitimate URLs of Australian banks are being sent to customers across the country via text message.

If the URL is clicked, customers are presented with a fake website that is almost indistinguishable from the authentic page of their banking provider.

By using the service as they usually would, customers are unwitting accomplices in the hackers’ quest to steal their information and money.

“It appears that the criminals behind this campaign are constantly refining their messages and the associated fake imitation banking websites to increase their chance of success,” the ACMA said.

While our reliance on technology makes life easier, it also provides more opportunities for cyber criminals, who are becoming increasingly smart.

“Criminals have a financial and evolutionary incentive to improve their tactics on a constant basis and some of those tactics include compromising apps and sites, leading to more opportunities for exposure,” he said.

“Threat actors continuously assess and modify every aspect of their campaigns in order to adapt to changing defences and new user behaviours, including as a result of user education and adoption of new services and programs.

“While this may make it seem that threat actors are getting smarter or more aggressive, it’s really a reflection of their use of a sophisticated, adaptable ecosystem that excels at making the most of new opportunities.”

Making things even scarier is the fact these criminals are becoming so advanced, they are developing methods to ensure victims are attacked when they are at their most vulnerable.

“Attackers study the science of human behaviour at least as much as the science of code,” he said.

“Threat actors continuously use a combination of testing and free or underground tools to determine not only the most effective delivery times, but also which messages are most effective at reaching their targets.

“Like any business, they do multivariate testing and study the analytics of which lures result in the highest returns on their investment.”

In addition to mimicking financial institutions, there is a growing trend of cyber criminals posing as Australia Post to scam victims.

Using email addresses that appear to be from the service, the scammers contact victims with messages regarding undelivered postal items.

Through the use of subject lines such as “a courier did not redeem package” or “agent was unable to deliver the item to your place for the reason: the receiver was absent”, scammers attempt to lure victims.

Once the email is open, the cyber criminals will encourage the reader to click on the web link, log in and provide their personal information.

The Australia Post website warns this is not standard practice as the service will never send an email asking people to click an attachment.

It warns anyone receiving these emails should delete them immediately.

Mr Epstein said even though experts are getting better at recognising threats, they will continue to exist as long as there’s financial incentive.

“There will be cybercrime as long as there is a way to profit from stealing information online, and every individual and organisation are a potential target,” he said.

“Understanding that, we can move on to using intelligence, education and solutions to focus on threats, risks, and response.”

In terms of ensuring you don’t fall victim to social engineering attacks, Mr Epstein said the first port of call is to be wary.

“A healthy dose of suspicion towards any unsolicited email is a good first line of defence, especially if the message is from someone you do not know,” he said.

“If there’s a plausible reason for receiving the message, then verification can provide an important additional check: for example, check with your purchasing department to see if that invoice corresponds to an actual order.

“It’s also important to have a process with multiple checks in place in order to prevent unauthorised purchases or transfers — attackers are counting on people responding to the message’s sense of urgency to bypass both checks and suspicions.”