What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
What's Up with Tech?
How Data Brokers Fuel AI-Driven Social Engineering
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Interested in being a guest? Email us at admin@evankirstel.com
Personalized phishing is no longer “spray and pray.” It’s targeted, multi-channel, and increasingly powered by exposed employee data that’s sitting in plain sight. We sit down with Paul Mander, Chief Commercial Officer at Optery for Business, to unpack what’s driving the next wave of AI-driven social engineering and why so many security teams are rethinking where the real attack surface begins.
Paul walks us through eye-opening survey findings from more than 400 cybersecurity leaders: social engineering attempts are rising sharply, most attacks are moderately or highly personalized, and a large share of those successful attempts lead to credential compromise. We also dig into why there’s no single channel to defend anymore. Email still matters, but attackers are mixing phone calls, SMS, social media, and impersonation to make their stories feel “verified” from multiple angles.
The biggest shift is where attackers get their homework done. Data brokers and people search sites compile dossiers that include phone numbers, home addresses, relatives, employment history, and even org chart details that help threat actors pick high-leverage targets. We talk about why IT, HR, and finance often take more heat than executives, and what practical teams can do today: strengthen MFA and training, then get proactive by finding and removing exposed PII through opt-out and deletion workflows at scale.
If you’re a CISO, IT leader, or security practitioner trying to reduce phishing risk, social engineering risk, and account takeover risk, this is the playbook for treating privacy exposure as a core cybersecurity control. Subscribe, share this with your team, and leave a review with the one data source you think attackers rely on most.
More at https://linktr.ee/EvanKirstel
Why Social Engineering Is Surging
SPEAKER_01Hey everyone. I'm really intrigued for this discussion today as we talk about the next wave of phishing and missing and AI-driven social engineering attacks that are being fueled by a lot of things, including exposed employee data. We're talking to a true expert innovator in the field from Optory. Paul, how are you?
SPEAKER_00Doing well, Heaven. Thanks for having me on.
SPEAKER_01Great. Well, thanks for being here.
Meet Optery And The Problem
SPEAKER_01Um before we dive in, if you could introduce yourself, your journey, and uh how do you describe Optory these days?
SPEAKER_00Yeah, so uh Paul Mander, I'm chief commercial officer here at Optory for Business. And my journey, so I've had numerous go-to-market leadership roles at different companies in the ad tech and the marketing technology space. So I spent many years helping businesses use data and personal data for all things advertising and marketing. So during that time, I learned how data traverses the internet and gets to places, uh, and in this case, in today's day and age, it gets to places that you really don't want it to from a security perspective. So I'm excited to be here on now at Optery on the other side of this and helping solve the problem created by that personal data traversing the internet and going to places that uh you don't want it. So, what does Optery for Business do? We help organizations close a major security gap, and that is that expose employee data on data broker websites. Uh this security gap because threat actors use that information to identify their target and then conduct the and use it to conduct the social engineering campaigns across various different channels. So, what we do is we help organizations reduce the risk around that exposed information by submitting opt-out requests at scale and and reducing the attack surface that's made available uh that's exists because of the this personal data being made available.
SPEAKER_01Amazing. And uh I've been the victim of social engineering attacks, and it's uh not fun. Uh, it's pretty scary stuff.
Survey Findings That Change Priorities
SPEAKER_01Um you recently completed a uh a sort of survey on social engineering in the enterprise. Um I took a quick look, pretty eye-opening findings. But what surprised you and the team most?
SPEAKER_00Yeah, there were a few things, right? So the survey went out to about 400 different, over 400 cybersecurity leaders across uh mid-market and enterprise companies and mostly senior leaders. So these are folks that are really on the front lines, if you will. They're the types of organizations that are being targeted and attacked quite a bit. Uh there were a few things that really jumped out. I think the first was 96% of respondents, so that's pretty much everyone we surveyed, reported an increase in social engineering attempts within the last 12 months. And and of those 96%, uh 90% almost said that those social engineering attempts were moderately or highly personalized. The other, and as we dug further into the data, uh a few other things, uh, the the ones that so of those almost 90% that uh you know who were attacked with those highly or moderately personalized attacks, 74% of them said that those social engineering attacks led to credential compromise. So that means the majority of the ones that when they were attacked and the attacks were successful, there were consequences for organizations in terms of credentials, compromised credentials. The other thing that jumped out at us in the survey was there's no single channel that dominates, right? Traditionally, people think of phishing uh emails, and and it was really uh it was uh no single channel dominated. It was pretty split across email, uh, phone, SMS, social media, impersonation. So I think it was telling us that people are seeing that this isn't just an email or a phishing problem, it goes across multiple channels. And and the last thing, and I think this was this was the thing for us at Optree that we were really uh believed, and it was good to get see data that confirmed this, is that the the enterprises said that the data brokers and people search sites were the most significant source of attacker intelligence for the threat actors. So these this means people get what this problem is. Traditionally everyone thinks, okay, it's the dark web or so you know, data being available on social media is a bigger threat. Those weren't the biggest sources for attacker reconnaissance. It's data broker data, and the industry uh is realizing that is understanding the threat that these data brokers pose.
Data Brokers As Attacker Intelligence
SPEAKER_01You hear this term data brokers. Who are these shadowy data brokers? Uh don't have names that any of us would recognize. And what exactly makes them such a gold mine for attackers?
SPEAKER_00Uh yeah, there there are certainly ones that are shadowy, like you you uh like you said there, right? There's uh you know a shell company of a shell company of a shell company, and you need someone like Brian Krebs to find out who exactly works there. But there's others that are legitimate publicly traded companies that that are operating in an honest way as well, right? Uh someone like a Zoom Info is a company I think many people have heard of. So, but uh no matter whether they're shady or legitimate businesses, but data brokers are companies that compile detailed dossiers of personal information on people. So these are things like people's names, addresses, phone numbers, uh for companies that are org charts, um, people's names of people's relatives and and such. And they sell that information. And that data and in the act of selling that information, it's often put on their website and then indexed by search engines and LLMs. So it's very easy to find this data. So because of how easy it is to find this data, then data brokers pose this big threat uh for social engineering attacks. How so? If you're a threat actor and you want to conduct a social engineering attack, I gotta find out where you work. Okay, maybe I can go to LinkedIn, sure. But then I need to know how to contact you and then how to make my message convincing. So that's when the content of these data broker profiles uh create such a threat for enterprises, in that now threat actors can create very detailed messages and know their entire company's org chart and rapid fire these social engineering attacks.
SPEAKER_01Amazing.
Which Exposed Details Matter Most
SPEAKER_01And what what kinds of exposed data are some of the biggest red flags? Obviously, phone numbers are key. Phone numbers are tied into everything uh almost these days, home addresses, easily found, I guess, family connections, social profiles, what what else?
SPEAKER_00Yeah, honestly, I don't know if I would say there's a hierarchy. Everything out there has a risk, right? So, in the from the B2B perspective, uh there's companies that publish org charts. And that for a threat actor who's looking to conduct social engineering against an enterprise, knowing the org chart, knowing who reports to who, that's a proxy for understanding, okay, who would have if I breach this person, they would potentially have access to this type of information, right? There's other data brokers that have the names of people's relatives, uh, so your spouse, right, your kids. And okay, maybe for a social engineering attack on the service, you're like, ah, that's not good, but how will that help? But an enterprise social engineering attack, well, often people use those things as passwords, right? Or uh at a personal level, certainly uh identity challenges are you know, mother's maiden name and those sorts of things. And if people who answer those questions honestly, it poses that sort of risk. Uh obviously, like you said, phone numbers, email addresses, home addresses, those are the direct means by which to contact and find people. But all these data points, um, your employment history, all these data points can be used in some way, shape, or form for social engineering, because even if it's not a way by which to contact someone, I have this information about you. And if I'm trying to craft a social engineering attack, this information can be used to make my message more convincing or to help me impersonate someone you may know. I was like, oh, this person knows me and they would know this thing about me uh based on my employment, right? The data broker may have given me this one piece of information about my past employment, and I can then connect other dots as a threat actor to make my message more convincing.
SPEAKER_01Scary
Privacy Shifts Into Cybersecurity
SPEAKER_01stuff. So privacy, security are kind of two sides of the same coin. I haven't actually worked in a large enterprise in 10 years, but what is the state of play these days with employee privacy? Is this still treated separately from security? Or are they, you know, companies starting to look at all aspects of these things?
SPEAKER_00Yeah, I, you know, that was uh from the survey, I think it's clear that we have moved beyond that, okay, this is a privacy thing and not a security thing. Uh academically, there was always that conversation well, privacy is security. And I say academic, because it's not wrong in and of itself, but in practice, I don't think it was ever put into practice. But this is clearly being viewed as a cybersecurity problem now because of the fact that the availability of data is in and of itself the security risk, right? If this data was not available, it's I don't want to say it's impossible, it's certainly not impossible to do without this data, but it's definitely more difficult to conduct a social engineering attack without the availability of this data. So it there are privacy benefits for people being protected by it, but it is certainly a security issue. And I think the biggest telltale sign of that is that the budget for attacking this personal data problem is coming from the cybersecurity budget. It's not coming from a compliance budget or anything like that. Uh so when the businesses put their money where their mouths is mouths is, then that then you know the things are shifting.
SPEAKER_01Interesting.
Who Attackers Target Inside Companies
SPEAKER_01And I assume many employees can be at risk. It's it's not just executives. Typically, that was the juicy target, but you know, people in operations and and security themselves, right?
SPEAKER_00Yeah, that was you know, that's certainly something I I've mused quite a bit about in in many different forums. Uh, traditionally, this hey, will action thing for enterprises, and the reason for that is absolutely more related to physical security. Executives are the public face of the company, and if someone has a disagreement, they might come and dox or harass the executive or their families. So historically, it was these this sort of solving, this desire to solve this data broker data problem was limited to executives. Uh, but the fact is, and the survey data showed that attackers are in fact executives were the fourth most targeted uh role in the survey. We uh IT was number one, HR was number two, and finance was number three, then executives. And and the reason for that is that the attackers really they're looking for access, relationships, operational leverage, right? The uh IT, of course, has access to you know privileges, uh uh source code, right? Those sorts of things. Uh obviously HR has all the some of the juiciest data at any enterprise about people the actual people there and who's there. Uh the finance team often targets of fake invoices. They can move money, right? So they're always going to be targeted. And then executives, of course, yeah, they have access to a lot of privileged information. And the joke, joke I always made as well is that you know, executives never really answer emails or phone calls anyway, right? I mean, if you work with executives, they're always hard to reach. So I think maybe attackers perhaps realize that as well. But you know, all kidding aside is uh, yeah, it traditionally what has been executives and um uh you know, but the data showed that other groups are being attacked. And I think the you know, at this point, companies are just beginning to realize this and think of it not just as an executive protection problem, but let's think about which of these groups uh pose the greatest risk for the company and expand its protection beyond executives.
How Optery Removes Data At Scale
SPEAKER_01Fascinating. Um so talk a little bit about Opera for Business. Uh you know, if you want to get proactive, not just reactive here. How do organizations work with you and how should they start?
SPEAKER_00Yeah, so what we do at Opera for Business is we have patented technology that will continuously scan these data broker websites for instances of personal data. And then at scale, we will submit opt-out or deletion requests to get that data removed. So that effectively, uh I meant alluded to this earlier. You know, a lot of enterprises think about the attack surface and are thinking about their endpoints and uh the the you know the website and other ways you can get their infrastructure. But this personal data is really part of the enterprise attack surface because these are the entry points for social engineering attacks. So by working with Opera for Business, it's really saying we're thinking about our attack surface that to include this exposed employee data. And it, as you said, it is being proactive, right? By removing this data, you're making your enterprise not as easy a target for social engineering, right? Because if we, you know, we're we're many minutes into this and we haven't said the word AI yet, right? And it's it's 2026, and I guess that's maybe not allowed, right? But AI is, I think, another big piece of this. We we certainly use AI to submit some of these opt-out requests at scale. And um, but AI also makes this a bigger threat for enterprises, and uh because now threat actors can leverage AI and create uh social engineering attacks of speed and scale that they've never what we've never seen before, with way less technical sophistication that was required before. So um by yeah, by partnering with uh with Opera for Business, it's about uh being proactive, as you as you mentioned, and and reducing that PII-based attack surface for enterprises.
SPEAKER_01Interesting.
What CISOs Can Do Today
SPEAKER_01And in addition to that, I mean, what other words of wisdom or takeaways can you offer CISOs or IT teams, security teams? What can they get started with today if this is an area they haven't, frankly, even considered?
SPEAKER_00Yeah, I mean, you know, of course, do the things that I think many people are already doing with uh and what people traditionally think of when they're defending against social engineering and breaches that may result from it. Deploy MFA, deploy email security tools, do the user training, uh, and then start thinking proactively, as you said. So start playing offense. And the way to start doing that is understand where this data is exposed and don't just limit the thinking to executives, as is as the survey data showed, right? Executives are only the fourth most targeted group. Uh, think about what are the highest risk roles at your company, and depending on the type of company you are, there might be some other types of roles that a healthcare company, someone who has access to PHI is a role that's higher risk, right? So think about the highest risk roles at your company and treat their exposed data as part of your tax surface, just as you do those API endpoints and uh and so forth.
SPEAKER_01Well, fantastic advice.
Events Product Roadmap And Wrap
SPEAKER_01Really important mission. What are you uh up to the next few weeks, month, couple of quarters? What's on your radar? I assume you're out in the world at events and meetings and other get-togethers getting the word out.
SPEAKER_00Yeah, uh, yeah. I think the the next big one for us is we'll be at the GSX conference uh in in mid-September, the Global Security Exchange down in Atlanta. So we'll we'll have a presence there. And uh yeah, we're working on some new product releases as as well and better data and better reporting of uh uh around the exposures and the removals that we're doing, and constantly adding more support for additional data brokers. So quite a few you know interesting things we're working on here at Optery, and yeah, hopefully we'll you know see people around at TSX.
SPEAKER_01All right. Well, important work. Thanks for what you do, and uh good luck to us all, onwards and upwards. Thanks, Paul.
SPEAKER_00See ya.
SPEAKER_01And thanks everyone for you know listening, watching. Also check out our TV show, techimpact.tv monthly on Bloomberg Television and Fox Business. Thanks, everyone.