4 Ways to Social Engineer Face to Face

by Michael A. Davis on March 10, 2010

While most traditional is used to exploit the vulnerabilities of the over phone or online communications, we can’t rule out the possibility that social engineering can be most successful when it is face-to-face (plus it is a heck of a lot of fun!). Even though it puts the social engineer at direct risk, it offers the most reward for their efforts since it gives them direct access to your company’s office and hardware.

For years now, forward-thinking companies have been performing their own social engineering to discover bugs in the human hardware. In these cases of face-to-face social engineering at your company office, these techniques can be divided into the following roles:

The Service Technician
The service technician is a social engineer who poses as a person with a legitimate reason to enter your office. They usually impersonate a service technician or repairman who has been hired to fix some company hardware, but they may also pose as co-workers, police, bankers, tax authorities, or insurance investigators. This kind of criminal will often take their time to investigate the right thing to say and who to ask for. In some cases, all they need is an authoritative, earnest tone of voice. After all, they only need to be able to fool your .

The Tailgater
The tailgater is someone who bypasses physical by allowing others to use their cards to let them in an office. The tailgater may simply grab the door before it closes as an employee enters the office, or they may casually ask an employee to hold the door for them. With a nonchalant tone of voice, many employees just assume that they are supposed to be there.

The Aggressor
The aggressor is not really a social engineer, but he does use his tricks while face-to-face with your employees. The aggressor simply attacks one of your employees to steal their security card, and then uses it to casually enter the building. The aggressor will investigate the around an office building to determine where the security cameras are and choose an unseen place to hide.

The Charmer

In 2007, a thief broke into the in Antwerp and made off with $21 million in diamonds. This single thief bypassed one of the most hi-tech security systems in the world not with brute force or an Ocean’s 11 level of complexity and organization, but with a stolen passport, a box of chocolates, and personal charm. The charmer, who was never caught, posed as a successful businessman and visited the bank frequently, befriending the staff and gradually winning their confidence. He even brought them chocolates. He ultimately gained VIP access and used his passcard to walk right into the vault he knew contained the uncut diamonds. If this charmer can successfully bypass a $2 million security system, what chance does your company have?

While it does put the social engineer at direct risk, face-to-face social engineering is obviously one of the easiest and most rewarding scams for criminals. If you are implementing social engineering assessments at your organization, make sure they do some face-to-face social engineering!
