When Social Engineering Gets Physical

How your employees can be vulnerable to Physical Social Engineering (PSE) attacks

Thanks to the continued success of phishing, vishing, ransomware and other types of social engineering attacks… your employees continue to be the weak link in your security framework. While phishing and vishing are becoming more publicized, physical social engineering attacks—where the attacker is standing right in front of your employees—are still flying “under the radar.” Awareness of this fact is growing, and more and more of our customers want to include social engineering tests of their “human network” as part of the overall information security plan.

Here are a few examples of physical social engineering commonly used …

  • Tailgating Attack: Tailgating is a social engineering ploy by cyber threat actors to trick employees into helping them gain unauthorized access into the company premises. The attacker seeks entry into a restricted area where access is controlled by software-based electronic devices. Since only authorized people hold the authority to gain access, cyber-criminals simply trick or fool one of the authorized people by following behind him/her for entry. Some examples of successful tactics to be aware of:
  • Filling their arms in hopes someone will hold the door for them.
  • Sneaking in behind someone before a door closes or locks.
  • Planting a device to prevent a door from fully closing after opening.
  • “The IT Guy” Attack: Impersonating a third-party “IT Guy” is a common physical social engineering tactic. The hacker shows up at a facility pretending to be an IT support technician who’s here to check on a printer, copier or other network-connected device. In today’s “smart everything” world, many devices can “call home” to the vendor thru automated alerts, making these types of attacks highly probable & very believable. “I’m here to fix your slow internet” gets most people ready to let you in anywhere.
  • “The Cable Guy” Attack: Similar to the IT Guy Attack, a threat actor may also pretend to be a service technician that would normally need access to highly controlled spaces (i.e. cable, phone, electrician, HVAC, etc.). These spaces often prove to be very valuable because they have access to bypass normal electronic controls (i.e. firewalls) and are often unmanned, providing opportunity for an attacker to roam through the facility unnoticed.

  • These in-person hacks are less common than remote or automated attacks, but they nevertheless happen frequently and can be devastatingly effective. A few example results of a successful physical social engineering attack are:

    • Direct access to physical devices (physical theft or electronic tampering).
    • Uncontrolled access to network ports in offices, conference rooms, shared spaces.
    • Ability to plant “phone home” devices – for example under desks or hidden behind large multi-function printers.
    • Steal or copy/photograph physical documents (i.e. invoices, checks with account numbers, HR employee info, etc.)

    In the current information security world, physical cyber security really is the missing piece of the puzzle and without taking it seriously, companies are literally leaving the front door open for threat actors to walk straight in. This has not escaped the criminal profession either, with a higher probability for success, criminal groups are quickly adding this to their tactics with physical attacks rapidly on the rise.

    Find out how we can make your world more secure by calling us at 833-ALPHA-ONE or 334-245-3125.