My Favorite Physical Social Engineering Examples & How to Stop Them
If you’ve ever watched the movie “Sneakers”, you may remember a scene where Robert Redford needs to get to the 4th floor of a building that requires badge access (If you haven’t watched it yet, please stop reading and go watch it now. I’ll wait.) River Phoenix’s character creates a distraction with building security – doggedly insisting on delivering an order that wasn’t placed – while Redford, hands full with a cake and balloons, loudly and frantically, insists that he can’t reach his badge. In the chaos, Redford angrily shouts, “Push the goddamn buzzer, would ya!” and the beleaguered security guard does just that without further thought and without confirming that Redford belongs there. This is an oustanding physical social engineering example, and it’s a fun movie.
What is Social Engineering?
Social engineering is hacking the human mind. It is the psychological manipulation of someone in an effort to get them to disclose confidential information or perform specific actions usually for fraudulent purposes. Phishing is one of the most common examples of social engineering, but it can take many forms – in person, by phone, through the mail, etc. Since we already have articles on how to avoid online social engineering ploys, we’re going to focus on prevention of physical social engineering in this article. (If you have not already read our blogs on phishing, spear phishing, and vishing, you should checking them out.)
At LMG Security, we perform social engineering tests to assist our clients in learning where their vulnerabilities are and how they can improve their security and train staff to resist social engineering. We’ve done phone (voice phishing = vishing) tests, email tests, and in person tests. We attempt to gain information that we should not be able to get, get employees to click on links, or gain access to secure locations. We’ve seen employees walk out with keys to the ATM, mobile phones, computers, and paintings. More than once, a member of our staff has been escorted to a bank’s vault and allowed to take photographs or wandered a secure building all day wearing an ID badge that looked nothing like her. (In one memorable case, the only reason the LMG team member was “discovered” was because he drank the last of the coffee and didn’t start a new pot.)
How Does Social Engineering Work?
Social engineering takes advantage of predictable human reaction and/or plays on human emotions. Here’s a simple phishing example:
“Your password is expiring. However, if you click the link below and log in to your account before the end of the day,
we’ll let you continue to use the same password.”
The attacker offered something the user wants: continue to use the same password and avoid the need to remember a new one, and created urgency: to get this ‘reward’ the user must click before the end of the day.
The goal of the successful social engineer is to get their target to react without taking the time to think. If we look again at the example from Sneakers, the security guard is faced with two men, both of whom appear frustrated and are looking to him to solve their problem. When Redford escalates and yells a solution – to push the button – the security guard does so without thinking. He was placed in a stressful situation, Redford created a sense of urgency, and offered the guard a simple solution to eliminate at least one of the problems confronting him. This is but one of many different tactics in the criminal’s arsenal.
My Favorite Physical Social Engineering Examples
Clearly, the physical social engineering techniques I mentioned from the movies, are some of my favorites. But, the easiest technique (and a favorite technique among our consultants during physical social engineering tests) counts on the natural human response to be helpful. Our social engineers – much like Redford – approach the badge-secured door with their hands full, either slightly ahead or slightly behind (a move called ‘tailgating’) an authorized person with their badge out. As the consultant approaches the door, he or she pretends to be attempting to reach into a pocket or bag for a badge while juggling the full load they are carrying. Most of the time, the person with the authorized badge will then hold the door for our consultant, even though they are not supposed to have access. And, Bingo, we’re in.
My next physical social engineer example uses a very different approach (and makes many of our consultants feel a little bit like Robert Redford). One of the more successful ways to get past security or reception desks during physical social engineering tests, is to appear to be engrossed in an angry conversation on a mobile phone while walking past. Most people are reluctant to interrupt or confront someone in the middle of such an intense conversation and will allow the person to pass without question.
Social engineers use a variety of “tools” to gain information or access they should not have, but the common thread through all is confidence. If you carry a ladder and wear a tool belt, very few people will stop to question you. If you carry yourself as if you know where you are going or appear to belong, people assume you do. If you speak (or write) confidently and with authority, people will follow your instructions. It’s important to understand the strategies and tricks used in physical social engineering, so you can avoid becoming a victim.
How Can You Combat Social Engineering?
Now we get to the meat of this article – which is not to tell you how to socially engineer someone, but to tell you how to help your team resist these scams. Since we already have several articles that focus on how to avoid social engineering online, we’re going to focus on physical social engineering prevention tips. If you have great online cybersecurity, but an attacker can just walk into your building, grab a laptop, and leave, you will still face a data breach. Implement these tips to increase your security:
- Set Expectations – Make sure that every member of your team knows that they have permission and the responsibility to question any person they do not recognize and ask for identification and the name of the member of your team who authorized their visit. Then verify with that team member. I don’t think many of our LMG team members will forget the day a new intern stopped our CEO and questioned her presence in the building (She had been speaking in another part of the country, and they had not yet met). The intern was mortified, but the rest of us lauded his diligence. Yes, even as an intern, he was expected to question strangers and he did exactly that.
- Create Processes – Should visitors be escorted everywhere? Do they have a particular visitor’s badge that they should wear at all times? Do they need to hand it in? Is it secured or destroyed once returned? How do you verify that visitors are who they say they are? Do you ask for ID? Should you call a team member who authorized the visit? If you see a phishing email, get a strange call, or find someone in the building, who should you notify? Make sure that everyone on your staff knows your processes and the answers to these questions.
- Provide Alternative Behavior – We were all taught from a young age that polite behavior means holding the door for someone. Unfortunately, that creates a security risk. Share polite but safety-conscious alternative behaviors with your employees. For example, if an unknown person approaches the door and can’t reach their badge because their hands are full, suggest that your employee offer to hold something while the person locates their badge. If the person claims that the badge is lost, teach your employee to escort them to security, or HR, or the appropriate place to get a guest or replacement badge.
- Write a Script – Provide a script for your employees so that they know what to say (or how to react) if someone is attempting to get information from them or gain access. Give them phone numbers to call, processes to follow, and straightforward messaging to deliver. “I’m sorry that I can’t hold the door for you, but I’d be happy to hold your bag (drink, etc.) while you find your badge.”
- Training – Practice the behavior through scenario-based training, online phishing training, and social engineering assessments. Provide regular reminders through emails, team meetings, chat notifications, posters, and more. Read this blog on what to include in your security awareness training, our blog on 3 ways you can quickly and affordably increase your cybersecurity, or more about our easy, turn-key cybersecurity awareness training for employees.
When it comes to security, employees want to do the right thing, but to do so sometimes it requires that they overcome years of ingrained behavior, and they want to avoid confrontation. Empowering them with the tools to respond will ensure their success. We hope you enjoyed these physical social engineering examples and we hope these tips help you to build a stronger security culture within your organization.
Finally, I can’t resist sharing a video of one of the best social engineers I know, Rachel Tobac. In this video, she easily demonstrates the art of social engineering by hacking a CNN reporter’s life: