Published: March 23, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
Social engineering is a method of using human interaction to convince people to break their normal security processes. It can utilize technology, but that isn’t necessary in order to reach a goal. It’s been around since the beginning of time and although it has a modern name, it really is just a game for hackers. When people hear the term Social Engineering, it’s likely they think of email Phishing attacks. While remote social engineering attacks are extremely popular, what people often forget is that on-site social engineering attacks can be just as dangerous and in many cases, just as easy for a criminal to pull off.
An on-site social engineering attack is when a criminal physically comes to a facility and using deceptive behavior finds a way to gain access to the facility, gain access to sensitive items or information and then leave the facility without anyone ever catching on to the attack.
Who uses social engineering tactics and why? A social engineering criminal is not necessarily the stereotypical hacker sitting in a dark room at a computer. Now nation-state actors, curious kids, identity thieves and terrorists alike all use social engineering tactics and strategies. The motivation is varied for whomever is performing the activity, but the most obvious is for financial gain. However, others could be self-interest, such as modifying information about themselves that would be otherwise detrimental or changing it to something beneficial to them. It could also be for political gain or in many cases to get revenge against an organization an individual believes has done them wrong.
Your Desk Area Is Not Just Your Domain When it comes to keeping your organization / facility secure, the most important place is to start with your desk. You see, depending on the access to information that you have, what is contained on your computer or that could be placed on your desk might be exactly what a criminal is looking for. Even if you don’t personally have access to private / confidential information, that does not mean that your desk is safe from putting everyone else at risk. Obviously, your desk itself is not going to be the problem; it is everything that is on, around or in your desk that creates the issues and in this article we are going to focus on the biggest areas of risk and what you can do to avoid falling victim.
Let’s Talk About Those Phones A social engineering trick that is often used by criminals once inside a facility, and that is gaining traction, is to carry their mobile device around in their hand. While it simply appears as though they are just holding their phone, in reality their phone’s camera is turned on and they are recording a video. This allows the criminal to walk by desks and simply hold their phone over any documents that have been left laying out. This can be done very casually and unless you’re specifically watching for this type of attack, you likely would never even notice. If you think about an office full of employees with potentially confidential information on monitors or printed out laying on desks, you can see how a person walking around filming everything could gather a large amount of private data very quickly.
When you walk away from your desk, never leave out any documents containing confidential information. Even when you’re sitting at your desk, if you are not using certain documents, turn them over so the data is face down. In addition, if you have the ability to lock the drawers on your desk, make sure you put any documents containing confidential information into those drawers and lock them before you leave for lunch or to go home for the day. And when escorting visitors, if they are holding their phone, simply ask them to put it away. It’s a simple request that will greatly increase your organization’s security.
Your Computer Should Not Be An Open Book Your computer is a threat to the organization and no matter what access level you have. Simple mistakes can put your organization at risk. By now it’s pretty safe to assume that you understand there are risks with emails and when you browse on the Internet, but you might not realize that even when your computer is simply sitting on your desk, it could be putting the organization at risk.
When I am hired to break into a facility, one of my goals is to gain access to the computers of the users in that facility. If I see a person get up from a desk and walk away, I immediately walk over to that desk and see if the computer was left logged in. If so, I open a web browser and head to a webpage that I have created and set up on the Internet. When the browser lands on this webpage, malware is quickly installed on the user’s computer. It takes only seconds. I close the web browser and walk away.
When the user returns, they have no idea that anything has happened. From that point on, I now have access to that person’s computer and whatever they have access to, no matter where I am in the world. If I am lucky, the user has access to confidential information, which now means I have that same access. But even if the user turns out to have limited access, I still have access to their email. That means I can now use their computer to contact other people in the organization on their behalf, sending malware to users. And because the emails are coming from someone they trust on an internal computer, I have a much higher probability that the recipients will click links or open attachments which will lead to the compromise of their computers. This means that if even just one employee leaves their computer logged in while I am in the facility, eventually I will be able to compromise many other computers using this technique.
Fortunately, this is quite easy to prevent. When you leave your desk, lock your computer. It takes one second and it prevents anyone else from having access. It does not matter how long you plan to be away; five seconds or five minutes, no matter what, lock your computer. It really is that simple.
Location, Location, Location In some facilities, customers are required to walk by certain desks to access public areas. For example, restrooms that are located in one area of the facility and require customers to walk by employee desks to get to those restrooms. If you sit at a desk that can be easily seen or accessed by the general public or in a high traffic area, then you are sitting in a high-risk area and need to be even more cautious. Avoid ever leaving any documents on the desk that contain private or confidential information and install privacy screens to monitors so people passing by are unable to read what is on the screen. Also, confirm that visitors cannot overhear confidential conversations either in meetings or by employees on the phone. If a visitor is required to be in an area for an extended period of time, employees should move to other areas if they are to carry on conversations that involve confidential information.
It's important to remember that while your desk might be your personal space at the office, for a criminal your desk is a treasure-trove of potential. All it takes is a simple mistake and just a few seconds of time for a criminal to put your entire organization at risk.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org