October 14th, 2021

Onsite Social Engineering: Up Close and Personal - WST

Most everyone is aware of phishing, vishing, and other forms of electronic social engineering. It’s important to remember that social engineering can occur in-person as well. Responding appropriately in these situations can be an important part of an organization’s security stance.

Some common forms of in-person social engineering include:

  • Pre-texting: Pretending to be someone else, with a plausible scenario. These kinds of attacks can take advantage of a person’s good nature or accommodating customer service. A threat actor may use fear, confusion, or even compassion while attempting to generate a harmful action, which could be as simple as getting someone to visit a malicious website under false pretenses.
  • Tailgating: Following behind someone to gain access (hold the door!). This may be combined with pre-texting (a delivery person, or a false vendor) to gain access to controlled areas.
  • Baiting: Trying to entice someone to take an action that appears beneficial. This could be USB drives left in a common area, containing malicious content. It could also be literature with links to topics of interest that are actually malicious websites.

How to reduce these risks?

  • Default to being safe (deny access). If a situation seems out of the ordinary, be suspicious. Unannounced/irregular visits should generate suspicion. You can ask for a business card or other documentation, but DON’T go to any links presented – such documents can be easily faked and may contain malicious links.
  • Verify who a visitor is AND confirm with their contact at your organization. Verify IDs. Ask who the visitor’s contact is for the visit, and then verify before going any further. If the visitor doesn’t know or doesn’t have a contact, that’s a problem – they should most likely have one.
  • Get help/escalate. It’s always a good idea to escalate and get help if you are unsure or “feel funny” about a situation or a person. Get a manager or supervisor, or even another co-worker to help you assess the situation.
  • Watch out for pressure tactics. Pressure doesn’t have to be “mean” – it can come in different forms. Hurry, urgency, fear (on the part of the visitor), or trying to generate compassion can be effective techniques. Smooth talkers are out there, too.
  • What’s in a name? A prepared malicious actor may do research beforehand, trying to get names and positions of people within an organization, and may play a name-dropping game to gain trust. “Well, if the visitor knows that person, they must be OK, right?” Be wary.
  • Escort/keep an eye on the person. Even if a visitor is just waiting in the waiting area, keep track of what they are doing, and where they are going. They may try to tailgate into more secure areas. Even if it’s a legitimate visit, don’t let the person be alone in your facility – consider keeping an escort with them.
  • Consider over-communication. If everything seems legitimate, and the visit proceeds, consider communicating again about the visit to a manager or supervisor.

It’s always better to slow a situation down and confirm appointments before granting access, even if a visitor must wait longer or come back later. Follow your visitor management procedures and stay safe.



Authored by: David Bentley, CISSP
