In-person social engineering threats during COVID still have us concerned.
This is Part II of a three-part series on the cybersecurity risks presented by social engineering.
Part I: Social Engineering – Email and Phishing
In this era of social distancing, we’ve become more reliant than ever on technology to communicate, and social engineering techniques are creating heightened risks from a cybersecurity perspective. Social engineering is broadly defined as the use of deception or manipulation to lure others into divulging personal or confidential information, or into taking an action that benefits the attacker. Cybercriminals use social engineering to harvest login credentials, financial information or other personal data that can then be used for profit, ransom, or as a wedge to open even further security holes.
In part two we discuss in-person social engineering threats. With many businesses closed, on shortened hours or on split shifts, in-person social engineering attacks are far less frequent than usual; however, the concern is still real because of heightened anxiety and the dramatic changes to the routines we’ve come to know. Fewer people in the building also means fewer people to notice a stranger.
Here are some of the most common in-person risks, and how to mitigate them:
Tailgating: This approach is used by attackers attempting to gain access to a secure office or other facility. The individual may be carrying parcels or equipment, hoping that a friendly person will hold the door for them on the way into an office. Once inside, the attacker can attempt to access individual computing equipment, drop USB devices (see more on this below), plug a device into the network, or conduct more routine theft or vandalism.
Impersonation: Tailgating will often be accompanied by impersonation. The attacker may wear a security uniform, a courier outfit, a supply delivery uniform, or other branded apparel in an effort to convince reception to allow facility access. Attackers posing as service technicians can claim to have been called to repair an HVAC system, electrical equipment, or computer technology in order to gain access to a network wiring closet, server room, or other sensitive area. From there, they can launch attacks, steal equipment, or cause damage. Confident scammers may also simply come in a suit and tie: the air of professionalism may cause people to let their guard down, never guessing that a con artist is at work.
Once in the facility, scammers can attempt to join local Wi-Fi networks, or connect to wired networks through an unsecured network jack. Some offices have courtesy jacks in reception areas or meeting rooms; unless these are disabled when not in use, placed on an isolated guest network, or protected by port-level authentication, they give a visitor a direct path onto the internal network.
Some defenses against tailgating and impersonation:
· Encourage your workplace to have a visitor badge system. Anyone accessing your facility should have dated credentials that are returned when the visitor leaves.
· Never allow a guest to have unescorted access to the facility. Savvy social engineers will drop the name of a staff member and ask to head into the office to find them; this is trouble. Instead, always insist that the visitor wait at reception and be received personally by their host.
· If there is an unfamiliar person in your facility, or someone without appropriate credentials, approach them to (delicately) challenge their presence. Don’t be adversarial, of course: simply offer assistance and enquire who the person is, or with whom they are meeting. Assess the response, validate it, or contact HR or security if you have concerns. Authorized guests and service personnel will not be offended by a double-check; they should appreciate that you are being attentive.
· Always direct someone who claims to be lost to a reception desk or security concierge where they can wait for assistance.
· For surprise service calls, determine who placed the call, or contact the service organization directly (using a phone number you already have on file, not one offered by the visitor) to validate that a call was placed.
Eavesdropping: Always be circumspect in your discussions on an elevator, on public transit, or in other common spaces. Details harvested from these casual conversations can be turned into intelligence for a later attack, such as a convincing phishing email or phone call. Even conversations within an office or work facility can be overheard by passing visitors: avoid hands-free or speakerphone conversations unless you are in a closed office or meeting room.
Shoulder-surfing: Having people peek at your computer or phone screen is a concern when using devices in public places. Particularly if you are logging into an account or accessing sensitive materials, take an extra moment to ensure no one is immediately behind you watching what you are doing. This could be at an ATM, on a mobile device in an elevator or on public transit, or in a common area like a breakroom, coffee shop, or airport. (And while it’s not a social engineering issue, this is an excellent time to remind everyone not to use public Wi-Fi services for sensitive logins or to review confidential information. The security on public hotspots may be poor, and anything you send that is not protected end-to-end, for example by TLS or a VPN, may be visible to others on the network.) Shoulder-surfing or casual screen viewing can happen in a home office or workplace environment as well: never leave your screen unattended and unlocked. Consider a privacy screen for your computer, or even your mobile phone, depending on how you use these devices. Finally, be extra cautious about posting your home office activities on social media. With many people working remotely, there have been numerous accounts of people posting selfies of themselves in their home offices, with sensitive materials on their computer screens! That’s shoulder-surfing on a massive scale.
USB Drops or Baiting: This technique is increasingly rare, but it is still a tactic used by social engineering attackers. Here, a USB device is dropped in a parking lot or common area, or left on a table. The device may be labelled with something enticing, or, more commonly, left blank in the hope that the finder will insert it into their computer to view its contents. Once connected, the device may install malware, scan the host and the network it is attached to, or present itself to the operating system as a keyboard and type commands. In rare cases, so-called “USB killers” can even damage the USB port and surrounding circuitry by discharging a high-voltage charge when plugged in. Defending against a USB drop is very straightforward: don’t plug in the USB drive! If there is genuine concern that a dropped USB could belong to a colleague, pick it up and hand it in to a lost and found or reception desk with the date, time and location of the discovery, without connecting it to anything. The person who lost it can come back to claim it; otherwise it never gets an opportunity to cause any problems. If a found drive must be examined, that should be done by the security team on an isolated machine, never on a workstation connected to the corporate network.
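Awareness is the first line of defense, but a security team can also watch for the moment a dropped drive actually gets plugged in. The following is an added example, not code from the original post: a small Python parser that reads kernel log lines in dmesg style, reconstructs each newly attached USB device from the messages the USB core and the usb-storage driver emit, and flags any mass-storage device whose vendor/product ID pair is not on an assumed allowlist of company-issued drives. The sample log lines are constructed for this example (a flash drive on port 1-1 and a wireless mouse receiver on port 1-2), and the allowlist is a hypothetical local policy, not something the article describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample kernel log lines in dmesg style (not captured from a real
# host). The first device is a flash drive, the second a wireless mouse receiver.
SAMPLE_LOG = """\
[ 1203.441] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[ 1203.590] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 1203.590] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1203.591] usb 1-1: Product: Ultra Fit
[ 1203.591] usb 1-1: Manufacturer: SanDisk
[ 1203.593] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1204.612] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[ 1310.100] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[ 1310.230] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
[ 1310.231] usb 1-2: Product: USB Receiver
[ 1310.232] usb 1-2: Manufacturer: Logitech
"""


@dataclass
class UsbInsertion:
    port: str              # kernel bus-port path, e.g. "1-1"
    vid: str = ""          # idVendor, four hex digits
    pid: str = ""          # idProduct, four hex digits
    manufacturer: str = ""
    product: str = ""


# Messages from the USB core and the usb-storage driver. The port path is the
# key that ties the separate lines for one device together.
NEW_DEVICE = re.compile(r"\busb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"\busb (?P<port>[\d.-]+): Product: (?P<val>.+?)\s*$")
MANUFACTURER = re.compile(r"\busb (?P<port>[\d.-]+): Manufacturer: (?P<val>.+?)\s*$")
# usb-storage logs the interface path ("1-1:1.0"); only the device part is kept.
MASS_STORAGE = re.compile(r"\busb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
DISCONNECT = re.compile(r"\busb (?P<port>[\d.-]+): USB disconnect")


def find_mass_storage_insertions(log_text: str,
                                 allowlist: FrozenSet[Tuple[str, str]] = frozenset()
                                 ) -> List[UsbInsertion]:
    """Return one UsbInsertion per mass-storage device that appeared in the log
    and whose (idVendor, idProduct) pair is not on the allowlist.

    The allowlist is an assumed local policy (e.g. company-issued encrypted
    drives); anything else that registers as mass storage is flagged.
    """
    pending: Dict[str, UsbInsertion] = {}   # devices seen but not yet classified
    flagged: List[UsbInsertion] = []
    for line in log_text.splitlines():
        if m := NEW_DEVICE.search(line):
            # A new device on this port replaces whatever was there before.
            pending[m["port"]] = UsbInsertion(port=m["port"], vid=m["vid"], pid=m["pid"])
        elif m := PRODUCT.search(line):
            if m["port"] in pending:
                pending[m["port"]].product = m["val"]
        elif m := MANUFACTURER.search(line):
            if m["port"] in pending:
                pending[m["port"]].manufacturer = m["val"]
        elif m := MASS_STORAGE.search(line):
            # The kernel emits this after the descriptor lines, so the record
            # for this port is complete by the time we get here.
            dev = pending.get(m["port"])
            if dev is not None and (dev.vid, dev.pid) not in allowlist:
                flagged.append(dev)
        elif m := DISCONNECT.search(line):
            pending.pop(m["port"], None)
    return flagged


if __name__ == "__main__":
    for dev in find_mass_storage_insertions(SAMPLE_LOG):
        print(f"ALERT: unapproved mass storage on port {dev.port}: "
              f"{dev.manufacturer} {dev.product} ({dev.vid}:{dev.pid})")
```

Run against the constructed log, only the SanDisk drive is reported; the mouse receiver never triggers the usb-storage line and so is ignored. In practice you would feed the parser from `journalctl -k` or a log shipper rather than a string literal, and the allowlist would be the inventory of drives the organization actually issues. The check does not catch a "USB killer" (there is nothing to log once the port is destroyed) or a device that registers only as a keyboard; those need physical controls or USB device authorization policy on the host.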
The bottom line: be aware of your communications and use of technology at all times.
You never know who might be watching or listening in.