Being Physically SE'd
Be Mindful Of Physical Social Engineers.
When you read about social engineering methods and techniques, be it while browsing across multiple websites or actively taking part in a community such as an Internet forum, for the most part they relate to executing attacks on victims via phone, chat or email. The reason for this is quite obvious: the target is simply not within physical range to perform the SE. And even if they were, a lot of SE'ers feel more comfortable and confident social engineering by (for example) phone than through face-to-face communication. However, did you know that physically social engineering someone is in fact a lot more effective than the aforementioned gateways? How so, you ask? Well, an elite SE'er can grab your credit card details, driver's license and possibly a handful of cash in less than 30 seconds! You may find this hard to believe, but let me assure you that you can fall victim at any given time. As such, the purpose of this article is to make you aware that not everyone you happen to come in contact with is who they claim to be, and to that end I will demonstrate how simple it is to SE you in person. So let's have a look at a few of the most typical and effective types of physical SEs, and how the attacks are performed.
How Physical Social Engineers Operate:
* Door-To-Door Salesmen.
No doubt there are honest salesmen looking to make a living, but this role is also used by SE'ers, and it is the most effective at grabbing your personal details. How many times have you answered a knock at the door to a salesman offering a deal so cheap that you signed up there and then, filling out a form with your full name, date of birth, phone number and credit card details? From a social engineer's standpoint, your identity has been built from the ground up within the hour, and you can say goodbye to whatever funds you had left on your credit card.
* Passerby Asking To Use Your Cell Phone.
So you're walking home from work on a Monday afternoon when a gentleman dressed sharply in a suit and tie approaches you and politely asks to use your cell phone, just for a minute, to make an urgent call to his wife. Given his appearance and pleasant manner, you unlock your phone with your PIN and have no hesitation in handing it to him.
The next thing you know, he's run off with your cell phone, never to be seen again. The social engineer now has your phone contacts and the personal images stored on your device, and given you were already logged into your Facebook account, he's compromised that as well! If he's someone with malicious intent, he'll SE your Facebook contacts and friends into giving up their confidential information by claiming it's a trusted person who's requesting it, namely you.
* Selling Raffle Tickets.
You've just walked into the local mall, and a very attractive woman approaches you, asking if you'd be kind enough to purchase a raffle ticket, with all proceeds going to a charitable organization. At a cost of only a few dollars, it's well worth the money for the chance of winning the brand new car on offer, so you go ahead with the purchase, filling in your name, address, date of birth and phone number and paying the requested amount.
One week later, you receive a call from your bank advising you of suspicious activity on your account, and that around $5,000 in cash has been withdrawn. As such, the bank has frozen all funds pending an investigation. Yes, you guessed it: you've been social engineered by the woman who seemingly sold you the raffle ticket. The details you provided at the time of purchase were enough for her to assume your identity and use it to open a credit card account in your name!
* A Dating Couple Asks To Take Their Photo.
You're sitting alone at a nice restaurant on a Sunday afternoon, waiting for a good friend to arrive. A passerby and his partner ask you to take a photo of them, handing you their cell phone, and since they seem like such a charming couple, you oblige: you stand up from your seat, take the photo and hand back their phone.
However, while you were doing so, a third person, a friend of the couple, walked by and took the handbag you left unattended on your seat while you were busy taking the photo. Within a space of less than 30 seconds, you've been social engineered! Say goodbye to your credit cards, driver's license, cash, and whatever else your handbag contained.
In Conclusion:
Taking all the above scenarios into account, how many times has it crossed your mind that you could be social engineered in that fashion? I'd say it's safe to assume your answer is "zero". Sure, for the most part those actions are innocent and without malicious intent, but believe me, social engineers use very similar (if not the same) methods to physically SE you. The equation is pretty simple: do not trust anyone unknown to you, and never hand out your personal information. Period.
Now you might be asking: "What about door-to-door sales? How do I know they're for real?" Easy! If you do in fact want to sign up for a good deal, ask for the salesperson's identification and the phone number of their office. Perform a quick Google search to make sure the company name and number match, and then call the company and ask to speak with the salesman who's currently at your home. If they confirm he's not in the office, then he is in fact legit.