Physical social engineering attacks: how ready are you?

Social engineering is the biggest cybersecurity threat there is. And social engineering attacks, such as phishing, are on the rise. But with so many people talking about phishing in a cybersecurity context (attackers attempting to steal your data via electronic communications), people forget about ‘physical phishing’ (when the attacker’s right there in front of you). Although in-person hacks are less common, they happen more frequently than you’d think and, when they do, they’re devastatingly effective.

How aware are your security teams of the risks of a physical social engineering attack? Are they ready and equipped to avoid them? If they’re not, this article will help you get them up to speed.

What is social engineering?

Let’s start at the beginning. Social engineering is, put simply, exploiting human weaknesses to gain access to sensitive and/or confidential information and protected systems. Normally it involves some kind of psychological or emotional manipulation.

Phishing is the prime and most common example. This is where a hacker sends an electronic communication posing as a trustworthy entity to trick the receiver into handing over passwords and credit card details. Typically these hackers impersonate big brands such as Amazon, Apple and PayPal and direct users to enter personal information into fake websites matching the look and feel of the legitimate site.

But social engineering doesn’t just happen over the internet.

Examples of physical social engineering

The fake IT guy

This is where a hacker shows up at your workplace pretending to be an IT technician, there to check a computer, server, printer or other network device. Many smart devices automatically ‘cry for help’ when they need maintenance, which gives these kinds of attacks plausibility.

Sometimes these attackers will give fake serial or device numbers to lend credence to their visit. And sometimes that will be enough to let them through. Most companies will run a check on the numbers first, but what if the attacker has done some ‘dumpster diving’ beforehand? If they’ve waded through your company’s rubbish skips and found legitimate serial and device numbers on discarded boxes, they’ll be able to pass your first test. And if it’s the only test required, they’re in.


Tailgating

Tailgating is where an unauthorised person follows an authorised person into a secure area. This happens naturally when multiple people pass through doors. The person at the front swipes an ID card or taps in a code and the person behind follows through the open door, entering the area without having presented any kind of identification. This is most likely to happen in residential buildings, but happens frequently in commercial buildings too.

The ‘coffee trick’

The ‘coffee trick’ is a more sophisticated form of tailgating. It’s where an unauthorised person holding a cup of coffee in each hand walks towards an office door. An unsuspecting person passing through or walking nearby will, wanting to be helpful, hold it open for them. Voilà, the attacker has access. This is classic social engineering—preying on people’s proclivity for kindness.

Shoulder surfing

This is as it sounds: watching the unsuspecting victim while they’re entering passwords and other sensitive information. But it doesn’t have to be at close range—literally looking over their shoulder. It could be from a distance—using binoculars or hidden cameras.

Dumpster diving

As mentioned earlier, dumpster diving is where attackers go through your company’s rubbish skips looking for documents containing sensitive or confidential information. They then use this information to gain access to your company.

Theft of documents

This can happen if you leave papers and documents lying around and a visitor to your building sees something they shouldn’t. Or worse, they steal the document on their way through.

Why are shoulder surfing, dumpster diving and theft of documents classed as social engineering attacks?

These three examples seem different to the first three, don’t they? That’s because the first three—pretending to be someone you’re not, tailgating and the coffee trick—consist of an attacker actively manipulating the victim. Shoulder surfing, dumpster diving and the theft of documents don’t.

But remember how we defined social engineering at the beginning? It’s the exploitation of human weaknesses to gain access to protected information and systems. And what is the fundamental weakness we’re talking about here?

Unfortunately, it’s trust. Trust is not a weakness in other contexts, but in the world of cybersecurity and physical security, it absolutely is. The natural human impulse to trust those around us is what makes employees and their companies vulnerable to a social engineering attack.

So, dumpster diving attacks happen because people trust that their sensitive information is safe if it’s been thrown away—no one’s going to go rooting through your rubbish. Document thefts happen because people trust that the visitors walking around their office won’t walk by and pinch things off their desks. And shoulder surfing attacks happen because people enter sensitive information into their devices trusting that the people around them aren’t looking.

So, avoiding a social engineering attack is all about knowing where, when and in whom to place your trust, and being very careful not to misplace it.

Tips for avoiding physical social engineering attacks

Practical measures

There are a few practical measures you can introduce to help stop social engineering attacks. Anti-tailgating doors, for example, make tailgating virtually impossible.

Another easy practical solution to the risk of document theft is a clear-desk policy—ensuring all documents are put away at the end of the workday. You should also direct your employees to shred any sensitive documents in their possession after they no longer need them. Dumpster diving attacks can also be prevented by shredding sensitive documents when they are discarded.

In particular, you should make sure that your access control system is strong, to reduce the risk of unaccounted-for visitors entering your workplace.

But the real solution is—make people aware

Practical measures are all well and good, but in the end, it won’t be security barriers, anti-tailgating doors and clear-desk policies that keep your business safe from a social engineering attack. It will be your employees knowing what the risks are and how to avoid them.

The best way of making them aware is through training. More than that—through fostering a security culture within your organisation so that employees are more alert. This involves providing them with a rigid physical security policy and continually raising awareness of the importance of upholding it. Include guidance on clear desks and shredding as well as not holding doors open for people they don’t recognise and reporting any tailgating attempts to your security teams.