# Social Engineering
Social engineering exploits human psychology to bypass physical security controls. It is often the most effective way to gain entry.
## Pretexting Scenarios
- IT Support - "I'm from IT, here to fix the printer/network issue"
- Fire Inspector - "Routine fire safety inspection" (requires props)
- Delivery Person - Package delivery, uniform + clipboard
- New Employee - "First day, badge isn't working yet"
- Contractor - HVAC, elevator, pest control service
- Vendor/Supplier - Scheduled meeting with fake name
- Health Inspector - Food service areas only
## Tailgating Techniques
- Hands Full - Carry boxes, ask someone to hold the door
- On the Phone - Appear busy, look like you belong
- Following Groups - Enter with a crowd after lunch
- Smoking Area - Exit through it, then re-enter with the smokers
- Loading Dock - Often a less-secured entry point
- Emergency Exit - May not be alarmed or monitored
## Vishing (Voice Phishing)
Common pretexts for phone-based social engineering:
### IT Help Desk Pretext
"Hi, this is [Name] from IT Security. We detected unusual activity on your account and need to verify your identity. Can you confirm your username and the last 4 digits of your password?"
### HR/Payroll Pretext
"This is [Name] from HR. We're updating our records and need to verify your employee ID and date of birth for tax purposes."
### Executive Assistant Pretext
"I'm calling on behalf of [CEO Name]. They need the [document/access] urgently for a board meeting. Can you help expedite this?"
### Vendor Support Pretext
"This is [Vendor] support. We need to push a critical security update to your system. Can you provide remote access credentials?"
## Caller ID Spoofing Tools
Use responsibly and only with proper authorization:
- Spoofcard
- SpoofTel
- Burner phones with prepaid SIMs