When you work in an office, there’s nothing better than when someone brings in their new baby or puppy for a meet and greet.
Everyone immediately stops work and is temporarily wrapped up in a bubble of excitement.
If an attacker wants to enter your building, they can form a plan to tap into these emotions, and use them to manipulate and distract you.
And whilst they might not have a baby or puppy on hand, they can always turn to the next best thing: a bunch of flowers.
Stranger Danger
Social engineering is based on one simple concept – our natural inclination to trust people.
Criminals exploit this to gain unauthorised access to confidential data, passwords, and even physical spaces.
This is where the flowers come in.
Stroll into reception with a huge bouquet of flowers, and the atmosphere will instantly change.
“Oh wow! I hope those are for me!”
“Look at those! Who are they for?!”
No one is going to question the flower delivery person.
…but they should.
Be the Bad Guy
In the heat of the moment, it can be easy to forget that you’re not supposed to let anyone in the building without verifying who they are.
Are you really going to interrogate the delivery person and stand between your colleague and their flowers?
The problem is that once you open the door and allow that person to go and hand over the flowers to someone on the second floor, how do you know they can be trusted?
Most companies have policies in place when it comes to letting strangers and visitors into the building, so the number one rule should always be to check that this person is legit.
Do they have ID?
Is their visit expected?
Can a member of staff verify them?
Even if they genuinely work for the company they claim to represent, you can never guarantee that they won’t do something that could harm your business.
So, if the delivery person insists that they need to deliver the flowers in person, or if a chap with a mandolin turns up telling you he’s been hired to serenade Gail in Accounts – that’s fine, but make sure they have an escort.
Never allow a stranger to be left to their own devices.
We’re speaking from experience here.
Flower Power
A few years ago, Richard, our social engineering consultant, was tasked with visiting an office complex and planting a bug in the conference room.
This is, of course, legitimate, as we offer expert penetration-testing services.
His job was to use whatever method or tactic he liked in order to get past the receptionist, and get unaccompanied access to the boardroom.
Things Didn’t Go To Plan
For this particular job, Richard decided to go with the flower method.
He called in at a florist on his walk to the office and purchased the biggest, fanciest bunch of flowers money could buy.
A quick press of the buzzer and a response of ‘flower delivery!’ was all he needed in order to gain entry. He walked straight up to the reception desk, confident that this plan would work.
Everything soon began to fall apart. He announced to the receptionist that these flowers were for Carol, head of their HR department (as learnt through investigating the company on LinkedIn), as a thank you for some work she had done with their firm recently. Richard asked the receptionist if he could quickly nip through to her office and say hello, and give her the flowers in person.
The receptionist informed Richard that Carol had taken an unexpected day of annual leave so wouldn’t be in until tomorrow.
Thinking on Your Feet
Penetration testing is much more than just following a script and, if things don’t go to plan, thinking “oh well, maybe next time”. It’s about thinking on your feet, reading people’s body language, and staying in control of the situation. Criminals are well practised at this, so it’s important to be ready for anything.
Richard asked the receptionist if she could put the flowers in some water so that they’d be ready for Carol when she returned to work. The receptionist happily obliged and was caught up in cutting off the bottom of the stems and neatly arranging everything into a vase.
Under the guise of calling Carol to say he was sorry he’d missed her, Richard began to pace up and down whilst on this fake phone call. The receptionist was busy tending to the flowers so didn’t even look up.
Never Let a Stranger Out of Your Sight
Still pacing, and pretending to talk to Carol on the phone, Richard meandered off around the corner and out of sight. He opened the door to the rest of the office and bolted through without a second thought.
He quickly found the right place and managed to plant a small, easy-to-hide bug, which captured audio from within the conference room.
Before the receptionist even noticed he’d disappeared, Richard was back and wrapping up his imaginary phone call.
Richard told her the flowers looked great, thanked her for her time, and went on his way.
He now had full, unadulterated access to everything that went on in the conference room – all for the price of a bunch of flowers.
Of course, this was an ethical penetration test, and Richard was hired to do this. This process helps highlight gaps in a firm’s security and offers an opportunity for further staff training.
If you want to learn more about what steps you can take to ensure security is a priority within your business, check out our Knowledge Lab.