Pretexting and Physical Security
Not all social engineering arrives by email. Pretexting — inventing a believable scenario to extract information or access — plays out over the phone (vishing), by text (smishing), and in person, and it shades into physical security: tailgating through a door, dropping a malicious USB, impersonating a vendor.
This topic covers the non-email human attack surface and the process-and-culture defenses that counter manipulation no email filter will ever see — because a confident phone call to the help desk has caused some of the largest breaches on record.
Pretexting Across Channels
A convincing story plus urgency and authority extracts passwords, MFA codes, or access. Vishing on the phone and smishing by text scale it, and help-desk impersonation — calling IT posing as an employee to trigger a password or MFA reset — is a top real-world intrusion path, precisely because it turns a support process into an authentication bypass (the recovery weakness from Chapter 3, exploited by voice).
Physical Intrusion
Tailgating through a badged door behind a helpful employee, posing as a delivery or contractor, and accessing an unattended workstation all shortcut every digital control — which is why the badge reader and the locked screen are security controls, not facilities concerns. Physical access to a machine is often faster than any remote attack, so it belongs squarely in the security program.
Baiting and Media Drops
A malicious USB dropped in a parking lot exploits curiosity, and a plugged-in device can auto-run a payload or emulate a keyboard to type commands (BadUSB). Device-control policy — restricting removable media — is the counter, because the human impulse to plug in a found drive is reliable enough that attackers count on it.
The Help Desk as a Target
Attackers call IT posing as an employee to reset credentials or enroll a new MFA device, and strong identity verification for support actions is the defense — its absence has caused major breaches. Meridian's human perimeter is a set of concrete controls: verified help-desk identity-proofing, visitor and badge policy against tailgating, clean-desk and auto-lock, USB and device control, and out-of-band verification for any unusual request, whatever authority it claims.
- Help desks that reset passwords or enroll MFA on a convincing phone call without strong identity verification — a documented path to major breaches.
- Treating physical security as facilities' problem, not security's, so tailgating and unattended-workstation access bypass every digital control.
- Allowing unrestricted USB and removable media, enabling baiting and BadUSB attacks.
- No out-of-band verification norm, so a confident caller or an email with authority and urgency gets compliance.
- Leaving account recovery and support actions weaker than the login they can reset (Chapter 3).
- Enforce strong identity verification for all help-desk credential and MFA actions, and treat reset and enrollment as high-risk operations.
- Make out-of-band verification a cultural norm for unusual or sensitive requests, regardless of claimed authority.
- Cover physical security as security: badge and visitor control, anti-tailgating, clean-desk, and enforced screen lock.
- Restrict removable media and device access to counter baiting and BadUSB.
- Hold help-desk and recovery actions to the same strength as the login they can change.
Knowledge Check
Why is the help desk a favored social-engineering target?
- A convincing caller can trigger a password or MFA reset
- Help-desk staff hold direct access to the encryption keys
- Inbound phone calls cannot be logged or traced at all
- The help desk directly controls the company firewall
Why does a malicious USB drop work as an attack, and what counters it?
- It exploits curiosity; removable-media device control counters it
- It works only if the drive is encrypted; disk encryption counters it
- It needs the user's password to run; MFA counters it here
- It only affects servers, so network segmentation counters it
What is the durable defense against a confident caller who claims authority and urgency?
- Out-of-band verification through an independent channel
- Complying quickly so as not to upset an apparently senior person
- Checking that the caller knows the employee's job title
- Asking the caller to repeat their request louder
You got correct