Safeguard Your Business: Social Engineering Attacks

A hacker doesn't need a phishing scam or some crazy malware package to affect your business. Sometimes, all they need is to get into the building.

Tailgating

Tailgating or piggybacking is a type of social engineering attack in which an authorized person lets an unauthorized person into a restricted area.

This usually happens in businesses where people let someone follow them inside the building without paying attention.

Scammers who tailgate might dress up as delivery drivers, say they forgot their badge, or claim that they're "new."

If they're not properly checked at the front desk by reception or security, they can spy on other employees, access computers, or snoop around to gather sensitive information for a future hack.

Pretexting

Pretexting occurs when an attacker creates a fake persona or abuses a real job title.

When data breaches happen to businesses from the inside, it's usually because of pretexting.

These scammers establish trust using their titles. They convince employees to hand over sensitive information; it could be an "IT guy" requesting a password, or "HR" asking for a home address.

They know people will hesitate to question them or push back, even if something seems weird.

Dumpster Diving

Dumpsters and trash bins are often left unlocked in back alleys or parking lots. Scammers love taking advantage of this.

If a hacker can't enter the building directly, they'll dumpster dive.

Scammers will search for bank statements, pre-approved credit cards, or other sensitive information.

This can lead to compromised devices and accounts, and to identity fraud.

How to Protect Yourself

To prevent tailgating attempts, make sure anyone not on staff goes through some sort of check-in process. Physical barriers like turnstiles are great for places with a lot of traffic.

If possible, use a video monitoring system and sensors that count the people entering and leaving.

Training your staff on recognizing pretexting attempts is key. They should be able to recognize emails or texts that use urgent language ("immediately," "right away," "ASAP").

Pretexting attempts usually request sensitive information, a transfer of funds, or files.
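The two indicators described above, urgent language and a request for sensitive data, money, or files, can be turned into a simple triage check that staff or a mail filter can run over an inbound message. The following is an added example and not code from the original post; the keyword lists and the sample messages are constructed for illustration, and the thresholds are assumptions that a real deployment would tune to its own traffic and pair with out-of-band verification of the sender.

```python
"""Heuristic triage for pretexting messages (added example, not from the post).

Scores a message on the two indicators the post describes: urgent language
and a request for sensitive information, funds, or files. Keyword lists,
sample messages, and the alert threshold are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Urgency phrases named in the post plus a few constructed variants.
URGENCY_TERMS = ["immediately", "right away", "asap", "urgent", "within the hour"]

# Request categories: what the message is asking the recipient to hand over.
REQUEST_PATTERNS = {
    "credentials": r"\b(password|passcode|login|mfa code|one[- ]time code)\b",
    "personal data": r"\b(home address|ssn|social security|date of birth|bank account)\b",
    "funds": r"\b(wire|transfer|gift cards?|invoice|payment)\b",
    "files": r"\b(send|share|forward)\b.{0,40}\b(file|document|spreadsheet|report)s?\b",
}

# Constructed sample messages: three pretexting patterns from the post and two benign notes.
SAMPLES = {
    "it_password": "Hi, this is Dave from IT. We are resetting accounts and I need "
                   "your password right away to keep you online.",
    "hr_address": "HR here. Please confirm your home address ASAP so payroll can go out.",
    "wire": "Can you process this wire transfer immediately? The CEO is in a "
            "meeting and approved it verbally.",
    "benign": "Reminder: the team lunch is on Thursday at noon. See you there!",
    "benign_report": "Attached is the Q3 report for review when you get a chance.",
}


@dataclass
class TriageResult:
    urgency_hits: list = field(default_factory=list)
    request_hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.urgency_hits) + len(self.request_hits)

    @property
    def verdict(self) -> str:
        # Urgency combined with a request is the pattern the post describes.
        if self.urgency_hits and self.request_hits:
            return "likely pretexting: verify the request out of band"
        if self.urgency_hits or self.request_hits:
            return "single indicator: treat with caution"
        return "no indicators"


def triage(message: str) -> TriageResult:
    """Return which urgency terms and request categories appear in the message."""
    text = message.lower()
    urgency = [t for t in URGENCY_TERMS if re.search(r"\b" + re.escape(t) + r"\b", text)]
    requests = [name for name, pat in REQUEST_PATTERNS.items() if re.search(pat, text)]
    return TriageResult(urgency, requests)


def triage_all(samples: dict) -> dict:
    """Map each sample name to its verdict string."""
    return {name: triage(msg).verdict for name, msg in samples.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        result = triage(msg)
        print(f"{name:14} score={result.score} urgency={result.urgency_hits} "
              f"requests={result.request_hits} -> {result.verdict}")
```

The check is deliberately crude: it flags a message for a human to verify by calling the supposed sender back on a known number, not for automatic blocking, and a quiet, polite pretext with no urgent wording will slip past it, which is why the training the post describes matters more than any filter.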

And to deal with dumpster diving attempts, have a plan in place to properly dispose of data. This includes shredding paperwork and securely erasing disk drives.

You and your team should decide on a data retention policy - how long should your data be stored before it's deleted?

If possible, a certificate of destruction should be created and filed for legal tracking.
