A USB drive left in a car park — illustrating a physical social engineering baiting attack targeting business employees

The most dangerous attacks don't come through your firewall. They walk through your front door. 🚪

Social engineering attacks: how to protect your business

In 2016, researchers at the University of Illinois dropped 297 USB drives around their own campus. The drives were unlabelled and ordinary-looking, left in car parks, corridors, and common areas. Almost all of them (98%) were picked up, and for nearly half (45%) somebody plugged the drive into a computer and opened a file on it. The first was connected within six minutes of being dropped. The researchers hadn't sent a single phishing email. They hadn't exploited a single vulnerability. They had left a curiosity on the ground and waited.

That experiment is now nearly a decade old. The technique is still being used today.

Social engineering is not just email — the physical threat landscape

Most people, when they think about cyberattacks, picture a hooded figure at a keyboard. The reality is often far more analogue. Social engineering — the art of manipulating people rather than systems — happens in lobbies, car parks, phone calls, and corridors just as readily as it happens in inboxes.

The digital defences most businesses have invested in — firewalls, spam filters, endpoint protection — do nothing to stop an attacker who walks through the front door carrying a clipboard and a confident expression.

Physical social engineering works because it exploits human instincts that are genuinely good ones: helpfulness, trust, politeness, curiosity. An attacker doesn't need to break your systems if they can borrow your employee's better nature for five minutes.

Tailgating, baiting, pretexting, and vishing explained in plain English

These are the four most common physical and hybrid attacks your team is likely to encounter:

Tailgating (also called piggybacking) is the simplest. An attacker follows an employee through a secure door before it closes — arms full, looking busy, occasionally apologising for not having their badge to hand. The employee holds the door. It's basic courtesy. It's also a security failure.

Baiting is the USB experiment. Something is left: a drive, a disc, sometimes a device labelled with something tempting like "Salary Review 2025" or "Redundancy List." Curiosity does the rest. Modern operating systems no longer run programs from a drive automatically, so the payload usually waits for someone to open a file on it, or the device is not really a drive at all: it identifies itself to the computer as a keyboard and types commands the moment it is connected. 🎣

Pretexting involves constructing a believable false identity to extract information or access. The attacker calls your office posing as a supplier, an IT support technician, or a building inspector. They've done their homework. They know names, reference numbers, and enough jargon to sound credible. They ask questions that individually seem harmless but together build a useful picture — or they ask for access directly, and get it.

Vishing (voice phishing) is the phone-based variant. A call arrives for a member of your finance or HR team. The caller claims urgency — a payment needs to be authorised, a password needs to be reset, a compliance deadline is looming. Stress and time pressure are engineered into the script deliberately. Careful thinking is the casualty.
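The baiting scenario above has a technical check that complements staff training: watch workstation device-arrival logs for removable storage that was not issued by the business, and for devices that present a keyboard interface (the keystroke-injecting style of drop device). The following is an added example, not code from the original page or from Andi-Tech; it parses constructed Linux kernel log lines in the common dmesg format, and the allowlist (`APPROVED`) and the made-up vendor ID `1a2b:3c4d` are assumptions for illustration.

```python
import re

# Constructed allowlist of devices the business issues (vendor:product, lowercase
# hex). This is an assumption for the example, not a real inventory.
APPROVED = {"0781:5567"}

# Patterns for the three kernel log lines the example relies on.
NEW_DEVICE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
STORAGE = re.compile(
    r"usb-storage (?P<port>\d+-[\d.]+):[\d.]+: USB Mass Storage device detected"
)
KEYBOARD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.[0-9A-F]+: "
    r".*USB HID v[\d.]+ Keyboard"
)

# Constructed sample log: an issued drive, then a drop device that exposes both a
# storage interface and a keyboard interface (vendor:product 1a2b:3c4d is made up).
SAMPLE_LOG = """\
[  812.101] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  812.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  812.251] usb 1-1: Product: Cruzer Blade
[  812.260] usb-storage 1-1:1.0: USB Mass Storage device detected
[  955.300] usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
[  955.301] usb 1-2: Product: USB Composite Device
[  955.310] usb-storage 1-2:1.0: USB Mass Storage device detected
[  955.321] hid-generic 0003:1A2B:3C4D.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Composite Device] on usb-0000:00:14.0-2/input1
""".splitlines()


def parse_devices(lines):
    """Map each newly attached device (vid:pid) to the interface classes it exposed."""
    port_to_id = {}   # "1-2" -> "1a2b:3c4d", filled from the enumeration line
    classes = {}      # "1a2b:3c4d" -> {"storage", "keyboard"}
    for line in lines:
        if m := NEW_DEVICE.search(line):
            ident = f"{m['vid']}:{m['pid']}".lower()
            port_to_id[m["port"]] = ident
            classes.setdefault(ident, set())
        elif m := STORAGE.search(line):
            # usb-storage names the port, so look the device up by port
            ident = port_to_id.get(m["port"])
            if ident is not None:
                classes[ident].add("storage")
        elif m := KEYBOARD.search(line):
            # hid-generic carries the vendor/product ID directly (uppercase hex)
            ident = f"{m['vid']}:{m['pid']}".lower()
            classes.setdefault(ident, set()).add("keyboard")
    return classes


def triage(lines, approved=APPROVED):
    """Return (vid:pid, severity, reason) for every device not on the allowlist."""
    findings = []
    for ident, cls in parse_devices(lines).items():
        if ident in approved:
            continue
        if {"storage", "keyboard"} <= cls:
            findings.append((ident, "high",
                             "composite storage+keyboard device; typical of "
                             "keystroke-injecting drop devices"))
        elif "keyboard" in cls:
            findings.append((ident, "high", "unapproved keyboard-class device appeared"))
        elif "storage" in cls:
            findings.append((ident, "medium", "unapproved removable storage"))
    return findings


if __name__ == "__main__":
    for ident, severity, reason in triage(SAMPLE_LOG):
        print(f"{severity.upper():6} {ident}  {reason}")
```

Two caveats when turning this into a real alert. A genuinely new keyboard will also fire, so issued keyboards belong on the allowlist alongside issued drives. And detection is the second line: the first is an endpoint device-control policy that refuses unapproved removable storage and unknown keyboard-class devices outright, which leaves the log check to catch what slips through on machines the policy does not reach.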

How attackers research targets before attempting physical access

The most effective social engineers don't improvise. They research. And most of what they need is already public. 🔍

Before ever setting foot near your premises, an attacker may have reviewed:

  • Your company's LinkedIn page — org structure, staff names, job titles, recent hires, and who manages what
  • Your website's About and Team pages — photos, bios, and sometimes direct contact details
  • Job listings — which reveal what software, systems, and processes your business uses
  • News articles or press releases — office moves, new contracts, leadership changes
  • Physical reconnaissance — a drive past the office to note delivery windows, access points, and whether reception is staffed

By the time the attacker picks up the phone or walks into your building, they may know your IT manager's name, your ticketing system, your cloud provider, and the name of your CEO. They sound like they belong. That is entirely by design.

Building a human firewall — staff training that actually works

Technical controls are essential. They are not sufficient. The honest reality is that no firewall stops an employee who has been convinced they are helping a legitimate visitor, and no email filter catches a phone call.

Effective security awareness training doesn't lecture staff about what not to do. It puts them in scenarios — real, plausible, close to home — and builds the instincts to pause, verify, and escalate. The goal is not suspicion of everyone. It's a simple habit: verify before you trust.

Practical measures that make an immediate difference:

  • A clear, written policy for verifying visitor identities, and the confidence to enforce it politely
  • A call-back rule for any phone request to change payment details, reset a password, or grant access: hang up and ring back on a number already on file, never one the caller supplies
  • A single number or contact for staff to report suspicious behaviour without fear of overreacting
  • Regular, short training sessions covering social engineering scenarios specific to your industry
  • Simulated physical and phone-based social engineering exercises to test and reinforce awareness
  • A culture where questioning an unfamiliar face or an unusual request is encouraged, not awkward

The businesses that handle social engineering best are those that treat security awareness as an ongoing conversation, not an annual compliance tick. Andi-Tech's cybersecurity solutions include staff awareness training and security policy development — because the most important layer of your defence is the one that answers the door.

🧠 Is your team trained to spot an attack that never touches a keyboard?
Andi-Tech designs and delivers security awareness programmes for SMBs — covering social engineering, phishing simulation, and the practical policies staff need to make the right call under pressure.

Contact us at info@andi-tech.com — let's make sure your people are as secure as your systems.