Can you hold the door for me? I don't have my key/access card on me."
In the same exercise where Nickerson used his shirt to get into a building, he had a team member wait outside near the smoking area where employees often went for breaks. Assuming his team member was simply a fellow-office-smoking mate, employees let him in the back door with out question.
This kind of thing goes on all the time, according to Nickerson. The tactic is also known as tailgating. Many people just don't ask others to prove they have permission to be there. But even in places where badges or other proof is required to roam the halls, fakery is easy, he said." I usually use some high-end photography to print up badges to really look like I am supposed to be in that environment.
But they often don't even get checked. I've even worn a badge that said right on it 'Kick me out' and I still was not questioned."
"Hi, I'm from the rep from Cisco and I'm here to see Nancy."
Nickerson recently pulled off a successful social engineering exercise for a client by wearing a $4 Cisco shirt that he got at a thrift store.Criminals will often take weeks and months getting to know a place before even coming in the door. Posing as a client or service technician is one of many possibilities.
Knowing the right thing to say, who to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility, according to Nickerson.Well, cookies can't hurt either. Nickerson said he always brings cookies when he is trying to gain the trust of an office staff.
In fact, a 2007 diamond heist at the ABN Amro Bank in Antwerp, Belgium involved an elderly man who offered the female staff chocolates and eventually gained their trust with regular visits while he pretended to be a successful businessman."It was just plain old chocolate," said Nickerson. "Sweets loosen everybody up."Ultimately the bank lost 120,000 carats of diamonds because the man was able to gain enough trust to be given off-hours access to the bank's vault.