Data available in physical format represents an important source of information for cybercriminals: things like passwords written on paper or cards, as well as information susceptible to theft that moves through social networks and computers. Here are some of the social engineering techniques designed to extract information available in non-digital format.
Among these techniques, certain methods stand out, such as ‘trashing’, ‘shoulder surfing’, ‘desktop diving’ (the practice that ‘clean desk’ policies are meant to defeat) and ‘vishing’. As the definitions of each of these terms explain, the hacker’s goal is to take advantage of a weakness of the targeted person or company from whom they hope to extract the information. Normally these weaknesses result from leaving documents with sensitive information (bank statements, financial balance sheets, project details, family data or auditing reports) within hackers’ reach.
Criminals also take advantage of people’s carelessness when entering passwords or other information on phones, computers, tablets, etc. The hacker can also obtain information when a victim discusses confidential details of their personal, family or professional life in public places such as public transportation, an airport, a coffee shop, or anywhere else that is not appropriate for private conversations.
Some of the techniques used to obtain confidential information or invade privacy are:
- ‘Shoulder surfing’: this technique consists of looking over the victim’s shoulder while they enter information on phones, computers, ATMs or other devices. This allows the criminal to obtain information such as the victim’s password, debit or credit card PIN, and other personal data. The criminal may approach the victim directly or observe from a distance with tools like cameras, microphones or binoculars.
- ‘Trashing’: or looking through the trash. With this technique, the criminal searches for information among the waste in trash bins, at recycling centers, on computer media that was discarded incorrectly, and in general among any kind of discarded documents or data from which they can piece together structured, coherent information.
- ‘Vishing’: a technique in which the criminal poses as a bank on the phone, tricking the victim into revealing information such as card numbers, expiration dates, verification codes, etc. The criminal may already hold partial information obtained through one of the physical techniques, which earns the victim’s trust and convinces them to provide more.
- ‘Desktop diving’: this technique involves obtaining data from papers, reports, post-its and documents in general that have been left on desks, in meeting rooms, in printers or in correspondence boxes, or by stealing devices like computers, phones, storage devices and memory cards that are not protected with passwords or encryption. This information is useful for building profiles that help the criminal obtain further confidential data. To avoid this, experts recommend keeping desks free of confidential information and never leaving documents where others can see them. Confidential documents and information should always be stored in a secure corporate location.
In conclusion, it is important to keep physical information properly stored, to establish procedures for discarding data in both physical and digital formats, to be cautious in conversations, and to stay alert to questions about confidential data and intrusions into personal space. Protecting information, regardless of its format, should be a priority.
Remember, when it comes to the theft of information in a physical format, you are the best defense.