What is Physical Social Engineering?

Today's businesses typically devote many resources to ensuring the logical security of their information systems. However, the devastating effect of even a single security breach also requires these organizations to consider their physical security, which they often overlook. Physical social engineering assessments evaluate a company's ability to prevent unauthorized physical access to assets on its premises, or to prevent someone from taking an unauthorized action because a person requested it face to face. Experienced consultants can provide their clients with a great deal of information about their physical security. This aspect of social engineering is becoming increasingly popular in the U.S., but only a few consultants have the expertise needed to conduct this increasingly important assessment.

A physical social engineering test assesses how difficult it would be for an attacker to exploit the people component of an organization, either to reach the organization's physical premises (generally to obtain sensitive information or control over internal systems) or to get staff to perform an action (sending a message, canceling a service, providing a refund, providing confidential information) that may not be in the organization's best interest. It also includes advice on ways to mitigate these threats, which organizations often overlook when developing their information security strategy.

A physical social engineer's job is to get a target to take an action that is not in the company's best interest, such as allowing physical access to the organization's premises by convincing someone to admit them or by bypassing people controls (i.e., tailgating into a building), and then to perform a series of predetermined tasks that assess the organization's physical security posture. The goal of these tasks is typically to obtain network access, often by planting devices that the attacker can operate remotely, to reach a sensitive area of the building, or to get a person to take an action. A physical social engineer also attempts to gather evidence of an organization's security vulnerabilities in real time. This evidence could include sensitive information left in the open, workstations left logged on, and violations of clean desk policies.

The most challenging aspect of physical social engineering is convincing clients that physical social engineering is just as important to security as penetration testing. Mature organizations often conduct penetration testing of both their application and network security on a regular basis without ever assessing their physical security. The primary reason for this disparity is that the consultants who test security typically have expertise in logical security rather than physical security, so they simply aren't capable of performing these tests. Furthermore, cyber security organizations usually don't offer physical social engineering services, giving their clients the impression that their current measures are adequate for protecting their network and data.


Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at 612-234-7848 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.


Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to researching the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.