Always attack at five to five
I did defence work, so I had to take a lot of security courses, including both physical security and cyber security, over the years.
I remember one course where the teacher started off by telling us not to let his course make us paranoid. He then spent three hours listing real world security horror stories. By lunch break, pretty much the entire class of 30 people wanted to go home, lock and barricade the doors, brick up the windows, turn off the lights, and spend the night in the fetal position in bed.
One of the lines that stuck with me was "always attack at five to five". That is, five minutes before close of business. If you get people just as they're about to leave for the day, it's a lot easier to convince them to turn over sensitive material. That's because they are in a rush to leave, and if you're calm and patient, they'll be the ones trying to pressure you, not the other way around.
One of the "try this at your company when you get back" tricks the instructor gave us as a to-do was to try and get a VP's email password before the end of the week. Students were all from different companies, so we weren't all trying the same thing at once at the same company.
The approach was simple. Look up the calendars for the VP, directors, and other high value targets in your company. See which ones are heading out of town. The day before he's leaving, just before end of day, after he's left, call his secretary/admin pretending to be IT support. You tell her you're working on his email problem ticket, and you need him to verify that he's can send binary attachments. She can log in as him (this was back in the 1990s) and confirm that he can now receive email, but to confirm he can send, he needs to go to this internal web site, download this patch file, and apply it. Don't worry, you tell the admin, you can do it through the S2MR interface, just be sure have have PGP privacy enabled, and if he's using MD5 encryption, use the 2FA model, but he has SHA256, then you'll need to-
That's as far as I got with the admin I was talking to before she was overwhelmed with the tech jargon and asked me "can't I just give his password and have you do it?". Sure, I said, and she did. I logged in to the mail system, as the VP, took a screen shot of the page to prove I'd done it, and logged out as quickly as I could.
Out of the 30 or so students, I think only 4 weren't able to get into one of their executive's email.
Defences have gotten more sophisticated, and secretaries likely don't know the passwords of the VP they work for any more. But the social engineering attacks have become more sophisticated, too. And with work from home, companies with hundreds, or thousands of employees, aren't going to be know to the IT staff they're calling.
That 1990s-era attack wouldn't work today (crosses fingers and hopes), but I have no reason to believe that the success rate is any better now than it was then.
Biting the hand that feeds IT
