Skip to main content
Security Assessment

Impersonation Attacks

By November 14, 2023August 17th, 2025No Comments

In the summer of 2023, a man dressed as a Walmart worker stole around $7,000 in items from one of the company’s stores. This man was able to enter the store and steal 173 items out from under the noses of real Walmart employees. This story has a good ending. The authorities caught the man in question and recovered the stolen items. This kind of attack, which we at Social-Engineer, LLC (SECOM) refer to as an “impersonation attack,” has been on the rise in recent years. And unfortunately, not all such attacks have such happy results. Impersonation attacks can exhibit themselves in many ways. From online impersonation emails to phone calls or on-site attacks like the one above. Today, let’s go behind the scenes and delve into an on-site impersonation attack that SECOM employees were hired to perform. By doing so we’ll learn how companies can guard against such attacks.

Impersonation Attacks

On-site Preparation

SECOM employees were hired to gain access to two facilities. These were not Walmart-esque facilities, they were facilities that could potentially cause loss of life if malicious attackers breached them. So, the stakes were high. The goal of on-site impersonation attacks by good actors is to test the security of a building and see where improvements can be made.

With that goal in mind, the team launched into the planning phase. During this phase of the engagement, the team performed hours of Open-Source Intelligence (OSINT). In this time, the team discovered the facilities Internet Service Provider (ISP). It was on this discovery that our pretext became based. We decided to impersonate the ISP and see how far it could get us.

On Location

Upon arriving at the location, we made some prop runs that would help aid us in looking the part of our pretext. We bought polos that were the color of the target company we were impersonating, clipboards, and printed badges with our aliases. Armed with these props, we made our approaches.

Impersonation Attacks

On-site Approaches

We approached the first building by walking up to a group of people standing outside and gave them our pretext. They were kind enough to point us to the office building without checking our badges or ID’s. The employees inside the office were even nicer, allowing us to plug in USB devices to their computers to run “speed checks.”

The second building was trickier. It had a gate and security checkpoint where you would call in for access. We pulled up, gave our pretext, and before we even showed our badges, we were buzzed in. Five minutes later, we were standing in their computer control room, unsupervised, collecting evidence.

Takeaways

There were great takeaways for this client. What were they, and how can we learn from them? First, we must ensure that all employees are familiar with the proper procedures for verifying unknown people. It is also important that employees feel empowered to check ID’s, badges, and enact any other processes your company has in place. It should be impressed upon employees that verification MUST take place even if the person claims and appears to be from a familiar company or vendor.

Hand-in-hand with verification, it is vital to encourage employees to ask questions of people even if those people have already made it past security. On a previous occasion, SECOM employees made it through security only to be caught by another office employee. This was a great example of someone following proper procedures!

How to Better Secure Your Company

These takeaways are great jumping off points to begin better securing your company. However, real, hands-on training is the best way for you and others to gain the experience needed to protect your company properly. All of the employees we spoke to on this engagement now have interactions they can look back on to see areas for self-improvement, along with training tailored to them individually. This type of training is the best way to ensure that you’re taking the necessary steps to secure your assets.

For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit:

https://www.Social-Engineer.com/Offensive-Security/

Written by: Shelby Dacko

Tags:

Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now