An unfamiliar face walks into your office wearing a high-vis vest and carrying a laptop bag. He says he’s from IT — there’s a critical network issue and he needs five minutes with a workstation. Three employees hold the door open for him. Nobody asks for ID.

Twenty minutes later, your client database is on its way to a server in Eastern Europe.

The IT persona is just one flavor. The same result happens when it’s the catering crew arriving early for a board meeting, the scaffolding team from the renovation two floors up, the legal courier who needs a signature, or the facilities contractor checking the fire suppression system. The uniform changes. The outcome doesn’t.

TL;DR

  • The FBI warned in May 2026 that Silent Ransom Group sends physical operatives to insert USB drives into law firm computers after remote access fails
  • Physical social engineering follows a predictable chain: phishing email → IT impersonation call → in-person operative
  • Tailgating accounts for 71% of physical breach entry methods; the average breach costs $4.07M
  • Defenses are organizational, not just technical: challenge culture, visitor policies, and USB port lockdown
  • Physical pen testing reveals that most organizations that pass cyber audits fail physical ones — badly

Why This Is No Longer a “Niche” Threat

Most organizations have invested heavily in their digital defenses. Firewalls, EDR (Endpoint Detection and Response), MFA — the technical perimeter is harder than ever to crack remotely. So attackers are taking the shortcut that doesn’t require zero-days or sophisticated malware: they walk in.

This isn’t a hypothetical. The FBI issued an alert in May 2026 warning that the Silent Ransom Group (SRG) — a financially motivated threat actor active since at least 2022 — has added a new tactic to its playbook: sending real people, in person, to insert USB storage devices into victim computers when remote access fails.

The target? U.S. law firms. The payload? Sensitive client data used for extortion.


The Attack Chain: From Inbox to In-Person

Physical intrusions rarely start at the front door. They start much earlier. Understanding the full chain is essential for defenders, because breaking any link in it stops the attack.

Stage 1 — The Phishing Hook

SRG’s campaigns typically begin with callback phishing (also called telephone-oriented attack delivery, or TOAD). The target receives an email claiming there’s an unauthorized subscription charge or an IT support issue that requires them to call a phone number. The email looks legitimate — it might spoof the company’s own IT helpdesk or a known software vendor.

The goal of this email isn’t to get a click. It’s to get a phone call.

Stage 2 — The Voice Layer

When the target calls, they reach an SRG operative posing as IT support. The “helpdesk agent” builds trust rapidly — they have the target’s name, the company name, maybe even the person’s manager’s name scraped from LinkedIn.

From here, the operative has two routes:

  • Remote access: Convince the target to install a remote monitoring tool (like AnyDesk or ScreenConnect) and hand over access directly
  • Escalation to physical: If remote access is blocked, denied, or the data can’t be extracted remotely, the operation shifts to in-person

Stage 3 — The Physical Operative

This is where SRG diverges from most threat actors. According to the FBI alert, when remote exfiltration is insufficient, SRG dispatches a physical person to the target location. This person — posing as IT support, a contractor, or a technician — arrives at the office and requests brief access to a workstation.

Once at the machine, they insert a USB drive. WinSCP or Rclone — tools already staged on the device — begin pulling files. The operative leaves. The theft goes undetected for days or weeks.


The Psychology Behind the Door

Why does this work so consistently? Three cognitive mechanisms:

Authority — A person in a polo shirt with a company logo who speaks confidently about “a critical network issue” triggers deference. We’ve been conditioned to trust IT staff with physical access to our machines.

Urgency — “I need to fix this in the next 15 minutes or the whole floor goes offline” short-circuits the part of the brain that asks for verification. Urgency and critical thinking are inversely proportional.

Social proof — If one employee escorts the visitor past reception, the next person who sees them assumes legitimacy. The mere act of being inside the building is itself a form of authorization in the minds of other employees.

Physical pen testers describe this as “blending in by the second door.” Getting past the first checkpoint is hard. Once you’re inside, most people assume someone else already verified you.


Real Cases: When the Attack Goes Physical

Silent Ransom Group vs. U.S. Law Firms (2022–2026)

SRG, also tracked as Luna Moth, Chatty Spider, and UNC3753, has been systematically targeting U.S. law firms since at least Spring 2023. Their data exfiltration then turns into extortion — pay up, or sensitive client data gets published on their clearnet leak site.

At least 38 firms that refused to pay had their data publicly leaked. The FBI has issued two major warnings — May 2025 and May 2026 — as the group’s tactics evolved from pure callback phishing toward hybrid physical operations.

The shift to physical operatives marks a significant escalation. It means these groups are now willing to accept operational security (OpSec) risk — sending a real person into a hostile environment — because the payoff justifies the cost.

The Coalfire Incident: When the Defenders Got Arrested

In September 2019, security consultants Justin Wynn and Gary Demercurio from pen testing firm Coalfire were hired by the Iowa Supreme Court to test the physical security of courthouses across the state. They had a signed contract and documented authorization.

At the Dallas County Courthouse, after midnight, they used a plastic cutting board to slip a door latch — a standard physical pen test technique — and triggered an alarm. The local sheriff arrived, reviewed their authorization letter, and arrested them anyway. They spent nearly 24 hours in jail, faced burglary charges, and were held on $100,000 bail.

Charges were eventually dropped in January 2020, but the case illustrated a critical point: even authorized physical pen testers can face arrest when organizational communication breaks down. The sheriff’s office hadn’t been properly notified. The right hand didn’t know what the left hand had authorized.

Defenders need to think about not just “who do we let in” but “do all stakeholders know who is supposed to be here.”


What Attackers Look for When They Arrive

A skilled physical social engineer doesn’t improvise. They’ve done reconnaissance — probably from OSINT (Open Source Intelligence) sources — and know what to expect before they arrive:

  • Reception procedures: Is there a visitor log? Does reception call ahead to verify?
  • Badge systems: Are badge readers enforced or decorative? Can someone tailgate through a badge door?
  • Floor layout: Where are the servers, the unattended workstations, the network closets?
  • Staff behavior: Do employees challenge unfamiliar faces, or do they hold the door and move on?

The pretext determines which door gets opened — literally and figuratively. Different roles have different natural access patterns, and a skilled operator picks the one that fits the target environment:

| Persona | Natural access | Why it works |
|---|---|---|
| IT / network technician | Server rooms, comms closets, workstations | People assume IT has universal access |
| Facilities / maintenance | Plant rooms, ceilings, floors, any locked space | “Checking the pipes” is almost never questioned |
| Cleaning / janitorial | Entire building, after hours | Staff are conditioned to ignore cleaners |
| Catering / delivery | Kitchen, boardrooms, reception | Carrying boxes signals busyness, not threat |
| Construction / scaffolding | Adjacent access points, roof, external entry | Hard to verify, presence expected during works |
| Legal courier / auditor | Executive floors, finance, legal | Carries documents, appears time-sensitive |
| New employee | Everything | Nobody wants to embarrass the new hire by asking for ID |

Props reinforce the persona. A work order on a clipboard, a branded polo shirt, a hi-vis vest, a fake ID that gets glanced at but not read — all of these short-circuit verification instincts. The bar isn’t “looks official enough to fool a security expert.” It’s “looks plausible enough that nobody feels comfortable asking.”


Building Your Defense: Layers That Actually Work

Physical security failures are organizational failures. Technical controls help, but they don’t substitute for people who know what to do when something feels wrong.

1. Challenge Culture — The Most Important Defensive Tool

Most employees feel awkward challenging someone who appears to belong. Organizations need to make asking for verification the default behavior, not an act of suspicion.

This requires explicit messaging from leadership: “If someone enters a restricted area without proper verification, it is always acceptable — and expected — to ask who authorized their access.” Practice this in drills. Reward employees who challenge unfamiliar visitors.

Physical pen testers consistently report that organizations with strong challenge cultures are significantly harder to breach, regardless of how good their technical controls are.

2. Visitor Management That Has Teeth

A visitor log is not a visitor management system. Effective visitor management means:

  • Every visitor is pre-registered in a system before arrival
  • Reception verifies against the register before issuing a badge
  • Visitor badges are visually distinct and time-limited
  • Escorts are mandatory in sensitive areas — not optional
  • Unescorted visitors in restricted areas trigger an alert

If your “visitor policy” consists of a paper log at reception, you don’t have a visitor policy.

3. Clear IT Communication Policies

SRG’s attack works because employees genuinely can’t tell whether the IT call is real. Organizations should establish — and communicate — explicit rules:

  • IT will never call employees and ask them to install remote access tools
  • Legitimate IT requests are initiated through the ticketing system, not cold calls
  • Any in-person IT visit must be pre-approved and logged; employees should verify against the ticketing system before granting access

This single policy, if enforced, breaks Stage 2 of SRG’s attack chain.

4. USB Port Control

USB-based data exfiltration requires a physical USB port. This is an unusually solvable problem:

  • Software controls: Group Policy (Windows) or MDM policies can disable USB storage devices. Legitimate IT tools still work; random USB drives don’t.
  • Physical locks: For high-sensitivity workstations, physical USB port locks eliminate the attack surface entirely
  • Device allowlisting: Some EDR platforms support hardware device allowlisting — only pre-approved USB devices can mount

Physical security breaches cost an average of $4.07M and take an average of 223 days to identify. Disabling USB storage costs close to nothing.

5. Physical Security Audit

If you’ve never had a physical pen test, you don’t know what you’re defending. Physical pen testers routinely find:

  • Badge doors that close too slowly, enabling tailgating
  • Reception desks that accept verbal authorization (“I’m here to see John in IT”)
  • Server rooms accessible to anyone with an employee badge
  • Unattended workstations with logged-in sessions
  • Network ports in public areas (lobbies, meeting rooms) that provide LAN access

The Verizon DBIR has consistently shown that organizations are far better at detecting remote intrusions than physical ones. Physical audits reveal the gap.

| Control | Stops Stage | Difficulty | Cost |
|---|---|---|---|
| Challenge culture training | 3 (in-person) | Medium | Low |
| IT communication policy | 2 (vishing) | Low | Very low |
| Visitor management system | 3 (in-person) | Medium | Medium |
| USB port lockdown | 3 (exfil) | Low | Very low |
| Physical pen test | All | High | Medium-High |

What You Can Do This Week

  1. Write the IT communication policy. One page: how IT contacts employees, what they’ll never ask for, how to verify an in-person visit. Send it to all staff.
  2. Test your reception. Have someone unfamiliar walk in without pre-registration and see what happens. You’ll learn everything you need to know in 10 minutes.
  3. Audit USB controls. Check whether Group Policy or MDM blocks unauthorized USB storage. If you don’t know, assume it doesn’t.
  4. Run a phishing simulation with a callback element. Standard click-rate phishing simulations don’t test the vishing vector. Use a simulation that includes a callback phone number and see how many employees call.
  5. Schedule a physical pen test. Even a one-day assessment will surface findings that months of cyber hardening missed.
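As an added example (not code from the article or from the FBI alert), the PowerShell below carries out the USB-control audit in step 3, reading the registry values that the Group Policy settings described in section 4 write on a Windows workstation. The registry paths, value names and the removable-disk class GUID are the standard Windows ones; the function name, the summary fields and the wording of the finding are assumptions of this example.

```powershell
# Added example (not from the article): audit whether this Windows host blocks
# removable USB storage via the registry values that Group Policy / MDM write.
# Read-only; keys under HKLM\SOFTWARE\Policies only exist once a policy applies.
function Test-UsbStorageLockdown {
    [CmdletBinding()]
    param()

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # GUID of the "Removable Disks" policy node (disk device interface class).
    $removableDisk = "$policyRoot\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $devInstall = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

    # Read one DWORD value; returns $null when the key or value is absent.
    function Get-RegValue($path, $name) {
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    }

    $r = [ordered]@{
        # "All Removable Storage classes: Deny all access"
        DenyAllRemovable = (Get-RegValue $policyRoot 'Deny_All') -eq 1
        # "Removable Disks: Deny read / write / execute access"
        DenyRead         = (Get-RegValue $removableDisk 'Deny_Read') -eq 1
        DenyWrite        = (Get-RegValue $removableDisk 'Deny_Write') -eq 1
        DenyExecute      = (Get-RegValue $removableDisk 'Deny_Execute') -eq 1
        # USBSTOR driver disabled outright (Start = 4; 3 = loads on demand)
        UsbStorDisabled  = (Get-RegValue $usbstor 'Start') -eq 4
        # Device Installation Restrictions: block new devices not on the allowlist
        # ("Prevent installation of devices not described by other policy settings")
        DenyUnspecified  = (Get-RegValue $devInstall 'DenyUnspecified') -eq 1
    }

    # Map the raw settings onto the two things the operative needs the port for:
    # running tools staged on the drive, and copying files onto it.
    $blocksMount = $r.DenyAllRemovable -or $r.UsbStorDisabled -or $r.DenyUnspecified
    $r.StagedToolsBlocked = $blocksMount -or $r.DenyRead -or $r.DenyExecute
    $r.CopyToDriveBlocked = $blocksMount -or $r.DenyWrite
    $r.Finding = if ($r.StagedToolsBlocked -and $r.CopyToDriveBlocked) {
        'OK: removable USB storage is blocked on this host'
    } else {
        'GAP: a freshly inserted USB drive would be usable (assume no control until proven)'
    }
    [pscustomobject]$r
}

# Usage: run on a sample of workstations and keep the output with the audit.
Test-UsbStorageLockdown | Format-List
```

A host managed by MDM rather than classic Group Policy may enforce the same restriction through a different mechanism, so a GAP result here is a prompt to check the MDM console, not proof that the port is open.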

