A series of high-profile computer crimes has grabbed headlines this year. An elaborate CEO email scam netted fraudsters almost $100 million from Bangladesh's central bank in February. In the spring, the Panama Papers leak of stolen electronic files exposed thousands of individual and corporate offshore bank accounts. The U.S. Democratic National Committee and state election commissions were hit by hackers who intercepted email communications. But a warning from the FBI office in Houston in early October reminded corporate security professionals not to overlook a well-worn tactic: the physical theft of sensitive material by people who intrude into workplaces. Much like the hackers who threaten companies' efforts to keep information secure, the old-fashioned "office creeper" can use a variety of methods to penetrate physical security and gain access to company property and secrets.
A Creeping Threat
On Oct. 4, the FBI issued an appeal to the public for help in investigating intrusions from 2015 into an unnamed international energy firm's Houston offices. The FBI released surveillance footage of the two incidents: one on June 25, the other on Dec. 30. In the June incident, a man wearing a dress shirt, slacks and a baseball cap entered the company's offices at about 3 a.m. through an unlocked security door. He can be seen walking the halls, getting in an elevator and leaving with two bags that he did not possess earlier. The man moves confidently — like an employee familiar with the building, not like a thief. The FBI is concerned that he may have taken sensitive material in a possible case of industrial espionage. (In the second break-in, the culprit is shown trying but failing to enter the company's main office suite and takes a security radio off a desk on his way out.)
It is easy to imagine the value of information that a major energy company would possess. Choice pieces of information could be worth millions of dollars to corporate rivals or foreign governments. Chinese intelligence services in particular have demonstrated an appetite for insider knowledge they could use to benefit state-owned enterprises. Recent revelations of an office intrusion at a renewable energy firm in Edinburgh, Scotland, appear to link an official Chinese state visit in early 2011 with an overnight burglary two months later that netted several thousand dollars' worth of laptops. A Chinese prototype of a wave energy machine similar to the Scottish company's design was released three years later. Authorities have not confirmed that the 2011 break-in was tied to Chinese industrial espionage, but the details surrounding the case suggest that the theft was more strategic than a simple burglary.
In contrast to the Scotland burglary, several factors indicate that the Houston incident was more likely the work of an opportunistic office creeper than a sophisticated spy. Electronic infiltration is the tactic of choice for leading industrial espionage powers such as China and Russia because of the broader access and lower risk it offers. If a human source is needed, foreign intelligence agencies or rival companies tend to recruit a current or recently departed employee to access proprietary information. When a state intelligence service directly engages in physical intrusions, its operatives demonstrate higher degrees of tradecraft (such as the ability to pick locks) than did the Houston suspect. In addition, sending an agent to nose around in the middle of the night is a high-risk/low-reward operation, an unlikely task for a well-trained professional.
Office creepers are like computer hackers in that they seek access to unauthorized areas they can exploit for their own gain. Some are opportunistic, like the thief in Southern California who, in 2015, targeted offices during lunch hours, entering and stealing electronics when workers were most likely to be away from their desks. If confronted, he would claim that he was lost and ask for directions. Other intruders are more organized. One Ohio thief, Larry Cobb, would wear a homemade ID badge when he targeted offices during the early 2000s. Cobb was caught and sent to prison in 2007, but within a few months of his release in 2013, he returned to his old ways — this time with added sophistication. He recruited others to help him commit systematic fraud using credit cards filched from wallets and purses left unattended in the offices he burgled during regular business hours. Victimized employees rarely confronted him, even though they later said they had a strange feeling about him, and authorities say Cobb was involved in hundreds of office creeper cases over the years.
Office creepers are like computer hackers in that they seek access to unauthorized areas they can exploit for their own gain.
The tactics employed by office creepers and computer hackers often parallel one another. In at least one case, Franks used a stolen security access card to enter secure parts of a building — much as a hacker uses stolen or cracked passwords to access secure computer networks. The man who broke into the Houston firm in 2015 took advantage of a faulty door, like a hacker who exploits a backdoor system vulnerability. But the most common tactic used in both office creeping and hacking seems to be social engineering.
Social engineering is a type of confidence trick. An intruder convinces an authorized worker to give him or her access to an off-limits area. Franks repeatedly used this tactic to gain access to secure government buildings. She flirted with security guards, convinced people that she had left her badge at her desk, chatted up employees outside buildings and then tailed them inside, or stood outside entryways smoking while waiting for someone to open the door. Franks relied on her ability to convince people she was someone who she was not. More extreme versions of social engineering can involve the use of props, such as wearing a hard hat and carrying a clipboard, or carrying a toolbox and ladder, which gives employees a reason to open the door for the imposter.
A Deeper Danger
Many office creepers are simply out to steal personal property. That is just the tip of the iceberg, however, when it comes to the damage an intruder can inflict on a company and its employees. Espionage is a form of surveillance, and all of those familiar with the attack cycle know that pre-operational surveillance is critical to staging a successful attack. Energy companies, for instance, are often targeted by protesters to make a political point. If the protesters gained access to a restricted office building, they would have many opportunities to wreak havoc through sabotage, disruptions or both in a bid to generate adverse publicity. A disgruntled former employee, an extremist with violent motives or a delusional individual could even take lives. In June, police arrested a man carrying firearms and explosive devices on a Google corporate campus. He had attacked the company's offices several times before because he thought Google was spying on him.
Much as social engineering operations have been the root of many successful electronic intrusions, hacking groups also can benefit from gaining access to restricted areas to fill in information gaps about a company.
There are many reasons for people to enter unauthorized areas, including mundane curiosity. Though mechanical security systems are an important tool for countering intrusions, no system is perfect. Humans can override nearly all automated security measures, ensuring that social engineering will remain a threat to physical and network security alike. Companies can deter office creepers and the threats that they pose by practicing standard facility security measures: enforcing badge policies, restricting access with door codes and timers, and, most important, encouraging employees to confront people who try to follow them into restricted areas.
Confronting a Creeper
In many successful office creeper cases, employees cited the social difficulty of challenging people they do not recognize when working in a large office. More often than not, the stranger following you onto the elevator turns out to be a new employee or a co-worker from a different department. Calling someone out as a potential intruder risks embarrassment and offense, but there is no need for the interaction to be hostile. Regular workplace trainings can create an environment in which security enforcement is normal. For reasons that transcend good security practices, encouraging employees to introduce themselves to fellow workers makes for a better workplace. If you do not recognize the person following you into a restricted area, use the opportunity to meet him or her. If someone is not displaying an ID badge, make it a learning moment and remind the person that wearing badges is required. If the person's story does not check out or if he or she cannot produce the proper credentials, alert a security manager.
General awareness on the part of employees can dramatically improve corporate security and deter the majority of opportunistic office intrusions. Increased awareness of the social engineering threat can deter many electronic intrusion attempts as well. Practicing common-sense security measures will help preserve employees' property, work or, in extreme cases, their lives.