The Writing King Your Ethical Ghostwriter. Your Story, Done Right.

The Fake Printer Guy: Social Engineering in Person

TL;DR

The countermeasure that stopped a live payment-terminal swap was not technology. It was one phone number and permission to use it. Attackers walked into our locations as printer technicians and vendor reps. One arrived with hacked payment terminals, our exact model, ready to install. A simple policy, anyone touching equipment means you call IT first, ended that attempt with the attacker dropping his gear and running.

A note before the stories: I do not name companies or locations in these articles, and I generalize identifying details. Specifics are a gift to attackers, even decades later, and the discretion is part of the trade. It is also, not coincidentally, what my ghostwriting clients rely on when they hand me their own war stories.

Social engineering has a physical branch, and at a major national retailer we met it repeatedly. The classic was the printer guy. A man walks into a location in work clothes, says he is here to service the laser printers, replace the cartridges, the big bulky units everyone had back then. The person on site does not know any better, and why would they? Printer service visits are real things that really happen.

Except the printer guy does not want the printers. He wants the building. Once inside, he can look at what is on desks, what is on screens, what is plugged into what, and sometimes he can swap equipment while he is at it. The printer is the pretext; the access is the payload.

The POS swap that almost worked

The serious version of this attack came for the payment terminals. A man showed up at one of our locations to service the point-of-sale terminals, carrying replacements. Hacked replacements: the same model we ran, modified to intercept cards and capture the card verification data, the security code that makes stolen numbers usable.

What stopped him was a policy we had just rolled out, and its power was its simplicity. We did not train staff to evaluate technicians or inspect equipment; frontline staff cannot be equipment inspectors and should not have to be. The policy was: anyone shows up wanting to touch equipment, you call IT. Here is the number. That is the whole policy.

The staff called. Something in the exchange spooked the man, because he dropped his gear and ran. We did forensics on what he left behind and confirmed it: a compromised terminal, our exact model, ready to skim every card in the store. We never caught him. We never had to; the attack died at a phone call.

The phone version of the printer guy

The same pretext works by telephone. Callers claiming to be printer vendors would ring locations and ask who was in charge of what: who runs IT, who approves purchases, who is the manager’s manager. That is reconnaissance for spear phishing. Map the hierarchy, then craft emails impersonating the right names to the right targets. Those attempts failed with us for the same unglamorous reason: staff had strict instructions not to give out organizational information, full stop.

The attack that swaps your payment terminals arrives dressed as a service call. The defense is a phone number and permission to use it.
Share on X

Why the physical version endures

Decades of firewalls have not retired the man in the work shirt, and the economics explain why. A physical pretext attack costs a uniform, a clipboard, and nerve. It defeats, in one stroke, every network control the target owns, because it does not touch the network; it touches the loading dock. And its failure mode is gentle: a technical intrusion leaves logs, while a challenged impostor leaves a building, as ours did, and is simply gone. Low cost, high yield, graceful abort. Attackers are rational, and the rational move against a well-defended network is frequently the front door.

The pretexts evolve with office equipment, printers then, network gear and access points now, but the play is constant: arrive as someone whose presence requires no explanation, and let normalcy do the work a exploit would otherwise have to. The defense is equally constant, which is the encouraging half of this story. Verification procedures do not rust the way software does. The call-IT policy that stopped our terminal swap would stop the same attack today, unmodified.

The design principle

Both defenses share a shape worth stealing. They do not ask frontline people to detect deception, which is a losing game against a professional. They give frontline people a single cheap action that routes the decision to someone equipped to make it. Call this number. Do not answer that question. The attacker’s craft is defeating judgment; the defense removes judgment from the encounter.

When executives write about security, they gravitate toward the digital and skip the man in the work shirt. Their readers run warehouses, stores, and offices where the man in the work shirt is the live threat, and a chapter like this one is the chapter those readers photocopy for their staff.

For more from this series, see the The Cybersecurity Hub: breaches, audits, and hard-won security lessons from four decades in the trenches.

The Guides That Get Your Book Written, Published, and Sold

Four short, practical guides on writing, publishing, and selling your book, plus the occasional note when there's something worth your time. No fluff, no daily inbox clutter. Drop your email and they're yours.

We use MailerLite to manage our list and send these emails. Your address is used only to send you what you signed up for. We will not sell it, share it, or use it for anything else, and you can unsubscribe anytime.

Frequently Asked Questions

What is physical social engineering?
Deception conducted in person: attackers pose as vendors, technicians, or service staff to gain building access, gather information, or swap equipment. The stated purpose, like printer service, is a pretext for the real objective.
How do POS skimming attacks work?
Attackers replace legitimate payment terminals with modified units of the same model that intercept card data, including the card verification code. Installation requires physical access, which is why the attack arrives dressed as a service visit.
What policy stops fake vendor attacks?
A single-action rule: anyone requesting access to equipment triggers a call to IT at a posted number. It removes the judgment burden from frontline staff and routes the decision to people who can verify the visit.

📁︎ Cybersecurity

🏷︎ Retail Security🏷︎ Social Engineering🏷︎ Security Awareness🏷︎ Phishing

📝 Disclaimer

The views and opinions expressed in this blog post are solely those of Richard Lowe and are based on personal experience and research. This content is for informational purposes only and should not be construed as professional legal, financial, accounting, or business advice. Always consult with qualified professionals before making important business or legal decisions. Richard Lowe is not a lawyer, accountant, or licensed professional advisor, and this content does not establish any professional relationship.