Fake IT Workers Show Up In Person: Verify Access

Someone walks into your office carrying a laptop bag and a smile. They tell your front desk they're from your IT vendor, here to "run some updates." Nobody called ahead. But they seem confident, they know your vendor's name, and your office manager doesn't want to be the person who held up a scheduled maintenance window.

So they get buzzed in.

This is not a hypothetical. It is happening right now, to businesses your size.

The Silent Ransom Group Is Walking Into Offices

A ransomware group known as Silent Ransom Group — also tracked as Luna Moth — has been caught combining phone-based impersonation, fake IT support calls, and in-person office intrusions to steal data and extort victims. Their recent targets include US law firms, where operatives posed as IT personnel to gain physical access to workstations and internal systems.

This isn't a smash-and-grab. It's a layered social engineering campaign that starts with a vishing call to establish trust, escalates to a fake IT worker showing up on-site, and ends with data exfiltration and extortion demands. The group specifically targets organizations that lack formal vendor verification procedures — which describes the majority of businesses under 250 employees.

If you've read our breakdown of how social engineering leads to employee account breaches in small businesses, you already know how effective impersonation is over the phone. Now imagine that same attacker standing in your lobby.

Why Five Minutes Alone With a Laptop Is All It Takes

The physical access problem is compounded by what's happening on the vulnerability side right now.

According to The Hacker News, Microsoft's most recent Patch Tuesday addressed a record-breaking 206 vulnerabilities — including 56 remote code execution flaws and three zero-days that were already publicly disclosed before patches were available. That means attackers had working exploit code in the wild before most organizations had a chance to patch.

Making it worse: according to The Hacker News, a zero-day in Microsoft Defender dubbed RoguePlanet allows an attacker to gain SYSTEM-level access on a fully patched Windows machine. An impersonator who sits down at an unlocked workstation for five minutes — under the guise of "running updates" — has a ready-made toolkit to own your entire network before they stand up again.

This is why the physical access question isn't just a front-desk etiquette issue. It's a ransomware exposure issue.

The Verification Gap at 50 Employees

Large enterprises have gatekeeping baked in: visitor management systems, escort policies, vendor credentialing portals, and security staff. A 50-person company typically has none of that. What it usually has is one office manager, a shared calendar, and a culture of assuming good intent.

That gap is exactly what Silent Ransom Group and groups like them are exploiting.

The good news: closing this gap doesn't require enterprise budget. It requires a written procedure and about 30 minutes of staff training.

The Vendor Verification Checklist for Small Businesses

Here's a practical checklist you can implement this week:

Before anyone is let in:

  1. Require advance notice in writing. Any legitimate IT vendor or technician should be scheduled in advance via email or ticketing system. Walk-ins from vendors should be treated as automatic red flags; that's not rudeness, it's policy.

  2. Verify against a known contact. When someone shows up claiming to be from your IT vendor, call the vendor directly using a number from your records (not a number the visitor provides). Confirm the person's name, the work order, and the scope of access.

  3. Check photo ID and match it to the work order. The name on the ID should match the name on the confirmed work order. Document it.

  4. Never leave them unsupervised. Assign a point of contact from your staff to remain present during any on-site IT work. "I'll just let you work" is not an acceptable handoff.

For remote access requests (phone or Teams):

  1. Hang up and call back. If someone calls claiming to be IT support and asks for credentials or remote access, end the call and call your IT provider back on a verified number. We've covered the Microsoft Teams helpdesk impersonation vector in detail — the same logic applies to phone calls.

  2. No credentials over the phone, ever. Legitimate IT support does not need your password. If they ask for it, that's the tell.

Access hygiene that limits blast radius:

  1. Lock workstations when unattended. Screen lock should be automatic at 2-3 minutes of inactivity, enforced by policy. A visitor who gets two minutes alone with an unlocked machine has enough time to deploy a payload.

  2. Audit who has physical access to server rooms and network closets. If your key list hasn't been reviewed since the last employee left, review it today. Our employee offboarding security checklist walks through access revocation in detail.

  3. Log all on-site vendor activity. Date, time, name, company, work performed, systems accessed. A simple spreadsheet is fine. The habit is what matters.

Make This a Written Policy, Not a Verbal Norm

The reason these attacks work is that small businesses operate on trust and informal norms. "We all know each other" is not a security control. When someone new walks in with confidence and a plausible story, informal norms collapse.

A one-page written vendor access policy — posted at reception, reviewed during onboarding, and referenced when someone shows up unannounced — gives your staff the cover to say "I need to verify this before I can let you in" without feeling like they're being difficult. That policy is your first line of defense.

Your Digital Perimeter Matters Too

Physical access is the entry point, but the damage happens in your network. An impersonator who gets hands on a machine is looking for credentials, open RDP sessions, unpatched vulnerabilities, and lateral movement paths. The more exposed your digital environment is, the more damage five minutes of physical access can do.

Knowing what's exposed before an attacker finds it is the difference between a contained incident and a ransomware event.


Take Action

Physical security procedures stop the walk-in. Vulnerability management limits what an attacker can do if they get through.

Oscar Six Security's Radar gives small businesses a continuous view of their exposed attack surface — open ports, unpatched services, misconfigured systems — for $99 per scan. If an impersonator does get five minutes with a machine, you want to already know what they'd find.

Focus Forward. We've Got Your Six.

Frequently Asked Questions

How do I verify an IT technician who shows up at my office?

Call your IT vendor directly using a phone number from your own records — not one the visitor provides — and confirm the technician's name, the work order number, and the scope of the visit. Ask for a photo ID and match it to the confirmed work order before granting access. Never allow an unscheduled technician to work unsupervised.

What is Silent Ransom Group and how do they attack businesses?

Silent Ransom Group (also known as Luna Moth) is a ransomware and extortion group that combines vishing calls, IT staff impersonation, and in-person office intrusions to steal data from victims. They have recently targeted US law firms by sending operatives posing as IT workers to gain physical access to workstations. Small businesses without formal vendor verification procedures are especially vulnerable.

Can an attacker really compromise my network in just a few minutes of physical access?

Yes. A recent zero-day in Microsoft Defender (RoguePlanet) allows an attacker to gain SYSTEM-level access on a fully patched Windows machine, and Microsoft's latest Patch Tuesday addressed 56 remote code execution vulnerabilities. An impersonator with even a few minutes alone at an unlocked workstation can deploy a payload, harvest credentials, or establish persistent access. Running a vulnerability scan with a tool like Oscar Six Radar helps you understand what an attacker would find if they got that access.

What should a small business vendor access policy include?

At minimum, your policy should require advance written scheduling for all vendor visits, identity verification against a confirmed work order, prohibition on unsupervised access, and a log of all on-site activity including systems accessed. Staff should be trained to treat unannounced IT visitors as a red flag, not an inconvenience to accommodate.

How much does a vulnerability scan cost for a small business?

Enterprise vulnerability management tools can cost hundreds to thousands of dollars per month, but Oscar Six Security's Radar offers vulnerability scanning for $99 per scan — designed specifically for small businesses and MSPs managing client security. Regular scanning helps identify exposed services and unpatched systems before an attacker — or a fake IT worker — can exploit them.

Step-by-Step Guide

  1. Require advance scheduling

    Establish a policy that all vendor and IT technician visits must be scheduled in advance via email or ticketing system. Treat any unannounced walk-in as a red flag requiring escalation before access is granted.

  2. Verify via a known contact

    When a technician arrives, call your IT vendor directly using a number from your own records to confirm the person's name, work order, and scope of access. Do not use contact information provided by the visitor.

  3. Check photo ID against the work order

    Ask for a government-issued photo ID and verify that the name matches the confirmed work order. Document the visitor's name, company, arrival time, and the systems they are authorized to access.

  4. Assign a staff escort

    Designate a staff member to remain present and supervise all on-site IT work from start to finish. No vendor or technician should ever be left alone with business hardware or network equipment.

  5. Enforce workstation lock policies

    Configure automatic screen lock at 2-3 minutes of inactivity on all workstations and enforce it via group policy. An unlocked machine left unattended for even a few minutes is enough for a malicious actor to establish persistent access.

  6. Audit physical access to server rooms

    Review who currently holds keys or badge access to server rooms and network closets, and revoke access for anyone who no longer requires it. Cross-reference against your employee and vendor roster, especially following any recent offboarding.

  7. Log all vendor activity

    Maintain a simple log — a spreadsheet is sufficient — recording the date, technician name, company, work performed, and systems accessed for every on-site vendor visit. This creates accountability and an audit trail if an incident occurs.
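As an added example (not Oscar Six's code or tooling), the PowerShell below audits the workstation inactivity lock from step 5 and the access-hygiene checklist on a Windows host and applies the machine-wide limit if it is missing or too long. It assumes local administrator rights; in a domain the same values are normally delivered by a GPO, so there the script serves as a spot check rather than the enforcement mechanism. The registry paths are the backing values for the "Interactive logon: Machine inactivity limit" security option and the screen-saver policy settings.

```powershell
# Added example: audit and enforce an automatic screen lock at <= 3 minutes of inactivity.
# Run from an elevated PowerShell session on the workstation being checked.

$MaxIdleSeconds = 180   # upper end of the 2-3 minute guidance in the checklist

# Backing keys for the policy settings (well-known locations, not page-specific values)
$MachinePolicy     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ScreenSaverPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-PolicyValue {
    # Reads one registry value, returning $null when the key or value is absent
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-WorkstationLockPolicy {
    # Returns an object describing whether this host meets the inactivity-lock target.
    # Either control is acceptable: the machine inactivity limit (locks regardless of
    # user settings) or a password-protected screen saver enforced by policy.
    param([int]$MaxSeconds = $MaxIdleSeconds)

    $inactivity = Get-PolicyValue $MachinePolicy     'InactivityTimeoutSecs'
    $ssActive   = Get-PolicyValue $ScreenSaverPolicy 'ScreenSaveActive'
    $ssSecure   = Get-PolicyValue $ScreenSaverPolicy 'ScreenSaverIsSecure'
    $ssTimeout  = [int](Get-PolicyValue $ScreenSaverPolicy 'ScreenSaveTimeOut')  # $null -> 0

    $machineOk = ($null -ne $inactivity) -and ($inactivity -gt 0) -and ($inactivity -le $MaxSeconds)
    $saverOk   = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and
                 ($ssTimeout -gt 0) -and ($ssTimeout -le $MaxSeconds)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        InactivityTimeoutSecs = $inactivity
        ScreenSaverTimeoutSec = $ssTimeout
        ScreenSaverSecure     = ($ssSecure -eq '1')
        Compliant             = ($machineOk -or $saverOk)
    }
}

function Set-WorkstationLockPolicy {
    # Applies the machine-wide inactivity limit; takes effect at the next logon / policy refresh.
    param([int]$Seconds = $MaxIdleSeconds)
    if (-not (Test-Path $MachinePolicy)) { New-Item -Path $MachinePolicy -Force | Out-Null }
    Set-ItemProperty -Path $MachinePolicy -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

# Usage: audit first, then enforce only where the host is non-compliant
$state = Test-WorkstationLockPolicy
$state | Format-List
if (-not $state.Compliant) { Set-WorkstationLockPolicy }
```

Run the audit half across every workstation (for example via a remoting loop or your RMM) and keep the output alongside the vendor activity log so the two controls are reviewed together.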