Social Engineering In The South vs. The North

I’m starting to get more opportunities to use social engineering as part of penetration testing jobs, and after a recent success in the Southeastern United States I began pondering something:

Is it easier or harder to do social engineering in the South?

When you first think about it your gut reaction is that it’s easier, but it turns out that it’s all based on what type of attack is being performed. Getting information over the phone and such is most likely much easier, but attempting to physically access a building and roam around might actually be harder. Here’s why.

Southerners are very personable people. They want to know who’s working near them, who just got fired, who the new person is, etc. They don’t often work in close proximity to someone without having made contact with them in some way, shape, or form. This often manifests as extreme kindness, i.e. inviting new acquaintances to eat with their family, etc.

For a pentester trying to go unnoticed, this presents a problem. As I was on one of these engagements earlier this week I wondered if it would be easier in say, the Northeast, where, as I understand, people commonly don’t care at all who the people are around them.

But then I realized that while Southerners are more likely to be familiar with those around them, they’re also probably less likely to challenge someone who’s not supposed to be somewhere. I ran into this during this job as well; someone found me in their server room and didn’t say anything, most likely for fear of being rude.

Anyone have any additional anecdotal evidence to offer?