We Socially Engineered Our Way Into a Dutch Law Firm in 2 Phone Calls | Stack of Truths

We Socially Engineered Our Way Into a Dutch Law Firm in 2 Phone Calls

May 29, 2026 | 6 min read | Pedro Jose

No zero‑days. No malware. No phishing links. Two phone calls. Twenty minutes. We were inside.

The target: a respected Dutch law firm. Twelve partners. Dozens of lawyers. Client lists that read like a who’s who of Dutch industry. They had firewalls. They had endpoint protection. They had compliance checklists.

They didn’t have a defense against a confident voice and a believable story.

⚑ THE HARD TRUTH

Your MKB's (Dutch SME's) weakest link isn't a firewall misconfiguration. It isn't an unpatched server. It's the friendly receptionist who wants to help. It's the IT support guy who's had a long week. It's every human in your organization trained to be helpful, not suspicious.

The Target: A Mid-Size Law Firm in Utrecht

This wasn’t a tech startup. It was a professional services firm. Lawyers, paralegals, support staff. They handled mergers, contracts, and sensitive client data. Their security policy was standard: strong passwords, MFA on email, regular backups.

They had never run a social engineering test. They assumed their people were too smart to be tricked.

The Attack: Two Phone Calls

Call 1: IT Support Desk (8 minutes)
“Hi, this is Mark from the new litigation team. I just started yesterday. I’m locked out of my laptop. I think I typed the wrong password too many times.”
→ IT support reset the password without verifying identity. No callback to a manager. No second factor.

Call 2: Reception Desk (4 minutes)
“Hi, this is Mark again. IT just reset my password, but my authenticator app isn’t syncing. Could you read me the backup code from my file? HR should have it.”
→ The receptionist found a sticky note with the attorney’s backup codes and read them over the phone.

Access Granted: 20 minutes total
We now had a working password and a set of valid MFA backup codes. The second factor was not bypassed; it was handed to us, so every sign-in satisfied MFA and raised no alarm. Within an hour we were reading confidential client emails, merger documents, and internal strategy notes.
→ The firm never suspected a thing until the debrief.
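Policy should have stopped both calls, but a firm that “never suspected a thing” also had no detection for the one pattern this attack always leaves behind: a help-desk password reset, followed minutes later by a sign-in that satisfies MFA with a backup code from an address the user has never used. The correlation below is an added illustration, not the firm’s tooling or anything from the original post. The event format, field names, users, IPs and timestamps are constructed to resemble an identity provider’s audit log; adapt them to whatever your IdP actually emits.

```python
"""Correlate help-desk password resets with the sign-in that follows them.

Added illustration, not the firm's tooling: the event format below is a
constructed stand-in for an identity provider's audit log. Adapt the field
names to whatever your IdP actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# How long after a help-desk reset a sign-in is still treated as "the" sign-in
# that used the new password. Assumption for the example; tune to your data.
WINDOW = timedelta(minutes=60)

# MFA methods that prove possession of a written-down secret, not of a device.
RISKY_MFA = {"backup_code", "recovery_code"}

# Constructed sample: a baseline day for two users, one genuine reset (alice)
# and one reset obtained by pretext (mark), as in the two calls above.
SAMPLE_EVENTS = [
    {"ts": "2026-05-11T08:55:00", "event": "signin.success", "user": "mark",
     "ip": "198.51.100.10", "mfa_method": "push"},
    {"ts": "2026-05-11T09:00:00", "event": "signin.success", "user": "alice",
     "ip": "198.51.100.10", "mfa_method": "push"},
    {"ts": "2026-05-11T13:10:00", "event": "signin.success", "user": "mark",
     "ip": "198.51.100.10", "mfa_method": "push"},
    # alice really forgot her password: reset, then push MFA from the office
    {"ts": "2026-05-12T08:40:00", "event": "helpdesk.password_reset",
     "user": "alice", "actor": "helpdesk.jan"},
    {"ts": "2026-05-12T08:47:00", "event": "signin.success", "user": "alice",
     "ip": "198.51.100.10", "mfa_method": "push"},
    # the attack: reset, then a backup code from an outside IP 13 minutes later
    {"ts": "2026-05-12T09:02:00", "event": "helpdesk.password_reset",
     "user": "mark", "actor": "helpdesk.jan"},
    {"ts": "2026-05-12T09:15:00", "event": "signin.success", "user": "mark",
     "ip": "203.0.113.45", "mfa_method": "backup_code"},
]


def correlate(events, window=WINDOW):
    """Return one alert per sign-in that looks like a pretext-obtained reset.

    An alert fires when a successful sign-in happens within `window` of a
    help-desk reset for the same user and either (a) MFA was satisfied with a
    backup code, or (b) the source IP has never been seen for that user.
    Both together is 'high'; one alone is 'medium'. Known IPs are learned from
    earlier successful sign-ins in the stream, so feed it a baseline.
    """
    known_ips = defaultdict(set)
    last_reset = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] == "helpdesk.password_reset":
            last_reset[user] = ts
            continue
        if e["event"] != "signin.success":
            continue
        reasons = []
        reset_ts = last_reset.get(user)
        if reset_ts is not None and timedelta(0) <= ts - reset_ts <= window:
            mins = int((ts - reset_ts).total_seconds() // 60)
            if e.get("mfa_method") in RISKY_MFA:
                reasons.append(f"MFA satisfied with {e['mfa_method']} "
                               f"{mins} min after help-desk reset")
            if e["ip"] not in known_ips[user]:
                reasons.append(f"first sign-in ever from {e['ip']} "
                               f"{mins} min after help-desk reset")
        if reasons:
            alerts.append({
                "user": user,
                "ts": e["ts"],
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
        # Learn the IP only after evaluating it, so the attacker's first
        # successful sign-in cannot whitelist itself.
        known_ips[user].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["user"], a["ts"])
        for r in a["reasons"]:
            print("  -", r)
```

On the constructed sample this raises exactly one alert, a high-severity one for mark at 09:15, and stays silent for alice, whose reset was genuine and whose sign-in came from her usual address with push MFA. A rule like this is only a safety net: it fires after the attacker is already in, and it only helps if someone reads it before the debrief.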
THE MATH

2 phone calls + 20 minutes + 0 technical skills = full access to a law firm’s confidential data.

The fix would have cost close to €0: a simple callback policy and staff training on verification.

Why This Works Every Time

  • “Helpful” is the default. Receptionists, IT support, administrative staff: their job is to solve problems, not create them. Attackers exploit that instinct.
  • No verification culture. “Who is this?” gets asked. The question that matters, “how do I know you are who you say you are?”, never gets answered.
  • Authority bias. Attackers sound confident. They use internal jargon. They create urgency. Human brains are wired to comply with perceived authority.
  • No one wants to look stupid. Asking “can you verify your identity?” feels awkward. Most people skip it. Attackers count on that.
🧠 THE SCARY PART

You spent €50,000 on a firewall. You spent €10,000 on endpoint detection. You have MFA on every account. None of it matters if your receptionist reads backup codes over the phone to a stranger with a confident voice.

The attacker doesn’t need to break your tech. They just need to break your people.

Why Professional Services Firms Are Prime Targets

  • Law firms hold secrets. Mergers, litigation strategies, client data. One breach can end a firm’s reputation.
  • Accountants have financial data. Tax returns, audit details, payroll information. Gold for identity thieves.
  • Consultants have trade secrets. Strategy documents, competitive analysis, internal plans.
  • These firms have lower security maturity. They’re not tech companies. They’re professional services. Security is an afterthought.
WHAT A SOCIAL ENGINEERING TEST LOOKS LIKE

Open-source intelligence (OSINT): who works there, what’s their structure, what tools do they use?
Phone pretexting: call IT, call reception, call HR. See who breaks protocol.
Email simulation: send a fake “password reset” or “HR update” and see who clicks.
Report: not 200 pages of noise, but a short list of who helped, what they gave away, and how to fix it.

How to Fix This: Cheap and Simple

  • Implement a verification callback policy. IT support never resets a password without calling back on a known number. Not the number the caller provides. The number on file.
  • Train reception and admin staff. Helpful is good. Helpful without verification is a breach waiting to happen.
  • Ban sharing backup codes over the phone. Backup codes belong to the account owner alone, stored in a password manager, not on a sticky note at reception or in an HR file. Never read aloud, to anyone.
  • Run social engineering tests. Not just technical pentests. Call your own staff. See who breaks. Train the ones who do.
  • Create a “suspicious call” protocol. A simple script: “I need to verify your identity. Can you ask your manager to call our help desk?”
⚠️ THE WAKE-UP CALL

You’re a law firm. You’re an accounting firm. You’re a consultancy. Your clients trust you with their deepest secrets.

Your security posture is only as strong as your receptionist’s ability to say “no” to a convincing voice.

Firewalls don’t answer phones. Your people do. That’s where the real breach starts.

The Bottom Line

Two phone calls. Twenty minutes. Full access to a law firm’s confidential data.

No hacking. No zero‑days. Just human nature.

Your MKB’s weakest link isn’t tech. It’s the friendly receptionist who wants to help. The IT guy who’s had a long week. The paralegal who doesn’t want to be difficult.

Attackers know this. That’s why they call. That’s why they win.

Train your people. Test your people. Or watch someone else do it for you.


Think your team is too smart to be tricked?

Social engineering test: included in retainer. Full pentest: €3,000. Security retainer: €1,500/month.

DM @StackOfTruths on X

Free 15-min consultation. No hard sell. Just honest answers about your human firewall.

