Phishing emails and fake calls are nothing new. But one hacker group has gone a step further - sending fake IT workers straight into the offices of their victims, where real people walk in the door, pose as technical support, and steal data with an ordinary USB stick. Google and the FBI are warning about it.

On Friday, Google's security teams - Mandiant and the Google Threat Intelligence Group - published a report accusing the group known as the Silent Ransom Group of trying, between January and May this year, with „in-person physical access," to steal data from „dozens" of victims. The targets are most often law firms.

The scenario is frighteningly simple. Someone calls, poses as IT support, leads you into a screen-sharing session under the pretext of fixing a security problem or migrating data. And in some cases, the fake „technician" simply shows up at the office, connects to a computer, and with a USB stick or a remote-access tool carries off contracts, personal data, social security numbers, financial and tax records.

Then comes the extortion. The group threatens to publish the stolen data on its site if the victim doesn't pay - and it actually does publish it. The message to victims is direct: „In case of ignoring or disagreement, we will notify your employees, partners, and clients, after which we will publish your data."

Charles Carmakal, Mandiant's chief technology officer, reminds us this isn't as new as it looks: „Mandiant has investigated various cases where attackers embedded insiders, bribed employees, or physically entered buildings to enable cyberattacks." The lesson is as old as security itself: the weakest link in any system isn't the software, but the person who'll open the door to someone who looks like they came to help.