Understanding and Preventing Cyber Crimes
Social engineering continues to be one of the most successful methods attackers use to infiltrate organizations, not through groundbreaking technology but by exploiting trust, authority, and routine behavior. Housing authorities can be especially appealing targets because they manage public funding, work closely with vendors, handle sensitive tenant information, and provide services that communities rely on every day. Understanding how these tactics work is an important step in reducing risk and helping everyone play a role in keeping our organization secure.
Tailgating
Tailgating occurs when an unauthorized individual gains access to a secure facility by following an employee through a controlled entry point. Common pretexts include:
- "I forgot my badge"
- "I'm new and don't have access yet"
- "My card isn't working, can you hold the door?"
Once inside, an attacker may roam freely, observe workflows, access unattended workstations, note passwords written down, or collect sensitive documents from desks. Physical security policies are only effective when consistently enforced at all levels, including leadership.
Whaling
Whaling is a targeted form of social engineering aimed at individuals with high authority, system access, or financial approval power. Attackers conduct extensive reconnaissance using:
- Public records and websites
- Meeting minutes and agendas
- Social media posts
- Casual conversations with staff or vendors
Once confident, perpetrators launch short, high-impact attacks, often requesting urgent fund transfers, banking changes, or confidential information. Staff become conditioned to act quickly on executive requests, especially when urgency or confidentiality is emphasized.
Baiting
Baiting involves leaving or offering an item, most commonly a USB drive or other electronic media, that appears harmless or enticing. These devices are often preloaded with malware and include:
- USB drives labeled "Payroll," "Audit," or "Tenant List"
- Promotional items handed out at events
- "Found" devices left in offices or parking areas
Once plugged into a computer, malware can silently install itself and provide attackers access to internal systems. Convenience or curiosity can unintentionally bypass technical safeguards. Clear policies and consistent messaging are essential.
Remote Admin Tool
This scam begins with a phone call or online interaction in which the attacker poses as:
- A bank representative
- An internet service provider
- A trusted technical support entity
The victim is told there is an urgent issue that must be resolved immediately. The attacker then instructs them to download a legitimate remote administration tool (often commercially available support software) to "fix" the problem. Even after the session appears to end, the attacker may retain persistent access, enabling long-term monitoring, credential theft, and financial exploitation. Remember that legitimate organizations do not request unsolicited remote access to resolve issues.
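Because the tool itself is legitimate software, the practical control is to notice when it runs where it has not been sanctioned. The script below is an added example, not part of this bulletin: it scans constructed endpoint process-creation log lines, flags remote administration tools on hosts where policy does not approve them, and calls out the signs of a "support session" that was turned into persistent access. The log format, the host names, and the approval policy are all assumptions made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of endpoint process-creation events (not from a real system).
SAMPLE_EVENTS = [
    "2024-03-04T10:02:11 host=FIN-PC07 user=jdoe parent=explorer.exe image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
    "2024-03-04T10:05:40 host=FIN-PC07 user=jdoe parent=chrome.exe image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2024-03-04T10:06:02 host=FIN-PC07 user=jdoe parent=services.exe image=C:\\Users\\jdoe\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe",
    "2024-03-04T11:15:09 host=IT-ADMIN02 user=svc_helpdesk parent=explorer.exe image=C:\\Program Files\\TeamViewer\\TeamViewer.exe",
]

# Executable names of two widely used commercial remote-administration tools;
# extend this set with whatever your own environment has seen.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "teamviewer.exe"}

# Hypothetical policy: which tool is sanctioned on which hosts.
APPROVED = {"teamviewer.exe": {"IT-ADMIN02"}}

# Assumed log layout; the image path comes last so it may contain spaces.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) image=(?P<image>.+)$"
)


def parse_event(line):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def find_unapproved_remote_tools(lines):
    """Return one finding per remote-admin-tool launch not covered by policy."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        exe = PureWindowsPath(ev["image"]).name.lower()
        if exe not in REMOTE_ADMIN_TOOLS or ev["host"] in APPROVED.get(exe, set()):
            continue
        reasons = []
        # A launch from inside a user profile points to an ad-hoc download made
        # during the call rather than a managed installation.
        if "\\users\\" in ev["image"].lower():
            reasons.append("run from user profile")
        # A services.exe parent means the tool now starts as a service, i.e.
        # access that survives the end of the "support" session and a reboot.
        if ev["parent"].lower() == "services.exe":
            reasons.append("installed as a service (persistent)")
        findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "tool": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unapproved_remote_tools(SAMPLE_EVENTS):
        print(f)
```

A single launch from a Downloads folder is worth a call to the user; the same tool reappearing under services.exe minutes later is the pattern to treat as an incident rather than a help-desk ticket.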