What is Diversion Theft? Attack and Defense Strategies | EasyDMARC

As organizations’ security defenses become more robust, cybercriminals look for ways to use social engineering and exploit the weakest link in the security chain—the human. 

Diversion theft in social engineering is one of the many techniques attackers use to manipulate their victims. Read on to learn more about it, how it works, and prevention tips.

So what is diversion theft?

What is Diversion Theft?

Diversion theft is a social engineering technique used to manipulate human psychology. It started as an offline attack, where the thief tricks a courier or delivery company into going to the wrong drop-off or pick-up location.

This type of attack is also known as the “round the corner game” or “corner game,” and it originated in the East End of London before the introduction of the internet. 

How Does Diversion Theft Work?

Diversion theft can happen offline or online. Although it’s commonly committed online due to technological advancement, criminals can still execute the attack offline. Regardless, diversion theft means intercepting a transaction. 

With offline theft, a van carrying goods can be redirected to a location different from the real address. The attacker will often plant their subordinates at the new location, who then have easy access to the goods, which can be substituted or stolen. 

The introduction of the internet has made diversion theft via social engineering even easier. Scammers work to access information about items you’ve ordered online. This can include the delivery date, address, and the item to be delivered. With this information, attackers pose as the delivery person to supply fake items, then wait to receive the real parcels. 

Attackers also use online diversion theft to trick users into sending them information. They rely on social engineering techniques like pretexting and phishing (including variants such as whaling and spear phishing).

Examples of Diversion Theft

To effectively counter this attack, it helps to familiarize yourself with examples of diversion theft. The attacker aims to either steal goods and sensitive information or deliver fake or infected goods.

If you order a laptop, the attacker can deliver a malware-infected one. This can be a double profit for the scammer—they get a new laptop and can spy on the victim to steal sensitive data.

In real life, diversion theft can get quite high-profile. In extreme cases, it can involve pharmaceuticals and high-risk materials, and the actors turn out to be extremists and terrorist organization representatives. That said, individuals and small businesses are still at risk of becoming victims of this social engineering attack.

Why is Diversion Theft Effective?

Diversion theft can only be effective with impactful social engineering techniques. Offline diversion is only successful if it’s convincing. High-profile diversion theft involves a coordinated attack strategy from a group of malicious actors. 

Online diversion theft is more targeted and works on a more personal scale. The best way to counter this attack is to understand how social engineers think and what they need from you.

How to Avoid Diversion Theft

Diversion theft often exploits the human factor to steal goods or access sensitive data. Still, prevention is possible. There’s no single solution, but the following tips are vital to mitigate such attacks.

Get Confirmation From the Original Source

If you get an email from a supposedly legitimate representative asking for sensitive information or to redirect an item to a new location, then something’s up. Ask the proper authority before taking action. Also, the delivery agent should confirm everything with the recipient before releasing the package. 

The recipient should also ask for the courier’s ID and contact the organization to verify that the order is the original one. 

Educate Your Staff

Even with the implementation of sophisticated security measures, the human factor can still be manipulated. In “The Art of Deception,” Kevin Mitnick mentions that security is merely an illusion, which is intensified through human ignorance and gullibility.

Indeed, diversion theft is a social engineering technique that can succeed when people are ignorant.

That said, it’s imperative that organizations educate their employees on the different social engineering tactics attackers use to compromise systems and how to avoid them. 

Physical Security is Important

Diversion theft can also happen offline, and attackers can execute it in many ways. An attacker can create a physical diversion to gain access to an organization’s offices and resources.

Like with tailgating, protecting your company’s physical space is crucial to prevent diversion theft. While the former is usually more subtle, the latter can cause mass chaos with the goal of obtaining massive amounts of data or causing more damage. With competent security in place, businesses can be much more vigilant about who enters the premises and stop such assaults before they happen.

Final Thoughts

Diversion theft is a serious issue, especially when gullibility and ignorance come into play. Both individuals and organizations can counter such attacks by staying vigilant, verifying delivery details, and securing their premises. 

Most importantly, organizations should carry out proper awareness programs to educate their staff on diversion theft and its impact on business continuity. 

You can check our post on social engineering and its types to understand the various attack vectors and how to prevent them.

Content Team Lead | EasyDMARC
Hasmik talks about DMARC, email security, and cyberawareness. She finds joy in turning tough technical concepts into approachable and fun articles in plain language.

