Lately I have been doing a couple of social engineering attacks . One of the attacks I did was fairly simple. I had access to a big screen showing me a nice typical Windows background.
When I checked out the back of the screen I found a USB port so as one does when something is in scope, you start having fun with it. I plugged in a USB keyboard and hit the Windows+R combination. A nice window popped up and I opened a notepad so I could write a nice little message to the system administrator with my contact details. I unplugged the keyboard and continued what I was doing.
Later in the afternoon when the message got enough attention I took the message down. It had had the attention of the managers and I was already looking with the infosec-team for solutions.
Funny enough one person from the IT staff came up to me and said that it wasn't a hack since it required physical access to the machine. I pointed out that to a threat agent it doesn't really matter how it gets done, the only thing that matters to a threat agent is that his or her job gets done.