What is Tailgating?
Tailgating (also called piggybacking) is a physical social engineering technique in which an unauthorized individual gains access to a restricted area by closely following an authorized person through a secured entry point. The attacker relies on social norms - politeness, the expectation that someone holding a door is being courteous - to bypass physical access controls without presenting credentials.
How Tailgating Works
The attacker typically approaches a secured entrance while carrying items (boxes, coffee, a laptop bag) so that they look like a legitimate employee and have a visible reason not to reach for a badge. They time their approach to arrive just behind someone who has already badged in, and walk through before the door closes. Variations include posing as a delivery person, a contractor, or a visitor who 'forgot their badge'. In many organizations, employees feel uncomfortable challenging someone who appears to belong, so the door is held open rather than closed.
Why Tailgating Matters for Human Risk
Tailgating demonstrates that social engineering extends beyond digital channels. An attacker who gains physical access to a building can plug into a live network jack, install hardware keyloggers, use unattended or unlocked workstations, steal documents, or plant USB devices. Physical access can sidestep even sophisticated network and endpoint controls, because those controls generally assume the attacker is still outside the perimeter. Organizations that only test their employees against email phishing miss an entire category of human vulnerability.
How to Protect Against Tailgating
- Train employees to challenge unknown individuals at secured entrances
- Implement mantrap or turnstile entry systems that allow only one person per badge scan
- Use security awareness training that covers physical social engineering, not just phishing
- Conduct physical penetration tests to measure tailgating susceptibility
- Establish a culture where challenging someone's access is expected, not rude
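To make "one person per badge scan" concrete as something an access-control or SOC team can actually check, here is an added example (my own, not code from this page or from any badge-system vendor). It replays a constructed door-controller event log and flags the two signals that a tailgate or a held door leaves behind: more passage-sensor hits than badge grants during one door-open cycle, and a door held open longer than policy allows. The log format (ACCESS_GRANTED / DOOR_OPEN / PASSAGE / DOOR_CLOSED events with a door name and badge ID) and the 30-second held-open limit are assumptions; real controllers export different schemas, but the correlation logic is the same.

```python
"""Tailgating indicators from door-controller logs (constructed example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Assumed event format; not a real vendor schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) door=(?P<door>\S+) event=(?P<event>\S+)(?: badge=(?P<badge>\S+))?$"
)
HELD_OPEN_LIMIT_S = 30  # assumed policy threshold for a door-held-open alarm

# Constructed sample log: one clean entry, one entry where two people pass on
# a single grant (the tailgate), and one door left open for 39 seconds.
SAMPLE_LOG = """\
2024-03-04T08:01:02 door=LOBBY-1 event=ACCESS_GRANTED badge=1042
2024-03-04T08:01:03 door=LOBBY-1 event=DOOR_OPEN
2024-03-04T08:01:04 door=LOBBY-1 event=PASSAGE
2024-03-04T08:01:06 door=LOBBY-1 event=DOOR_CLOSED
2024-03-04T08:05:10 door=LOBBY-1 event=ACCESS_GRANTED badge=2210
2024-03-04T08:05:11 door=LOBBY-1 event=DOOR_OPEN
2024-03-04T08:05:12 door=LOBBY-1 event=PASSAGE
2024-03-04T08:05:14 door=LOBBY-1 event=PASSAGE
2024-03-04T08:05:16 door=LOBBY-1 event=DOOR_CLOSED
2024-03-04T08:09:00 door=SERVER-RM event=ACCESS_GRANTED badge=1042
2024-03-04T08:09:01 door=SERVER-RM event=DOOR_OPEN
2024-03-04T08:09:02 door=SERVER-RM event=PASSAGE
2024-03-04T08:09:40 door=SERVER-RM event=DOOR_CLOSED
"""


@dataclass
class Alert:
    kind: str            # tailgate_suspected | door_held_open | open_without_grant
    door: str
    badge: Optional[str]  # last badge granted in the cycle, if any
    when: datetime
    detail: str


def parse_log(text: str) -> List[dict]:
    """Parse the assumed line format into event dicts; reject anything else."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append({"ts": datetime.fromisoformat(m["ts"]), "door": m["door"],
                       "event": m["event"], "badge": m["badge"]})
    return events


def _fresh_cycle() -> dict:
    return {"grants": [], "opened": None, "passages": 0}


def detect_tailgating(events: List[dict], held_open_limit_s: int = HELD_OPEN_LIMIT_S) -> List[Alert]:
    """Correlate grants, door state and passage-sensor hits per door-open cycle."""
    alerts: List[Alert] = []
    cycles = {}  # door -> state of the current open cycle
    for ev in events:
        door, kind, ts = ev["door"], ev["event"], ev["ts"]
        st = cycles.setdefault(door, _fresh_cycle())
        if kind == "ACCESS_GRANTED":
            st["grants"].append(ev["badge"])
        elif kind == "DOOR_OPEN":
            st["opened"], st["passages"] = ts, 0
            if not st["grants"]:  # propped, forced, or opened from inside for someone
                alerts.append(Alert("open_without_grant", door, None, ts,
                                    "door opened with no preceding badge grant"))
        elif kind == "PASSAGE":
            st["passages"] += 1
        elif kind == "DOOR_CLOSED":
            badge = st["grants"][-1] if st["grants"] else None
            if st["passages"] > len(st["grants"]):
                alerts.append(Alert("tailgate_suspected", door, badge, ts,
                                    f"{st['passages']} passages on {len(st['grants'])} grant(s)"))
            if st["opened"] is not None:
                held = (ts - st["opened"]).total_seconds()
                if held > held_open_limit_s:
                    alerts.append(Alert("door_held_open", door, badge, ts, f"open for {held:.0f}s"))
            cycles[door] = _fresh_cycle()  # the cycle ends when the door closes
    return alerts


if __name__ == "__main__":
    for a in detect_tailgating(parse_log(SAMPLE_LOG)):
        print(f"{a.when.isoformat()} {a.door} {a.kind} badge={a.badge} ({a.detail})")
```

The first alert is the case a turnstile or mantrap prevents by construction: two passage-sensor hits on badge 2210's single grant at LOBBY-1. The second is the softer signal that usually precedes a tailgate at an ordinary door, the server-room door standing open well past the limit. Neither check needs camera footage, and both can be fed to the same SIEM that already ingests badge events, which is also a cheap way to score the physical penetration tests the list above recommends.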
Frequently Asked Questions
Why is tailgating effective despite being a simple technique?
Tailgating exploits social norms and politeness. Employees feel uncomfortable challenging someone who appears to belong, especially when carrying items that suggest legitimacy.
What can an attacker do with physical access to a building?
Physical access enables attackers to plug into network jacks, install hardware keyloggers, access unattended workstations, steal documents, or plant USB devices for later exploitation.
How do mantrap and turnstile systems prevent tailgating?
Both enforce one passage per badge scan mechanically rather than by relying on people. A turnstile releases for a single rotation (or a single optical lane crossing) per valid scan, so a second person cannot follow through on the same credential. A mantrap is a small vestibule with two interlocked doors: the outer door must close before the inner one will unlock, and the space is sized for one person, so anyone who slipped in behind the badge holder is trapped between the doors rather than inside the facility.
Should employees feel rude challenging someone at a secure entrance?
No. Organizations should explicitly encourage employees to challenge unknown individuals. Establishing this culture requires framing security questions as normal and necessary, not rude.