Social Engineering: What is Tailgating?
Tailgating, or piggybacking, is a physical social engineering attack in which a person seeks to enter a restricted area they are not authorized to access.
Put simply, tailgating is when someone sneaks into a restricted area by using someone else. This can be done by following a person closely while carrying something and asking them to “Hold the door, please!”. Alternatively, an attacker can fool people by pretending to be someone else, just as in phishing or pretexting (for instance, posing as a pest exterminator).
Tailgating differs from other social engineering attacks, though. It is a physical intrusion carried out to reach sensitive data, money, equipment and so on. In this respect it is closer to baiting.
Some piggybacking attack examples
A person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens the door, the attacker asks the employee to “hold the door” and thereby gains access to the company through an authorized person.
The impostors can take many roles: repair technicians, individuals pretending to carry heavy boxes, anyone you wouldn’t think twice about holding the door for. Once inside, they can use other social engineering techniques, such as shoulder surfing, to steal information from unsuspecting employees.
However, tailgating does not work in all corporate settings. In large companies, for instance, everyone entering a building needs to swipe a card. In mid-sized enterprises, on the other hand, attackers can strike up conversations with employees and use this show of familiarity to get through.
The core aim of an attacker in this type of social engineering is to gain physical access to the site. To enter a restricted area protected by electronic access control (for example, an RFID card reader), the attacker simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door for the attacker.
The most famous tailgating example is probably the well-known story of Frank Abagnale, which you may have discovered in the movie “Catch Me If You Can”. Abagnale scammed many people and entered many restricted areas where he was not allowed. Acting with confidence got him into many places and let him fool many people.
How to prevent tailgating or piggybacking in your company?
A tailgating attack can be especially dangerous to mid-sized and larger organizations, because there is so much at stake: company secrets, money and equipment can all be stolen. A more severe example is installing a backdoor on a server to eavesdrop on every conversation on the company’s network.
If you work for a mid-sized company, you should start challenging everyone who wants to access the premises. It may feel rude and awkward, but it is in your company’s best interest. Ask management to install biometric scanners and turnstiles so that a tailgater cannot simply walk into the building.
Biometric scanners and turnstiles stop a tailgater from walking in alongside you, because they only let one person through per authorization. In addition, you should challenge the individual and ask questions that only employees would know.
Although it looks simple, tailgating or piggybacking can be an effective way for your competitors to spy on your company. Learn more about securing your company from data spying and protecting your computers.
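The one-person-per-authorization rule that turnstiles enforce mechanically can also be checked after the fact in the access-control logs of an ordinary badge door. The following script is an added example (it is not Mailfence’s code and not a real vendor’s log format): it assumes a hypothetical log in which each line carries a timestamp, a door name and either a badge read with its result or a “passage” hit from a door sensor or people counter, and it assumes a 10-second grace window in which passages are attributed to the most recent grant. Both the sample log lines and the `parse_events` / `find_tailgating` names are constructed for the example. A grant followed by more than one passage is flagged as possible tailgating; a passage with no preceding grant is flagged separately, since that points to a propped or forced door rather than a held one.

```python
"""Tailgating indicators from constructed badge-door logs (added example)."""
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "key=value" format (not a real reader's output).
SAMPLE_LOG = """\
2024-05-06T08:01:02 door=LOBBY-1 type=badge id=EMP-0042 result=granted
2024-05-06T08:01:05 door=LOBBY-1 type=passage
2024-05-06T08:01:07 door=LOBBY-1 type=passage
2024-05-06T08:15:30 door=LOBBY-1 type=badge id=EMP-0117 result=granted
2024-05-06T08:15:33 door=LOBBY-1 type=passage
2024-05-06T08:20:00 door=LOBBY-1 type=badge id=EMP-0042 result=granted
2024-05-06T08:20:04 door=LOBBY-1 type=passage
2024-05-06T08:20:06 door=LOBBY-1 type=passage
2024-05-06T08:20:08 door=LOBBY-1 type=passage
2024-05-06T09:02:11 door=SIDE-2 type=passage
"""


def parse_events(text):
    """Turn the constructed log text into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts_str)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_tailgating(events, window_seconds=10):
    """Attribute passages to grants and return a list of alert dicts.

    window_seconds is an assumed grace period: passages at the same door
    within that many seconds after a granted badge read belong to it.
    Each passage is matched to at most one grant (the earliest eligible one).
    """
    window = timedelta(seconds=window_seconds)
    grants = [e for e in events if e["type"] == "badge" and e.get("result") == "granted"]
    passages = [e for e in events if e["type"] == "passage"]
    matched = set()
    alerts = []

    for grant in grants:
        count = 0
        for idx, passage in enumerate(passages):
            if idx in matched or passage["door"] != grant["door"]:
                continue
            if grant["ts"] <= passage["ts"] <= grant["ts"] + window:
                matched.add(idx)
                count += 1
        if count > 1:
            # One authorization, several people through the door.
            alerts.append({
                "kind": "tailgating",
                "door": grant["door"],
                "badge": grant["id"],
                "ts": grant["ts"],
                "extra": count - 1,
            })

    for idx, passage in enumerate(passages):
        if idx not in matched:
            # Nobody badged in: propped, forced or bypassed door.
            alerts.append({
                "kind": "passage_without_grant",
                "door": passage["door"],
                "ts": passage["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_tailgating(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the constructed sample, badge EMP-0042 is followed by two passages at 08:01 and three at 08:20, so two tailgating alerts are raised (one and two extra entrants), while the lone passage at SIDE-2 is reported as a passage without any grant. On a real system the grace window and the matching of sensor hits to badge reads need tuning per door, and an alert is a prompt to review camera footage or challenge the entrant, not proof of an intrusion.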
Knowledge is power
While one probably can’t waltz into a military base announcing “Exterminator!”, tailgaters often take advantage of unaware employees. It is absolutely vital that you train your employees and arm them with the knowledge that will help them prevent such social engineering attacks.
You can provide them with a free security & privacy awareness course to make sure they never fall for a tailgating attack again. Every time your company takes on a new intern, make sure you provide them with basic cybersecurity training, as 99% of interns are completely unaware that such attacks exist.
None of these tips will matter if you don’t stay vigilant and remain suspicious of everyone you don’t know. Holding the door for a person who is “running late” seems harmless, but that decision carries a lot of weight. As an employee, you are responsible for making sure that nobody except authorized personnel enters the building(s).
The key to stand against this type of social engineering attack is to
KEEP YOUR EYES WIDE OPEN and STAY VIGILANT in the work-premises!
Check out this article on how to avoid social engineering schemes.
– Mailfence Team
Vlad has been writing online privacy and security-related content for companies in email privacy, VPN, cloud computing, DNS/WHOIS and other fields since 2014. He started working in email privacy in 2018 before joining Mailfence in 2021. You can follow him on LinkedIn @vladimircovic and on Twitter @covic_vladimir