Fraudsters have countless tricks up their sleeves to bypass security measures and access sensitive information. In most cases, this refers to cyber crime, but organisations cannot overlook the threat of scammers gaining physical access to their premises.
Although it’s a much bolder method – given that a criminal could get caught in the act – many organisations don’t protect their physical perimeter in the same way that they stay safe online, presenting opportunities for attackers to strike.
One of the most popular techniques is tailgating. In this blog, we explain what tailgating is, how it works and the steps that organisations can take to prevent it.
What is tailgating?
When you hear the word ‘tailgating’, you probably think of someone who drives close behind another car so that they are almost touching its tailgate.
The same principle, believe it or not, applies to buildings. In a physical security context, a tailgater is someone who stays close behind an authorised person as they enter or exit a building. Their goal is to be near enough to the door to walk through before it closes, without presenting a key, key card or passcode of their own.
The fraudster’s ultimate goal is to gain physical access to a secure part of the premises so that they can steal confidential information.
They might do this by timing their approach so they can grab the door before it closes. Alternatively, they might use social engineering techniques to persuade an employee to hold the door open for them. Some practitioners reserve the term ‘piggybacking’ for this second, consensual variant, but the risk to the organisation is the same.
Social engineering is a collective term for the ways people manipulate others into performing certain actions. In information security terms, it refers to the ways that crooks trick people into granting them access or information they should not have.
For example, phishing is a type of social engineering, with the attacker sending an email that masquerades as legitimate correspondence. Tailgating can work in the same way, with the interloper appearing to be a trusted individual.
But unlike phishing attacks, the fraudster doesn’t always need a clear pretext to trick people – as we explain in the next section.
Tailgating attack examples
In the most basic form of tailgating, the fraudster simply waits by a door until someone with legitimate access opens it, then follows them into the building.
They often get away with this because people will assume that the person has a right to enter – provided they act as though they belong. Sneaking around or loitering will make people suspicious, which is why timing and confidence are crucial.
Often, the attacker will attempt to blend in and give a plausible reason for being near the door. For example, they might find a back entrance where employees go for cigarette breaks, or approach staff as they enter the building, which helps them pass through reception unnoticed.
Alternatively, the tailgater might stand out of sight and make a move as soon as someone comes through the door. They could explicitly ask the person to hold the door open, appearing rushed and banking on the other person being too polite to close the door on them.
The scammer might even have their hands full – perhaps with paperwork or takeaway coffee – which would explain why they need the door held open.
These are the simplest forms of tailgating, because at no point does the fraudster have to say why they are trying to enter the building; it is simply assumed that they belong there.
However, it’s also the riskiest technique, because an employee might question their credentials or ask why they don’t have a key or passcode to the building.
Given that attackers often spend days researching premises to break into – knowing that they need a clear plan to steal information and get out again as soon as possible – they won’t want to risk getting caught. As such, many take a more complex route but one that holds up better to questioning.
The most common example is to pretend to be a delivery driver or tradesperson. This requires them to bring props such as a uniform, van, package or toolbox to appear legitimate.
This gives them a clear pretext for entering the building while also explaining why they don’t have a key or passcode. It also helps them move around the building without anyone asking them who they are or what they are doing.
However, making their presence in the office more explicit limits their ability to act surreptitiously. You would be more likely to notice a delivery driver or tradesperson enter the server room than someone dressed like any other employee, unless their cover story explains it: an air-conditioning engineer heading for the server room draws far fewer questions than a parcel courier doing the same, which is why visitors and contractors should be escorted rather than left to wander.
How can organisations prevent tailgating attacks?
There are several ways for organisations to prevent tailgating attacks. The most important step is to ensure that there are measures in place to prevent unauthorised people from entering parts of the building that contain sensitive information.
One such measure – which we’ve referred to throughout this article – is for building entrances to be protected with a key, key card or passcode. Every employee should receive a credential specific to the building they work in, and in large organisations there might be additional credentials for specific parts of the building. Bear in mind, though, that a locked door only checks the person who presents the credential; tailgating is precisely the attack that rides through on someone else’s swipe. The door system therefore needs to be backed by reader logs that are reviewed for impossible sequences (a badge leaving an area it never entered, or appearing deep inside the building without passing the outer door), and, where the budget allows, by turnstiles or similar doors that admit one person per credential.
However, implementing such a system can be expensive – and in some organisations it simply isn’t feasible. There are some industries where employees are required to move regularly between public and employee-only spaces, and it would hinder business if they were forced to lock or unlock a door every time.
In those cases, video surveillance is a helpful tool. It won’t necessarily catch a tailgater in the act (unless you have someone constantly monitoring the footage), but it is a useful deterrent and gives you evidence to work from after the event.
Both the organisation and the potential tailgater know that once a security incident has been discovered, the perpetrator could be identified by the footage. This greatly increases the chances that they will be apprehended, and as a result will dissuade them from targeting the organisation.
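The log review mentioned above can be automated. The following is an added example, not code from the original post or from any access-control vendor: it models each badge reader as a one-way transition between two zones, replays the granted swipes in a constructed log and flags any swipe that is physically impossible given where that badge was last recorded (the classic anti-passback check). The reader names, zone layout and log format are assumptions for illustration; real systems export their own formats.

```python
"""Anti-passback check over badge-reader logs (added example with constructed data).

Each reader is modelled as a one-way transition between two zones. A granted
swipe whose holder is not currently in the reader's source zone means the
person reached that door without badging, which is the trace a tailgater
(or the employee who let one in) leaves behind.
"""
from dataclasses import dataclass

# Hypothetical reader layout: reader id -> (zone it is entered from, zone it leads to).
READERS = {
    "lobby-in": ("outside", "office"),
    "lobby-out": ("office", "outside"),
    "server-in": ("office", "server_room"),
    "server-out": ("server_room", "office"),
}

# Constructed sample log in a simple "timestamp,key=value,..." format (not a real export).
SAMPLE_LOG = """\
2024-03-04T08:01:12Z,reader=lobby-in,badge=1001,result=granted
2024-03-04T08:01:40Z,reader=server-in,badge=1001,result=granted
2024-03-04T08:02:05Z,reader=server-in,badge=1002,result=granted
2024-03-04T08:30:00Z,reader=server-out,badge=1003,result=granted
2024-03-04T08:45:00Z,reader=lobby-in,badge=1004,result=denied
2024-03-04T08:45:10Z,reader=server-in,badge=1004,result=granted
2024-03-04T09:10:00Z,reader=server-out,badge=1001,result=granted
2024-03-04T09:11:00Z,reader=lobby-out,badge=1001,result=granted
"""


@dataclass(frozen=True)
class Violation:
    timestamp: str
    badge: str
    reader: str
    expected_zone: str  # zone the reader is entered from
    recorded_zone: str  # zone the badge was last granted into


def parse_event(line):
    """Split one log line into (timestamp, reader, badge, result)."""
    ts, *fields = line.strip().split(",")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["reader"], kv["badge"], kv["result"]


def find_anti_passback_violations(log_text, readers=READERS):
    """Replay granted swipes in order and return the ones that are physically impossible."""
    location = {}  # badge -> zone it was last granted into; unknown badges start outside
    violations = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, reader, badge, result = parse_event(line)
        if result != "granted":
            continue  # a denied swipe moves nobody
        from_zone, to_zone = readers[reader]
        current = location.get(badge, "outside")
        if current != from_zone:
            violations.append(Violation(ts, badge, reader, from_zone, current))
        location[badge] = to_zone  # resync: the door did open, so this is where they are now
    return violations


if __name__ == "__main__":
    for v in find_anti_passback_violations(SAMPLE_LOG):
        print(f"{v.timestamp} badge {v.badge} at {v.reader}: "
              f"expected in {v.expected_zone!r}, last recorded in {v.recorded_zone!r}")
```

On the sample data this flags badge 1002 (entered the server room without ever passing the lobby), 1003 (left the server room without having entered it) and 1004 (denied at the lobby, yet granted at the inner door moments later): each is a person who got past one door on someone else’s swipe. One caveat when applying this to a real building: doors with free egress (push-bar exits with no reader) let people leave without a log entry, so either model those exits explicitly or restrict the check to entry readers, otherwise legitimate staff will trip it on their next entry.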
The most effective measure for preventing tailgating attacks, however, is staff awareness training. Like other forms of social engineering, tailgating exploits people’s unfamiliarity with the threat and their reluctance to challenge a stranger.
By showing your employees how fraudsters do this, you can help them spot an attacker and respond appropriately.
You can learn more about how this works with GRC eLearning’s Physical Security Staff Awareness E-learning Course.
This online course helps your staff understand the physical security threats faced by your organisation and why it is important to protect against such threats.
It also explains how threat actors use your online presence as part of their attacks and what individuals can do to stay safe.