Definition

What is tailgating (piggybacking)?

Rahul Awati

By

Rahul Awati

Tailgating, sometimes referred to as piggybacking, is a type of physical security breach in which an unauthorized person follows an authorized individual to enter secured premises while avoiding detection by an electronic or human access control (or alarm) system.

In general, when tailgating attacks succeed, it's due to a combination of two factors: 1) human carelessness on the part of the followed party, and 2) ingenuity and confidence on the part of the following party. Tailgating is a significant security risk for organizations and their property, equipment, data and personnel.

Understanding tailgating

Tailgating is one of the simplest forms of a social engineering attack, in which threat actors take advantage of human habits or weaknesses to perpetrate a malicious incident, such as a scam, theft or a cyberattack.

By simply following an authorized person (AP); an unauthorized party (UP) can easily get around security mechanisms, such as retina scanners, fingerprint scanners, and even human security guards, and gain access to restricted physical areas.

Often, unauthorized persons are able to do so by taking take advantage of cognitive biases that affect human decision-making. One such "human bug" is the tendency to be courteous; another is the tendency to trust other people; a third is simple habit. Due to these human quirks, many APs tend to hold the door for UPs, who then might exploit such polite gestures to access locations they might not have been able to access otherwise.

How tailgating happens

Tailgating attacks can happen in many ways, including the following:

The simplest method is someone following someone else through a door.
Tailgating can also occur when an authorized person enters an area without closing the door behind them. This can leave a small window of time available for an unauthorized person to enter the premises.
Another method is when an AP keeps a door propped open for some reason. For instance, a painter might leave it open to get rid of paint fumes, or an IT vendor might be troubleshooting a server or router in the server room while leaving the room's door open.
A more sophisticated type of attack occurs when threat actors disguise themselves, either as authorized personnel with access to a particular area (e.g., a manager) or seemingly harmless persons (e.g., a delivery person) to trick people into granting them access to that area.

Visual comparing cyberespionage versus cyberwarfare. — Successful tailgating can lead to the installation of cameras or listening devices as part of a cyberespionage operation.

Where does tailgating happen?

Tailgating is a common problem in multitenant buildings with high traffic (many people accessing the building and its premises). High traffic makes it difficult to identify and track unauthorized personnel, and to keep them out.

Tailgating also happens more often in companies where employees lack good cybersecurity hygiene or don't follow cybersecurity best practices. This might be due to the following:

Carelessness.
Lack of awareness about cyber risks.
Inadequate cybersecurity training, particularly training about how humans are often the "weak link" in cybersecurity.

Graphic showing best practices to avoid data breaches. — Tailgating can lead to data breaches, as well as loss of money and property.

Tailgating can also happen in firms lacking biometric access control systems. Without such electronic systems in place, almost anybody can enter secure areas by simply walking in. It's also difficult to identify blind spots in a facility or plan strategies to address them.

Dangers of tailgating

Tailgating is considered a "low-tech" attack tactic because it rarely involves sophisticated equipment. Nonetheless, it is a serious physical and cybersecurity concern for enterprises because it increases the risk of a malicious person compromising or harming the firm in some way. For example, an intruder might do the following:

Exfiltrate sensitive information to cause a data breach.
Steal valuable equipment such as unattended laptops.
Insert spyware into enterprise devices.
Install malware or ransomware on computers.
Turn off critical systems such as servers.
Access the server room and create a backdoor to the entire enterprise network.
Install cameras to remotely keep an eye on company operations and engage in corporate or cyberespionage.
Steal money or business secrets like blueprints, intellectual property (IP), client lists or financial information.
Destroy or damage the firm's physical property (vandalism).

Tailgaters can include disgruntled former employees, thieves, vandals or mischief makers. Basically, anyone who has an issue with the company or hopes to profit off it can be a tailgater. Whether tailgating persons are innocent or malicious, they can potentially disrupt the business, cause damage or create unexpected costs. They might also create further safety issues for company personnel due to fires or stampedes. Tailgating also can lead to physical violence.

Diagram showing types of biometric authentication. — Biometric access control systems combined with employees with good cybersecurity hygiene help prevent tailgating breaches.

How to avoid tailgating

Organizations can protect their premises from unauthorized personnel and prevent tailgating by implementing certain effective security measures. These include the following:

Electronic access doors

Installing access controls for entrances and restricted areas with swiftly closing doors is vital to prevent tailgating. Additionally, revolving doors provide tailgating detection and ensure that an individual is alone, preventing others from entering behind them without going through a proper access mechanism.

Laser sensors or mantraps

Photosensors, laser sensors and mantraps can limit entry to a single person at a time, preventing someone from following an authorized person and entering an area they are not authorized to enter.

Biometric scanners

Biometric scanners and turnstiles allow only one person to enter an area at a time, preventing tailgaters from walking with or behind an authorized person. Also, biometric systems store specific individuals' data (e.g., fingerprints, palm prints, retinal scans, etc.) to facilitate access to specific areas, so individuals whose information is not stored in the security system are automatically kept out of those areas.

Smart cards

Smart cards are usually customized for use by a single person, which helps to control access to a room, office or building. When implemented with electronic access control mechanisms, smart cards can prevent tailgating in entrances and restricted areas.

Photo ID

Employees must be required to wear photo IDs and visitors must be provided temporary badges and required to wear them as long as they are within the organization's premises. All IDs must be clearly visible. With these ID methods in place, anyone not wearing one becomes conspicuous, making it easier to recognize and detain them, and prevent them from entering secure premises.

Video surveillance

Surveillance devices such as CCTVs provide a means to keep an eye on the premises 24/7. If the devices are clearly visible, they act as a deterrent to those looking to tailgate their way into an office or server room. Now, AI-enabled video surveillance systems are available to provide uninterrupted views of secure areas plus real-time insights that enable security staff to identify unauthorized or malicious parties and take fast remedial action.

Multifactor authentication (MFA)

MFA on access doors requires users to provide more than one credential to access an area. In this way, even if an unauthorized individual manages to compromise one credential, they will still not be able to gain access. One example of MFA is requiring individuals to provide both an access card and a thumb print. Another is requiring entrants to enter numbers on a keypad and provide a retina print. MFA is particularly useful to keep unauthorized persons from accessing secure areas like server rooms or file rooms.

Read about use cases for MFA.

Human security guards

Security guards provide a physical means to safeguard premises. These guards should be trained to ask unfamiliar personnel or personnel not wearing ID cards who they are and why they are on the premises. They also should be authorized to detain these persons in a holding room until management can determine what further action (e.g., a police report) is needed against them.

The importance of employee education in preventing tailgating

The above security measures are all crucial to curtail tailgating. However, their presence can create a false sense of security among staff, leading to carelessness or ignorance of employees' role in preventing tailgating. That's why it is vital to educate them on the following:

The dangers of tailgating.
How to recognize tailgating attempts.
What they can do to resist tailgating and to keep tailgaters out.

It's also important to create a strong cyber awareness culture throughout the organization and to make employees aware of their responsibilities to protect the company's assets from unauthorized parties. Employees should also be taught to follow these security best practices:

Never hold the door for anyone.
Always keep doors closed, especially those to secure or restricted areas like server rooms.
Stop people from following them into special access zones or restricted areas, especially if they are not wearing employee or visitor badges.
Ensure that any outsiders, such as repairmen or delivery persons, are legitimate and wearing appropriate visitor badges.
Direct unfamiliar people, people without badges or people who appear "lost" to the reception desk.
Never allow former employees to access the company premises if they don't have the permission of authorized personnel (e.g., IT team) or are not wearing proper ID badges.
Report suspicious activity to security guards.
Inform security guards or the IT team if an electronic door is not functioning properly.

Tailgating vs. piggybacking

Tailgating is not the same as piggybacking, a type of breach in which the unauthorized individual tricks or convinces the authorized individual into letting them into a secure area. Thus, piggybacking usually involves an AP's knowledge, consent or permission. Also, the AP providing access to the UP usually assumes that the UP has a legitimate reason for requesting access.

That said, both tailgating and piggybacking are forms of in-person social engineering attacks in which threat actors try to gain access to an area that would be off-limits to them, usually for nefarious or malicious purposes. Both can be very damaging for an organization in a multitude of ways.

Organizations should know the key signs of common security incidents and how to respond to keep systems and data safe. Read about the types of security incidents and how to prevent them.

This was last updated in October 2024

Continue Reading About What is tailgating (piggybacking)?

Pave a path to cybersecurity and physical security convergence

Flashpoint CEO: Cyber, physical security threats converging

Top types of information security threats for IT teams

Experts highlight progress, challenges for election security

How to conduct a social engineering penetration test

Search Networking

What is 1000BASE-T (Gigabit Ethernet)?
1000BASE-T is a Gigabit Ethernet standard that operates at a speed of 1 gigabit per second (Gbps) over copper wiring.
What is DHCP (Dynamic Host Configuration Protocol)?
DHCP (Dynamic Host Configuration Protocol) is a network management protocol used to dynamically assign an Internet Protocol (IP) ...
What is Routing Information Protocol (RIP)?
Routing Information Protocol (RIP) is a distance vector protocol that uses hop count as its primary metric.

Search Security

What is a security operations center (SOC)?
A security operations center (SOC) is a command center facility in which a team of information technology (IT) professionals with...
What is a risk profile? Definition, examples and types
A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.
What is risk reporting?
Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.

Search CIO

What is the Sarbanes-Oxley Act? Definition and summary
The Sarbanes-Oxley Act of 2002 (SOX) is a federal law that established sweeping auditing and financial regulations for public ...
What is a change agent (agent of change)?
A change agent, or agent of change, is someone who promotes change and enables it to happen within any group or organization.
What is a quantum processing unit (QPU)?
A quantum processing unit (QPU) is a hardware device that uses quantum mechanics -- such as superposition and entanglement-- to ...

Search HRSoftware

What is team collaboration?
Team collaboration is a communication and project management approach that emphasizes teamwork, innovative thinking and equal ...
What is talent management? Definition, basics and strategy
Talent management is a strategic approach organizations use to attract, develop, retain, and optimize employees.
What is employee experience?
Employee experience is a worker's perception of the organization they work for during their tenure.

Search Customer Experience

What are customer service and support?
Customer service is the support organizations offer to customers before, during and after purchasing a product or service.
What is quality of experience (QoE or QoX)?
Quality of experience (QoE or QoX) is a measure of the overall level of a customer's satisfaction and experience with a product ...
What is voice of the customer? A guide to VOC Strategy
Voice of the customer (VOC) is the component of customer experience (CX) that focuses on customer needs, wants, expectations and ...

Close