Tailgating: a dangerous, but unknown, social engineering technique
If you google tailgating right now, you may come across a definition that will confuse you as to why we're discussing the term. It is usually used to refer to the dangerous act of driving your car too close behind another vehicle, which is a common strategy for transposing automatic toll gates, for example. However, the tailgating that we will be discussing here has absolutely nothing to do with cars or good driving practices.
We are talking about the second use of the term, which refers to a rather dangerous, but unknown social engineering scam. Similar to driving, in tailgating, the criminal comes close to an authorized person in order to enter a restricted area, either by following an employee who has access permission or by creating a situation for the employee to let them pass.
Convincing with emotions
Let’s imagine you work for a large corporation with offices spread across an entire building. There are guards and security cameras everywhere. To enter, you need to put your magnetic card — unique and non-transferable! — to the automated gate. However, just as you are entering the building, someone approaches you claiming they lost their card. They are well-dressed, polite, and ask you to let them in because they are late for a meeting.
In this situation, how would you react? Unfortunately, most people, overwhelmed by a feeling of compassion, would open the gate to their supposedly unknown coworker. What if we say that this coworker is actually a criminal who is resorting to a technique that appeals to human emotions to convince an individual with privileged access to let them into the company's premises, which would allow them to steal goods, read documents, and even infect computers with a USB flash drive?
This is a tailgating scam. As companies gradually return to on-site work (or to a hybrid work format, in which professionals can work from wherever they want), this threat, which is often overlooked by many when discussing social engineering, has become dangerous again. If a cybercriminal or a spy is able to enter the premises of the company, the consequences can be as serious as being infected by malware.
The curious thing about tailgating is that it can take on many forms. In addition to the example we gave, a criminal may show up in the entrance hall carrying an armful of boxes (possibly empty) and ask for help to unlock the automated gate, claiming that they can’t reach their credential in their pocket because "they are carrying a lot of weight". They can also be wearing a uniform and claim that they are a service provider hired to perform a service, saying they were unable to contact the person who requested the service.
In all these, and other situations the human imagination can create, the invader will always try to appeal to the empathy, haste, innocence, or goodwill of an employee with access to a privileged place, so that they, of their own free will, open the door and let them in. Once inside the company, they will have plenty of time and almost no supervision to put their evil plans into practice.
Sometimes being too polite can be dangerous
There is no point in investing in technological resources, such as radio frequency key chains, password locks, biometric identification, or facial recognition to prevent unauthorized people from entering: if the social engineer is able to convince an authorized employee, they will surely be able to enter the premises.
The best way to eliminate this threat is, once again, to know more about it, and resist this kind of temptation. As rude as it may seem to ignore the request of a coworker who is late for a meeting, a person carrying heavy boxes, or a puzzled service provider, this is the best way to handle the situation to prevent tailgating from happening. Politely explain you are not authorized to let others in, and preferably report the situation to a responsible person. It is also important to be on the lookout for any suspicious individuals who are watching you in your work environment — when in doubt, notify management immediately.