Tailgating (also known as “piggybacking”) is a physical social engineering attack where a person seeks to enter a restricted area where they are otherwise not allowed to be.
In this guide, we will cover:
- what tailgating is;
- a few examples of real-world cases of tailgating;
- what you can do to prevent tailgating attacks.
What is Tailgating?
Tailgating is when someone accesses a restricted area (a building, a specific office space, etc.) where they are not allowed.
In practice, this can be by following someone closely, asking them to “Hold the door please!”, or pretending to be a delivery or repair person.
The main difference from other forms of social engineering is that tailgating is a physical intrusion. In this sense, it is closer to baiting.
Originally, the term “tailgating” refers to “following another vehicle too closely”. This is how the term was eventually co-opted into its social engineering definition.
Tailgating: Real-World Examples
So, what does a tailgating attack look like in practice? Here are a few common scenarios.
- “Delivery driver” tailgating: attackers impersonate a service person such as couriers, maintenance personnel, or food delivery agents to gain access to restricted areas.
- Credential theft: attackers may obtain access badges through social engineering tactics, such as pretending to be new employees who forgot their credentials.
- Technology-assisted tailgating: attackers may use technology, such as hidden RFID scanners, to clone access badges and gain unauthorized entry later.
Now, let’s look at some real-world cases of tailgating attacks.
Case #1: The Munich Airport Security Breach
In August 2024, a 39-year-old Norwegian man managed to board two flights without tickets over two consecutive days.
Somehow, he managed to bypass security at Munich Airport by tailgating passengers with legitimate boarding passes.
On the first day, he was detected and apprehended once aboard the plane as he did not have a seat booked. Remarkably, the following day, he repeated the act, boarding a Lufthansa flight to Stockholm without detection.
This incident prompted investigations into security protocols at Munich Airport and highlighted vulnerabilities in access control measures.
Case #2: Banned Russian diplomats gain access to restricted areas of British Parliament
In December 2024, Russian diplomats gained access to restricted areas of the British Houses of Parliament. This constituted a major security breach.
A ban on visits by Russian officials has been in place since 2022.
The group of diplomats had apparently joined a public tour of the Houses of Parliament. They then separated from the group and managed to enter a restricted area before they were found by security.
Luckily, they were caught before any damage was done. However, the incident highlighted the serious risk of tailgating inside government buildings.
Case #3: Catch me if you can (Frank Abagnale)
Frank Abagnale was a notorious con artist and impostor who, in the 1960s, successfully carried out numerous fraudulent activities by exploiting social engineering tactics, including tailgating.
He most famously posed as a Pan Am pilot, gaining unauthorized access to airport facilities and even traveling for free by confidently tailgating airline staff.
Abagnale also impersonated a doctor and a lawyer, using his charm and manipulation skills to gain trust and access restricted areas without proper credentials. His ability to blend in and exploit human trust allowed him to cash millions of dollars in fraudulent checks before being caught.
After serving prison time, he later worked with the FBI as a security consultant, helping organizations prevent fraud and social engineering attacks. His story was made famous in the movie Catch Me If You Can with Leonardo DiCaprio.
How to Prevent Tailgating in your company?
A tailgating attack can be especially dangerous to mid-sized and larger organizations as there is a lot at stake. Examples include:
- stealing company secrets, money, and/or equipment
- installing a backdoor to the server to eavesdrop on every conversation on the company’s network.
If you are working for a mid-sized company then you should start challenging everyone who wants to get access to the premises.
It may seem rude and awkward at first. However, it is in your company’s best interest. Ask management to install biometric scanners and turnstiles to prevent a tailgater from just walking into the building.
Biometric scanners and turnstiles prevent the tailgater from walking with you inside the building as they only allow for one person at a time. Additionally, you should challenge that individual and ask questions that only employees would know.
Although it looks simple, tailgating or piggybacking can be an effective way for your competitors to spy on your company. Learn more about securing your company from data spying and protecting your computers.
What if an attacker still manages to get inside?
You might not always be in control of how people access a building, for example if you rent office space within a larger building. In this case, the access policy is most probably out of your hands.
There are nonetheless several steps you can take to protect yourself:
- Automatic screen locking & manual logouts: train employees to log out or lock their computers (Windows + L for Windows, Command + Control + Q for macOS) whenever they step away from their desks. Implement automatic screen locking after a short period of inactivity (e.g., 1–2 minutes) to prevent unauthorized access.
- Clean desk & document security policies: employees should never leave sensitive documents, notes, or storage devices (USBs, hard drives) unattended on desks. Use locked drawers for confidential paperwork and require shredding of sensitive documents before disposal.
- Restrict unauthorized access to meeting rooms & whiteboards: encourage teams to erase confidential information from whiteboards after meetings and ensure that classified discussions do not take place in open areas where unauthorized individuals might overhear.
- Monitor visitors & challenge suspicious individuals: teach employees to politely challenge anyone they do not recognize and report unescorted visitors immediately. Implement a visitor badge policy and require that all guests be escorted at all times.
- Use secure print & access control for office equipment: implement “pull printing” requiring authentication before documents are printed, preventing unauthorized individuals from accessing sensitive printouts.
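One way to verify that the automatic screen lock from the first item is actually in effect on a workstation, as an added example that is not part of the original guide. It assumes a GNOME Linux desktop (the `gsettings` keys shown); the function names and the 120-second limit are choices made here, and Windows and macOS keep the equivalent settings elsewhere.

```shell
#!/bin/sh
# Added example: check that an unattended GNOME session locks within a limit.
MAX_LOCK_SECONDS=120   # upper end of the guide's "1-2 minutes" suggestion

# gsettings prints integers as "uint32 300"; keep only the number.
strip_gvariant() { printf '%s\n' "${1##* }"; }

# evaluate_lock IDLE_DELAY LOCK_ENABLED LOCK_DELAY [MAX_SECONDS]
# Time-to-lock is idle-delay (screen blanks) plus lock-delay (grace period
# before a password is required). Returns 0 = pass, 1 = fail, 2 = unknown.
evaluate_lock() {
  _idle=$(strip_gvariant "$1")
  _enabled=$2
  _grace=$(strip_gvariant "$3")
  _max=${4:-$MAX_LOCK_SECONDS}
  for _v in "$_idle" "$_grace"; do
    case "$_v" in
      ''|*[!0-9]*) echo "UNKNOWN: unreadable settings"; return 2 ;;
    esac
  done
  if [ "$_enabled" != "true" ]; then
    echo "FAIL: screen blanks but never locks"; return 1
  fi
  if [ "$_idle" -eq 0 ]; then
    echo "FAIL: idle timeout disabled"; return 1
  fi
  _total=$((_idle + _grace))
  if [ "$_total" -gt "$_max" ]; then
    echo "FAIL: locks after ${_total}s (limit ${_max}s)"; return 1
  fi
  echo "PASS: locks after ${_total}s"
}

# Read the live values; run this inside the user's desktop session.
audit_gnome_lock() {
  command -v gsettings >/dev/null 2>&1 ||
    { echo "UNKNOWN: gsettings not found"; return 2; }
  evaluate_lock \
    "$(gsettings get org.gnome.desktop.session idle-delay)" \
    "$(gsettings get org.gnome.desktop.screensaver lock-enabled)" \
    "$(gsettings get org.gnome.desktop.screensaver lock-delay)"
}

# Constructed sample values in gsettings output format (not from a real host).
evaluate_lock "uint32 300" "true" "uint32 0"  || true   # 5 minutes: too long
evaluate_lock "uint32 60"  "true" "uint32 90" || true   # grace period pushes it over
evaluate_lock "uint32 60"  "true" "uint32 30" || true   # within the limit
```

The second sample shows the case that is easy to miss: a one-minute idle timeout still leaves the desk exposed for 150 seconds when the lock grace period is 90 seconds.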
Tailgating: Final Words
Tailgating attacks often take advantage of unaware employees. This is why knowledge is king. It is absolutely vital that employees are trained and armed with knowledge.
You can provide them with a free security & privacy awareness course to make sure they never fall for a tailgating attack again. Every time your company gets a new intern you should make sure you provide them with basic cybersecurity training, as 99% of interns are completely unaware that such attacks exist.
None of these tips will matter if you don’t stay vigilant and suspicious of everyone you don’t know. Holding the door for a person who is “running late” seems harmless but that decision carries a lot of weight. As an employee, you are responsible for making sure that nobody except authorized personnel enters the building(s).
Want to learn more about social engineering scams and how to avoid them? Check out our extensive guide here.