HOLDING THE DOOR for someone is the polite thing to do, but sometimes that common courtesy can cause more harm than good. In this age of technology, social engineers have developed numerous ways to take advantage of our social behaviors to bypass security and gain access to critical information. Tailgating—also known as piggybacking—is one such technique which, while relatively simple, can have devastating consequences.

Cybercrime takes many forms and is becoming increasingly sophisticated. Unlike most cyber threats, tailgating arrives through your physical location: an attacker simply walks in behind an authorized person. It is critically important that Information Technology (IT) work closely with Office Services, or whichever department is responsible for facilities management, on a robust education campaign for employees.

At A.I.M. Mutual, we regularly train our employees to identify malicious emails using webinars, simulated phishing campaigns, and other educational tutorials. Yet tailgating poses some unique challenges. How do you identify a seemingly innocent visitor or delivery person as a malicious intruder whose intent is to gain access to your secure data?

The key is knowing and recognizing common tailgating strategies when you see them. Tailgaters often pretend to be someone with a legitimate need to enter the building, such as a new employee, a delivery driver carrying a large package, or even a known vendor.


Keep in mind that cybercriminals are great actors. Consider this actual case that happened at a large manufacturing company in Massachusetts. The company shared its close call publicly and internally, crediting an employee for his quick thinking and action.

An employee was outdoors heading toward the cafeteria entrance. He noticed another man, wearing an access badge that was partly obscured, lingering outside and talking on a cell phone. The employee badged in through the first set of doors leading to the cafeteria and was surprised to find that the man had followed right behind him.

In a pleasant, offhand manner, the man joked, "I hope it's okay I'm coming in with you," and then followed the employee into the cafeteria. The man went on to casually look at his phone and wander around aimlessly. Something didn't seem right, so the employee asked the man to badge in himself. He agreed, and together they approached Security. The tailgater said he was there for a meeting, provided a fictitious name, and claimed he had left his own badge in the car. He was escorted out of the building, got into his car, and drove away.

Confronting someone in a situation like this might feel uncomfortable, but the message to your employees is clear: don't let that stop you. Give employees a short script. One option is to say that it is company policy not to let anyone in without their own badge, and then to offer to fetch someone who can help, ideally a supervisor or manager.


Additionally, you can help prevent unauthorized access to company equipment by reminding employees to lock their computers whenever they leave their desks, to enroll in multifactor authentication wherever it is offered, to create strong passwords, and never to insert a flash or USB drive without being sure of its contents. If an employee sees someone they don't recognize sitting at a coworker's computer or moving through the building, they need to understand the urgency of reporting it to a supervisor.

A.I.M. Mutual has numerous defense measures already in place to secure its facility from this sort of attack. These include, among other things, an employee badge system, a visitor access protocol, security cameras at all entry points and throughout the parking lot, and other security measures not apparent to the public.

Social engineering methods are constantly evolving, and to protect ourselves, we must evolve along with them. By educating ourselves and staying vigilant, we can all do our part in protecting data, customers, fellow employees, and our organizations.
