Fraudsters have countless tricks up their sleeves to bypass security measures and access sensitive information. In most cases, this refers to cyber crime, but scammers might also gain physical access to their premises in tailgating attacks.
Although it’s a much bolder method – given that a criminal could get caught in the act – many organisations don’t protect their physical perimeter in the same way that they stay safe online, presenting opportunities for attackers to strike.
What is tailgating?
When you hear the word ‘tailgating’, you probably think of someone who drives close behind another car so that they are almost touching its tailgate.
The same principle, believe it or not, applies in a cyber security context. A tailgater here is someone who stays close to a person as they enter or exit a building. Their goal is to be near enough to the door so that they can walk through without a key.
More specifically, the fraudster is trying to gain physical access to a secure part of the premises so that they can steal confidential information.
They might do this by timing their approach so they can grab the door before it closes. Alternatively, they might use social engineering techniques to persuade the employee to hold the door open for them.
Social engineering is a collective term for the ways people manipulate others into performing certain actions. In an information security environment, it refers to the ways that crooks trick people into gaining privileged access.
For example, phishing is a type of social engineering, with the attacker appearing to be a legitimate person or organisation who is emailing the target.
Tailgating can work in the same way, with the interloper appearing to be a trusted individual. But unlike phishing attacks, the fraudster doesn’t always need a clear pretext to trick people – as we explain in the next section.
Tailgating attack examples
In the most basic form of tailgating, the fraudster simply waits by a door until someone with legitimate access opens it, then follows them into the building.
They often get away with this because people will assume that the person has a right to enter – provided they act as though they belong. Sneaking around or loitering will make people suspicious, which is why timing and confidence are crucial.
Often, the attacker will attempt to blend in and create subtle clues about why they are waiting outside the door. For example, they might find a back entrance where employees go for cigarette breaks, or approach staff as they enter the building, which helps them pass through reception unnoticed.
Alternatively, the tailgater might stand out of sight and make a move as soon as someone comes through the door. They could explicitly ask the person to hold the door open, appearing rushed and believing that the other person will be too polite to close the door on them.
The scammer might even have their hands full – perhaps with paperwork or takeaway coffee – which would explain why they need the door held open.
These are the simplest forms of tailgating, because at no point does the fraudster have to say why they are trying to enter the building; it is simply assumed that they belong there.
However, it’s also the riskiest technique, because an employee might question their credentials or ask why they don’t have a key or passcode to the building.
Given that they could be apprehended or even arrested if someone discovers that they are trying to gain unauthorised access to the building, the attacker will clearly want a backup plan. As such, many take a more complex route but one that holds up better to questioning.
The most common example is to pretend to be a delivery driver or tradesperson. This requires them to bring props such as a uniform, van, package or toolbox to appear legitimate.
This gives them a clear pretext for entering the building while also explaining why they don’t have a key or passcode. It also helps them move around the building without anyone asking them who they are or what they are doing.
However, making their presence in the office more explicit limits their ability to act surreptitiously. You would be more likely to notice a delivery driver or tradesperson enter the server room than someone dressed like any other employee.
How can organisations prevent tailgating attacks?
There are several ways for organisations to prevent tailgating attacks. The most important step is to ensure that there are measures in place to prevent unauthorised people from entering parts of the building that contain sensitive information.
One such measure – which we’ve referred to throughout this article – is for building entrances to be protected with a key or passcode. Every employee should receive one specific to the building they work in, and in large organisations there might be additional passcodes for specific parts of the building.
However, implementing such a system can be expensive – and in some organisations it isn’t feasible. There are some industries where employees are required to move regularly between public and employee-only spaces, and it would hinder business if they were forced to constantly lock or unlock doors.
In those cases, video surveillance is a helpful tool. It won’t necessarily catch a tailgater in the act (unless you have someone constantly monitoring the footage), but it is a useful preventive measure.
Both the organisation and the potential tailgater know that once a security incident has been discovered, the perpetrator could be identified by the footage. This greatly increases the chances that wrongdoers will be apprehended, and as a result will dissuade them from targeting the organisation.
The most effective measure for preventing tailgating attacks, however, is staff awareness training. Like other forms of social engineering, tailgating exploits people’s ignorance and reluctance to complain.
By showing your employees how fraudsters do this, you can help them spot an attacker and respond appropriately.
IT Governance can help you address the threat of tailgating, along with other social engineering techniques, with our array of staff awareness training options.
Our unique combination of governance, risk management and compliance expertise, and our ability to develop effective learning solutions in-house means we can deliver bespoke learning solutions tailored to your requirements.
We work with our clients to find out their exact knowledge gaps and requirements, ensuring the finished product delivers the required staff awareness levels on the given topic.
Find out more about how bespoke learning solutions are developed by downloading our brochure or speak to one of our experts for information about how we can help you with your Customised+ or bespoke project.