Overview

Tailgating is a physical social engineering technique in which an unauthorized individual gains access to restricted areas by following an authorized person.
The approach often exploits situational factors such as time pressure, helpfulness, or insufficient attention.
The goal is to bypass physical security barriers to gain unauthorized access to systems, data, or premises.
Typical Scenario

An attacker positions themselves in close proximity to a secured entry point, often appearing inconspicuous or seemingly legitimate.
Once an authorized person opens the entry point, the attacker takes the opportunity to enter the secure area without authenticating themselves.

Example:
An employee enters the office building carrying items in both hands.
An unknown man offers to hold one of the items.
While the employee uses her RFID access card, the man follows her directly into the secure area.
Shortly afterwards, it is discovered that an unauthorized device was connected to the internal network, leading to a compromise of the systems.
Risks and Impacts

A successful tailgating attack can lead to the following consequences:

  • Circumvention of physical access controls
  • Installation of malware or unauthorized devices
  • Theft of confidential data or trade secrets
  • Disruption of critical business processes
  • Significant financial and reputational damage

Preventive Measures

To minimize the risk, a combination of organizational, technical, and personnel measures is recommended:

  1. Physical access controls – Use of turnstiles, mantraps, or biometric systems
  2. Employee awareness – Regular training on social engineering techniques and their detection
  3. Access policies – Mandatory rules for handling unknown persons in secure areas
  4. Security monitoring – Cameras, access control logs, and real-time monitoring
  5. Security awareness testing – Conducting controlled tailgating simulations
  6. Security presence – Deployment of security personnel at critical entry points
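Measure 4 lists access control logs as a detection source. The following is an added example, not part of the original text or any vendor's software: it runs an anti-passback check over a constructed badge log (assumed format: timestamp, badge id, door, IN/OUT; a single secure zone is assumed) and flags the two sequence violations that tailgating typically leaves behind, an exit with no matching entry (the person was let in without badging) and a second entry while the badge is already inside (the badge was passed back to admit someone else).

```python
from dataclasses import dataclass

# Constructed sample access-control log (not from the original page).
# Format assumed here: <ISO timestamp> <badge id> <door> <IN|OUT>
SAMPLE_LOG = """\
2024-05-06T08:01:10 B1001 lobby-door IN
2024-05-06T08:01:12 B1002 lobby-door IN
2024-05-06T12:10:00 B1004 lobby-door OUT
2024-05-06T12:30:40 B1001 lobby-door OUT
2024-05-06T13:00:00 B1001 lobby-door IN
2024-05-06T13:00:03 B1001 lobby-door IN
2024-05-06T17:05:00 B1002 lobby-door OUT
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    badge: str
    door: str
    reason: str


def parse_log(text):
    """Parse one badge event per line into (timestamp, badge, door, direction)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction = line.split()
        if direction not in ("IN", "OUT"):
            raise ValueError(f"unexpected direction {direction!r} in line: {line}")
        events.append((ts, badge, door, direction))
    return events


def anti_passback_alerts(events):
    """Track whether each badge is inside or outside the zone and flag
    sequence violations consistent with tailgating or badge pass-back."""
    inside = set()   # badges currently believed to be inside the zone
    alerts = []
    for ts, badge, door, direction in events:
        if direction == "IN":
            if badge in inside:
                alerts.append(Alert(ts, badge, door, "IN while already inside: possible badge pass-back"))
            inside.add(badge)
        else:
            if badge not in inside:
                alerts.append(Alert(ts, badge, door, "OUT without prior IN: possible tailgated entry"))
            inside.discard(badge)
    return alerts
```

This check only catches a tailgater who later badges out or a badge that is reused; someone who also leaves by tailgating produces no log entry at all, which is why the logs must be paired with cameras, mantraps, or staff presence from the other measures above.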

Standards and Best Practices

The following frameworks and standards include relevant measures for preventing tailgating:

  • ISO/IEC 27001 – Annex A.11: Physical and Environmental Security
  • NIST SP 800-53 – Physical and Environmental Protection (PE)
  • BSI IT-Grundschutz – Modules PHY.1 “General Building Security” and PHY.2 “Access Control”

Conclusion

Tailgating is a well-established social engineering method that exploits physical and organizational security gaps.
Effective protection relies on the consistent combination of technical access controls, established security processes, and ongoing staff awareness.