Social engineering attacks can be physical or cyber. One type of physical attack is tailgating, and it is not done in a car. Tailgating, in a social engineering sense, is when a person gains unauthorized entry into a facility by using tricks and tactics to fool the employees of that company.
Most people know that when they are walking around their company, they have to have their identification badge on them and visible so anybody who passes knows they belong there. Unfortunately, this practice has become rare. The lack of visible badge enforcement and verification makes it easier to gain unauthorized access to a facility without raising suspicion.
Criminals have many tricks in their arsenal to get people to let them into a building. One common way of doing this is by hanging out around the area of the building that is commonly used by smokers. If the social engineer locates that area and acts like they are on a smoke break, they can wait for an employee of that company to come out and then easily start a conversation with them. It is likely that, at the end of the break, the employee will go to open the door and hold it open for the criminal masquerading as an employee to walk in. Another method employed by criminals to get an employee to grant them access to a building is to walk toward the entrance with their hands full. Common courtesy can easily override the uninitiated’s sense of security and spur individuals to open the door for someone who has no business being there.
Some criminals will even buy boxes of donuts to bring in with them to make it look like they cannot open the door because their hands are full of donuts (and everyone will open the door for someone holding donuts). Attackers will also walk very close behind others going into work in the morning, with the goal of grabbing the door before it closes.
These social engineering tactics can be thwarted--and risk to your organization reduced--by simply asking to see the person’s badge. If they cannot produce a badge, they should not be allowed into the office.