Tailgating and piggybacking are two social engineering practices. They exploit the human factor to gain entry to areas reserved for authorized personnel, which puts the security of both physical and information systems at risk.
Let us look at what exactly these terms mean and how these scenarios apply to both physical and IT security. There is a subtle difference between piggybacking and tailgating.
Tailgating is the situation in which an individual without access authorization closely follows an authorized person into a reserved area. The intruder takes advantage of the moment when the authorized person opens the door with a badge and sneaks inside before the door closes.
Piggybacking is the situation in which someone enters a reserved area with permission obtained by deceiving an authorized person.
If you have watched the film “Catch Me If You Can” with Leonardo DiCaprio, you will remember the clever character he played, the famous swindler Frank Abagnale. The fraudster entered restricted areas in airports and hospitals by pretending to be a doctor or an airplane pilot. He succeeded through deception and cunning, causing financial damage to the companies he cheated.
Such criminals pose a serious problem for companies, as they violate the law, often with criminal intent. Those who aim to gain access without authorization can be well dressed and introduce themselves as customers to fool security personnel. Or they can appear dressed as couriers carrying bulky parcels and ask a staff member outside to open the entrance door with a company badge.
Sad but true: people’s kindness and naivety often help fraudsters. They manage to access restricted areas, putting corporate assets and confidential data at risk. Anyone who attempts to gain unauthorized access is aware of these “weaknesses” and uses them to get what he wants.
Would you let someone you do not know enter your home, even if he asked kindly and with good manners? You would probably think twice before doing it, as it could pose a safety risk to you and your loved ones.
The same attitude applies to the safety of your workplace. If you notice a stranger without a badge in your company, you need to follow some security procedures. Most companies have security policies describing access rules for reserved spaces. If you have never heard of them, ask for them to be put into practice.
The situation can be more complicated when it comes to coworking spaces. Many employees from different companies come and go and do not know each other. Intruders can use multiple tricks to get inside the restricted areas.
Unfortunately, tailgating and piggybacking happen more often than one might think. There are numerous violations of information systems caused by employees’ negligence and naivety. They forget to lock their screens or leave their access credentials written on a post-it next to the monitor. Those who enter reserved areas without authorization and with very specific purposes will certainly notice that.
Please follow the corporate security policies:
You can find this and other important information on the Sababa Awareness training platform, which helps employees build the skills to resist cyber-attacks and social engineering techniques such as those described in this article.
Image by Macau Photo Agency