Social Engineering Techniques
What Is Tailgating?
Tailgating (also called "piggybacking" in some contexts) is a physical security breach where an unauthorized person gains access to a restricted area by closely following an authorized individual through a controlled entrance without using their own credentials. The attacker exploits human psychology—specifically social norms around helpfulness and group conformity—rather than technical security vulnerabilities. Tailgating is a sophisticated form of social engineering targeting physical security measures rather than digital systems.
While specific tailgating attack statistics are limited, the broader context of physical security breaches demonstrates its significance. Verizon's Data Breach Investigations Report (2024) found 68% of breaches involved human error, which includes physical security failures like tailgating. IBM (2025) reported the average global cost of a data breach reached $4.44 million, and Palo Alto Networks (2025) found 86% of organizations experienced business disruption from social engineering attacks.
How does tailgating work?
Tailgating works by exploiting social norms and human psychology to gain unauthorized physical access to restricted areas. The attack leverages people's natural tendency to be helpful and their reluctance to challenge others.
Direct tailgating
The attacker follows closely behind an authorized employee as they badge into a secure area. The legitimate employee's access badge grants entry and holds the door open, allowing the unauthorized person to slip through without triggering security. The tight timing and casual appearance minimize detection.
This approach relies on physical proximity and timing. The attacker positions themselves behind the legitimate user as they approach the access control point, close enough that holding the door becomes a natural courtesy. Many people find it awkward or rude to let doors close in someone's face, especially in professional environments where politeness is expected.
Impersonation
The attacker poses as a delivery person, vendor, contractor, or maintenance worker, approaching an employee with packages or supplies and requesting access. Many employees assume good faith and hold doors open to help. The impersonation provides a plausible explanation for being at the facility without proper credentials—delivery personnel often have temporary access or need escort.
Delivery impersonation proves particularly effective because:
- Employees expect regular deliveries
- Delivery personnel often don't have permanent badges
- Carrying packages creates urgency and makes badge access difficult
- Refusing entry to apparent delivery people seems obstructionist
Piggybacking
Unlike pure tailgating, piggybacking involves some level of perceived permission. The attacker convinces an authorized person to allow them through by claiming to be an employee, contractor, or IT staff needing urgent access. This might involve claiming to have forgotten their badge, working in a different department, or being new to the organization.
The distinction between tailgating and piggybacking lies in awareness and consent. In tailgating, the authorized user may not notice the unauthorized person following them. In piggybacking, the authorized user knowingly allows entry but has been deceived about the person's legitimacy.
After-hours exploitation
Attackers monitor employee entry and exit patterns and follow employees during off-hours when security presence is reduced and scrutiny is lower. Late-night or weekend access sees fewer people, making unauthorized individuals more noticeable but also reducing the number of staff who might challenge them. Security personnel may be minimal or absent during these periods.
How does tailgating differ from other security breaches?
Tailgating is specifically unauthorized access through controlled entrances by following authorized personnel or posing as vendors. Other physical breaches involve bypassing locks (lock picking), windows, or other access points. Tailgating exploits human behavior—helpfulness and social conformity—rather than lock vulnerabilities.
Lock picking and forced entry leave physical evidence—damaged locks, broken windows, or triggered alarms. Tailgating leaves minimal physical evidence. Video surveillance may capture it, but identifying tailgating in footage requires knowing which individuals belong in the facility, making post-incident investigation challenging.
Digital security breaches exploit software vulnerabilities, phishing, or malware. Physical breaches like tailgating require on-site presence and timing. The skillsets differ—digital attackers need technical knowledge while tailgating attackers need social engineering skills and physical access to facilities.
Why does tailgating matter?
Tailgating matters because it defeats physical access controls, potentially providing attackers with direct access to systems, data, and facilities that digital attacks cannot easily reach.
Circumventing security investments
Organizations invest heavily in badge systems, access control infrastructure, and perimeter security. Tailgating circumvents these investments through social engineering. A single helpful employee holding a door negates thousands of dollars in physical security technology.
Financial institutions, healthcare providers, and government agencies face elevated tailgating risk due to sensitive data. These sectors often require badge access but may lack rigorous surveillance or strict "no door-holding" enforcement. The combination of security requirements and polite workplace culture creates vulnerability.
Physical access amplifies attack potential
Physical access provides opportunities unavailable to remote attackers:
- Direct access to computers and networks, bypassing firewalls and perimeter defenses
- Installation of keyloggers, network taps, or other physical attack devices
- Theft of documents, devices, or physical media containing sensitive information
- Observation of security procedures, network configurations, or access codes
- Placement of rogue access points enabling persistent remote access
A tailgater who gains access to server rooms, network closets, or executive offices can accomplish in minutes what might take months of sophisticated digital attacks.
Combination with other attacks
Tailgating frequently serves as the entry point for more complex attacks. Once inside, attackers can:
- Use social engineering to obtain credentials from employees
- Photograph or copy sensitive documents
- Install malware directly on systems
- Conduct reconnaissance for future attacks
What are the limitations of tailgating?
Physical proximity requirements
Tailgating must occur at a specific location and time. The attacker cannot conduct tailgating remotely and cannot scale attacks across multiple locations simultaneously. Each facility requires separate physical presence, limiting the number of targets attackers can pursue concurrently.
Geographic constraints mean attackers must be present in the city, or at least the country, where targets are located. International tailgating campaigns require travel and local presence. This contrasts sharply with digital attacks that operate globally without geographic limitation.
Detection risks
Physical access to restricted areas creates observable activity. Security cameras record entry points. Other employees notice unknown individuals. Security personnel can detect suspicious behavior or unfamiliar faces. Extended presence increases detection likelihood.
Unlike digital attacks that can be conducted anonymously from distant locations, tailgating exposes attackers to identification and capture. Security footage provides evidence for investigations. Physical descriptors captured on camera (appearance, height, clothing) can link multiple incidents or identify suspects.
Limited access duration
Once past the secured entrance, the attacker has limited time before being discovered. Extended presence increases detection risk, limiting the time available for data theft, device placement, or reconnaissance.
Employees may notice unfamiliar individuals, especially in smaller organizations or departments where personnel know each other. Questions about identity and purpose expose tailgaters. The attacker must accomplish objectives quickly before attracting attention.
Effectiveness of physical controls
Turnstiles and mantraps that require individual badge authentication for each person significantly reduce tailgating success. These systems make following authorized users mechanically difficult or impossible.
Organizations with strict identity verification policies, security personnel at entry points, and "no badge, no entry" enforcement create multiple barriers to tailgating. The combination of technical controls and human vigilance makes successful attacks substantially more difficult.
Employee awareness impact
Organizations with security training emphasizing "challenge unknown individuals" and "never hold doors for strangers" reduce tailgating effectiveness. Employees who feel empowered to question unfamiliar people create a security culture that defeats social engineering.
Training addresses the social discomfort of challenging others. Many people find confronting strangers uncomfortable or feel it might be rude. Security training gives employees permission and protocols for politely but firmly verifying identity before allowing access.
How can organizations defend against tailgating?
Physical controls
Turnstiles and mantraps that require individual badge authentication for each person represent the most effective technical control. Turnstiles permit only one person per badge swipe, mechanically preventing tailgating. Mantraps create secure vestibules where the entry door must close before the interior door opens, isolating each person for individual verification.
Video surveillance at entry and exit points monitors and records all access. Surveillance serves both deterrent and investigative purposes. Prominent cameras discourage tailgating attempts. Recorded footage enables post-incident investigation, identification of unauthorized individuals, and pattern analysis revealing security weaknesses.
Security personnel actively monitoring entry points and requesting identification create human barriers to tailgating. Guards can challenge individuals who enter without proper credentials, verify visitor identity against approved lists, and escort guests through facilities.
"No badge, no entry" policies requiring all individuals to present credentials eliminate the assumption that people inside facilities belong there. Visible badge requirements enable employees to identify individuals without badges and report them to security.
Doors fitted with automatic closers and short hold-open delays limit the opportunity to exploit door-holding. Doors that close quickly after badge access reduce the window for unauthorized individuals to follow through. Heavy doors or hydraulic closers make holding doors open physically difficult.
Organizational practices
Security awareness training teaching employees to challenge unknown individuals and not hold doors for strangers addresses the social engineering aspect of tailgating. Effective training includes:
- Clear policies about physical security expectations
- Scripts for politely challenging unfamiliar individuals
- Understanding that everyone must badge independently
- Permission to appear "rude" when enforcing security policies
- Recognition that tailgating represents a serious security threat
Clear escalation procedures for reporting suspicious individuals establish what employees should do when they observe potential tailgating. Procedures should include who to contact (security office, specific phone numbers), what information to report (description, location, direction of travel), and expectations about confrontation (observe and report rather than physically confront).
Visitor badge systems requiring sign-in and escort by authorized employees ensure visitors have legitimate business reasons and supervision. Visitor management systems track who enters facilities, who authorized their visit, and when they leave. Visitors should receive distinctive badges clearly identifying them as non-employees.
Access control policies limiting who can grant building access create accountability. Employees should understand they cannot give their own badges to others or allow tailgating. Some organizations implement badge-sharing detection that flags when a single badge is used for multiple people in rapid succession.
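The badge-sharing detection mentioned above can be implemented as a simple pass over the access-control system's event log. The following is an added example written for this page, not code from any vendor's product. It assumes a constructed comma-separated log format (timestamp, badge ID, reader ID, direction, result), a hypothetical 10-second re-use window, and adds a second, related rule (an entry swipe while the badge is already recorded as inside, often called anti-passback) to catch the same badge being used at a different door without an exit in between.

```python
"""Badge-sharing detection over badge-reader events (added example).

Two rules, both with hypothetical thresholds that a site would tune:
  * RAPID_REUSE: the same badge granted entry at the same reader twice
    within RAPID_WINDOW_S seconds (one badge, several people).
  * PASSBACK:    an entry swipe while the badge is already inside
    (no exit recorded since its last entry), e.g. at another door.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RAPID_WINDOW_S = 10  # assumption: one person rarely re-badges the same door within 10 s


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    badge: str
    reader: str
    direction: str  # "IN" or "OUT"
    result: str     # "GRANTED" or "DENIED"


def parse_events(lines):
    """Parse 'ISO-timestamp,badge,reader,direction,result' lines (constructed format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, reader, direction, result = [f.strip() for f in line.split(",")]
        events.append(BadgeEvent(datetime.fromisoformat(ts), badge, reader,
                                 direction.upper(), result.upper()))
    # Process in time order regardless of how the export was sorted.
    return sorted(events, key=lambda e: e.ts)


def detect_badge_sharing(events, rapid_window_s=RAPID_WINDOW_S):
    """Return a list of (rule, badge, reader, timestamp) alerts."""
    alerts = []
    last_entry = {}  # (badge, reader) -> timestamp of last granted IN swipe
    inside = set()   # badges with a granted IN and no later OUT
    for e in events:
        if e.result != "GRANTED":
            continue  # a denied swipe does not open the door
        if e.direction == "OUT":
            inside.discard(e.badge)
            continue
        key = (e.badge, e.reader)
        prev = last_entry.get(key)
        if prev is not None and (e.ts - prev) <= timedelta(seconds=rapid_window_s):
            alerts.append(("RAPID_REUSE", e.badge, e.reader, e.ts))
        elif e.badge in inside:
            alerts.append(("PASSBACK", e.badge, e.reader, e.ts))
        inside.add(e.badge)
        last_entry[key] = e.ts
    return alerts


# Constructed sample log: badge IDs, reader names and times are invented.
SAMPLE_LOG = [
    "# timestamp,badge,reader,direction,result",
    "2024-03-04T08:01:12,B1001,LOBBY-1,IN,GRANTED",
    "2024-03-04T08:01:15,B1001,LOBBY-1,IN,GRANTED",  # same badge 3 s later: rapid re-use
    "2024-03-04T08:02:40,B2002,LOBBY-1,IN,GRANTED",
    "2024-03-04T08:10:05,B2002,LOBBY-1,OUT,GRANTED",
    "2024-03-04T08:10:30,B2002,LOBBY-1,IN,GRANTED",  # left and came back: benign
    "2024-03-04T08:15:00,B3003,LOBBY-1,IN,GRANTED",
    "2024-03-04T08:20:00,B3003,DOCK-2,IN,GRANTED",   # still inside, enters another door: passback
    "2024-03-04T08:21:00,B4004,LOBBY-1,IN,DENIED",
    "2024-03-04T08:21:02,B4004,LOBBY-1,IN,DENIED",   # denied swipes are ignored
]


def run_sample():
    """Run both rules over the constructed log and return the alerts."""
    return detect_badge_sharing(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, badge, reader, ts in run_sample():
        print(f"{ts.isoformat()} {rule:12} badge={badge} reader={reader}")
```

On the sample log this flags B1001 at LOBBY-1 (rapid re-use) and B3003 at DOCK-2 (passback) while leaving B2002's exit-and-return alone. A site without exit readers cannot use the passback rule, and any such detector is only as good as the log's timestamp accuracy and the completeness of exit records, so alerts are best treated as prompts for a camera review rather than proof of sharing.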
Periodic security audits and penetration testing specifically targeting tailgating vulnerabilities identify weaknesses before malicious actors exploit them. Physical security testing by professionals (with proper authorization) reveals which locations, times, or techniques successfully defeat controls.
FAQs
How is tailgating different from other physical security breaches?
Tailgating is specifically unauthorized access through controlled entrances by following authorized personnel or posing as vendors. Other physical breaches involve bypassing locks (lock picking), windows, or other access points. Tailgating exploits human behavior—helpfulness and social conformity—rather than lock vulnerabilities.
The evidence differs significantly. Forced entry, lock picking, or breaking windows leave obvious physical evidence and often trigger alarms. Tailgating leaves minimal evidence unless captured on surveillance video. The breach may not be discovered until unauthorized access is used for further malicious activities.
Detection timing also differs. Forced entry typically triggers immediate alarms or is noticed quickly by security personnel. Tailgating may go undetected indefinitely if the attacker doesn't engage in obviously suspicious behavior once inside. Some tailgating incidents are only discovered during post-incident investigations when reviewing how attackers obtained initial access.
Why do employees hold doors for tailgaters?
Employees hold doors due to social norms around helpfulness and courtesy. Group conformity ("everyone's already in, so this person must belong") and cognitive bias (assuming good faith in others) lead employees to help rather than challenge.
Professional workplace culture emphasizes politeness, collaboration, and helpfulness. These values, while positive for organizational culture, create vulnerability to tailgating. Employees worry that challenging strangers might offend legitimate employees, contractors, or visitors. The potential social awkwardness of incorrectly challenging someone who does belong outweighs perceived security risks.
Organizations address this through training emphasizing "verification first, helpfulness second." Employees learn that politely asking for badges, offering to escort visitors to reception, or contacting security are appropriate responses that protect the organization without being confrontational.
Can technical security controls prevent tailgating?
Partially. Turnstiles requiring individual badge authentication for each person are highly effective technical controls. However, technology cannot eliminate tailgating entirely—a determined attacker can still impersonate a vendor or delivery person to gain escort through secure areas.
Physical security measures like mantraps provide strong protection by creating physical barriers that are difficult to circumvent. These systems make it mechanically challenging for unauthorized individuals to follow authorized users through access points.
However, no technical control is perfect. Impersonation tactics can convince employees to escort attackers, bypassing technical controls through social engineering. Physical security (surveillance, personnel) and employee training remain essential complements to technical controls.
What industries face the highest tailgating risk?
Financial institutions, healthcare providers, and government agencies face elevated risk due to sensitive data, though all organizations with restricted areas are vulnerable. These sectors often require badge access but may lack rigorous surveillance or strict "no door-holding" enforcement.
Financial institutions house valuable data and resources attracting sophisticated attackers. Healthcare facilities contain patient records worth significant sums on black markets. Government agencies handle classified information or critical infrastructure.
However, tailgating risk extends beyond high-security sectors. Corporate espionage targets any organization with valuable intellectual property, strategic plans, or competitive information. Research facilities, technology companies, and manufacturers all represent potential targets. Even small organizations may be targeted as stepping stones in supply chain attacks.
How should employees respond when they see a suspicious person in a secure area?
Immediately report the individual to security personnel without confrontation. Do not assume they belong or have authorization. Organizations should have clear escalation procedures and encourage reporting without punishment for false alarms.
Confronting suspected tailgaters creates personal safety risks and may be counterproductive. If the person is an attacker, confrontation alerts them to detection, potentially triggering dangerous responses. If the person legitimately belongs, confrontation creates awkward situations.
The recommended approach is observing and reporting: note physical description, location, direction of travel, and any identifying features, then immediately contact security. Security personnel trained in challenge protocols can properly verify identity while maintaining safety.
Organizations should create cultures where reporting security concerns is easy, anonymous if desired, and explicitly encouraged. False alarms should be treated as positive security awareness rather than problems.