In September 2019, a Chinese national named Yujing Zhang walked past security at Mar-a-Lago carrying a thumb drive loaded with malware. She told the front desk she was there to use the pool. That's tailgating — and it nearly compromised one of the most secured private facilities in the United States. A tailgating attack in cybersecurity doesn't require exploiting a zero-day vulnerability or crafting a sophisticated phishing email. It requires a smile, a lanyard that looks official, and someone willing to hold the door open.

This post breaks down exactly how tailgating attacks work, why they remain one of the most underestimated physical security threats in 2021, and what your organization can do right now to shut them down. If you think your badge-access system is enough, keep reading.

What Is a Tailgating Attack in Cybersecurity?

A tailgating attack — sometimes called "piggybacking" — is a social engineering technique where an unauthorized person gains physical access to a restricted area by following closely behind an authorized individual. The attacker exploits human politeness. Someone's carrying a box of donuts and asks you to hold the door? Most people don't think twice.

Once inside, the threat actor has a staggering number of options. They can plug a rogue device into your network, install keyloggers on unattended workstations, steal documents, plant malware via USB, or simply observe credentials being entered. The 2021 Verizon Data Breach Investigations Report found that physical actions were involved in a meaningful percentage of breaches, and social engineering was present in 36% of all breaches this year — a record high.

The damage isn't hypothetical. It's real, it's measurable, and it starts at the door.

Why Tailgating Attacks Still Work in 2021

Human Nature Beats Technology Every Time

I've seen organizations spend six figures on badge readers, mantrap doors, and biometric scanners — then watched an attacker walk in behind a delivery driver at 8:47 AM during the morning rush. Technology only works if people use it correctly. And people are wired to be polite.

Holding the door for someone feels like basic decency. Challenging a stranger in your building feels confrontational. Attackers know this. They exploit the gap between your security policy and your employees' social instincts.

The Rise of Hybrid Work Created New Gaps

With the massive shift to hybrid work this year, many offices have fewer people on-site. That means fewer familiar faces. Employees returning to offices two or three days a week can't always identify who belongs and who doesn't. This makes tailgating easier than ever.

Visitor management systems get neglected. Reception desks sit empty. Badge policies relax. Every one of these lapses is an invitation for a tailgating attack.

It's Low-Tech and High-Reward

Unlike ransomware operations or credential theft campaigns that require technical infrastructure, a tailgating attack requires almost nothing — a convincing pretext and physical proximity. The attacker's risk is relatively low. If challenged, they simply apologize and leave. If not challenged, they have physical access to your environment, which is often the hardest perimeter to breach remotely.

Real-World Tailgating and Physical Breach Incidents

The Yujing Zhang incident at Mar-a-Lago is the most public example, but it's far from isolated. Penetration testers and red team operators routinely report that physical access is the easiest vector to exploit during engagements.

In 2017, security researcher Jayson E. Street famously demonstrated how he could walk into bank branches across multiple countries, claim to be from IT, and get employees to plug his devices into their networks — all without any technical hacking. His talks at DEF CON documented these social engineering exercises in detail.

The FBI's Internet Crime Complaint Center (IC3) has consistently highlighted social engineering as a top attack vector. While their annual reports focus heavily on digital fraud, the bureau repeatedly emphasizes that physical security failures enable digital compromise. A threat actor who gets inside your building can bypass your firewall entirely.

I've personally conducted physical security assessments where I gained access to server rooms by wearing a polo shirt with a fake vendor logo and carrying a clipboard. The success rate is disturbingly high.

The $4.88M Lesson Behind Physical Access Failures

IBM's 2021 Cost of a Data Breach Report pegged the average breach cost at $4.24 million globally, with the U.S. average even higher. What people miss is that many breaches classified as "insider" or "physical" start with exactly the kind of unauthorized access a tailgating attack provides.

Once a threat actor is inside your building, the attack chain accelerates dramatically. They can:

  • Deploy hardware implants (like a Raspberry Pi or LAN Turtle) on your internal network
  • Access unlocked workstations left by employees at lunch
  • Photograph sensitive documents, whiteboards, and sticky notes with passwords
  • Steal hard drives, backup tapes, or other removable media
  • Install rogue wireless access points for persistent remote access

None of these require a single line of malicious code. And every one of them can lead to a data breach that costs millions.

How to Prevent Tailgating Attacks: Specific Defenses

1. Train Every Employee — Not Just Security Staff

Your receptionist isn't your only line of defense. Every employee who walks through a secured door is a potential gatekeeper — or a potential enabler. Security awareness training must cover tailgating explicitly, with real scenarios and role-playing exercises.

Our cybersecurity awareness training program covers physical security threats like tailgating alongside digital threats like phishing and credential theft. Because in the real world, these attacks work together.

Train people to politely challenge unfamiliar faces. Give them a script: "Hey, I don't think we've met — can I help you find who you're looking for?" Make it a cultural norm, not an awkward confrontation.

2. Implement Mantrap or Airlock Entry Systems

For high-security areas — server rooms, executive suites, R&D labs — a single badge reader isn't enough. Mantrap systems (also called airlock or sally port entries) force one person through at a time. The first door must close and lock before the second door opens. This physically prevents tailgating.

Yes, they're expensive. They're also far cheaper than a breach.

3. Deploy Tailgating Detection Technology

Modern physical security systems use overhead sensors, computer vision, and infrared beams to detect when more than one person passes through a door on a single badge swipe. These systems can trigger alarms, lock doors, or alert security in real time.

Pair these with security cameras that capture entry points in high resolution. Footage is critical for post-incident investigation.
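The correlation such a system performs can be reproduced in a few lines over the logs most badge controllers and overhead people-counters already export. The following is an added example, not code from the original post or any vendor product: it pairs each door-passage count with the granted badge swipes seen at that door inside a short window and raises an alert whenever more people passed than badges were presented. The log format, field names, door identifiers, badge numbers and the 10-second window are constructed assumptions.

```python
"""Flag tailgating by correlating badge swipes with door passage-sensor counts.

Added example for illustration; the log schema below is constructed, not a
real product's export format, and the correlation window is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: badge-reader swipes and overhead-sensor passage counts.
# The 08:47 entry is a classic tailgate (two bodies, one badge); at 08:49 the
# sensor reports two separate passages for one badge; at 08:52 someone passed
# a door after a DENIED swipe (held or forced door).
SAMPLE_LOG = """\
2021-09-14T08:46:51 DOOR-LOBBY-1 SWIPE badge=10421 result=GRANTED
2021-09-14T08:46:53 DOOR-LOBBY-1 PASSAGE count=1
2021-09-14T08:47:10 DOOR-LOBBY-1 SWIPE badge=10387 result=GRANTED
2021-09-14T08:47:12 DOOR-LOBBY-1 PASSAGE count=2
2021-09-14T08:49:00 DOOR-LOBBY-1 SWIPE badge=10500 result=GRANTED
2021-09-14T08:49:02 DOOR-LOBBY-1 PASSAGE count=1
2021-09-14T08:49:05 DOOR-LOBBY-1 PASSAGE count=1
2021-09-14T08:52:03 DOOR-SRV-2 SWIPE badge=10387 result=DENIED
2021-09-14T08:52:05 DOOR-SRV-2 PASSAGE count=1
"""

WINDOW = timedelta(seconds=10)  # assumed: how long a granted swipe stays "fresh"


@dataclass
class Event:
    ts: datetime
    door: str
    kind: str            # "SWIPE" or "PASSAGE"
    fields: Dict[str, str]


@dataclass
class Alert:
    ts: datetime
    door: str
    passages: int        # bodies the sensor counted
    granted_swipes: int  # unconsumed GRANTED swipes available in the window
    badges: List[str]    # badges that did swipe; the excess person is unknown


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp door kind key=value ...' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, kind, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append(Event(datetime.fromisoformat(ts), door, kind, fields))
    return sorted(events, key=lambda e: e.ts)


def detect_tailgating(events: List[Event], window: timedelta = WINDOW) -> List[Alert]:
    """Each PASSAGE event may consume as many fresh GRANTED swipes at the same
    door as it counted bodies. Bodies beyond the available swipes are alerts.
    Consuming swipes matters: a sensor that reports two count=1 passages for
    one swipe must not let the same swipe justify both."""
    events = sorted(events, key=lambda e: e.ts)
    consumed = set()
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "PASSAGE":
            continue
        count = int(ev.fields["count"])
        available = [
            j for j in range(i)
            if j not in consumed
            and events[j].kind == "SWIPE"
            and events[j].door == ev.door
            and events[j].fields.get("result") == "GRANTED"
            and ev.ts - events[j].ts <= window
        ]
        for j in available[:count]:
            consumed.add(j)
        if count > len(available):
            alerts.append(Alert(ev.ts, ev.door, count, len(available),
                                [events[j].fields["badge"] for j in available]))
    return alerts


def run_sample() -> List[Alert]:
    return detect_tailgating(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.door}: {a.passages} passed, {a.granted_swipes} badged "
              f"({', '.join(a.badges) or 'none'}) -> ALERT")
```

On the constructed log this yields three alerts: the two-for-one at 08:47:12, the second unbadged passage at 08:49:05, and the passage through DOOR-SRV-2 with no granted swipe at all. That last shape (passages with zero swipes) is the held-door or forced-door case and deserves a higher severity than an ordinary tailgate. A missed or double-registered swipe will produce false positives, which is exactly why each alert should arrive at the security desk together with the camera clip for that door and timestamp.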

4. Enforce a Strict Visitor Management Policy

Every visitor should be logged, photographed, issued a visible temporary badge, and escorted at all times. No exceptions for delivery personnel, contractors, or "someone from corporate." CISA's physical security guidance emphasizes layered access controls that include visitor management as a core component.

I recommend expiring visitor badges — ones that visually change color after a set number of hours. If someone's wearing a badge that's turned red, everyone knows something's wrong.

5. Combine Physical and Digital Security Awareness

Tailgating doesn't happen in a vacuum. A tailgating attack might be preceded by a phishing email that reveals the target building's layout, employee names, or even the brand of ID badge used. Your security awareness program should treat physical and digital threats as interconnected.

Our phishing awareness training for organizations teaches employees to recognize the social engineering tactics that enable both digital phishing and physical tailgating. When your team understands how threat actors think, they're harder to fool — online or at the front door.

6. Apply Zero Trust Principles to Physical Access

Zero trust isn't just a network architecture concept. Apply it to your building. Don't trust anyone based on appearance, claimed identity, or the fact that they're walking next to someone you know. Verify every person, every time, at every access point.

This means re-badging at each secured zone — not just the front door. It means requiring multi-factor authentication for sensitive areas, such as a badge plus a PIN or biometric scan.
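Expressed as policy, "verify every person at every zone boundary" means each reader decides on its own and never assumes the outer doors did their job. The following is an added example, not part of the original post or any access-control product: a small policy engine where entering a zone requires clearance for that zone, the number of authentication factors the zone demands, and a recorded entry into the enclosing zone. A badge that shows up at an inner door with no record at the outer door is the fingerprint of someone who was let through that outer door without badging, so the request is denied and flagged. The zone tree, clearance table, factor counts and badge numbers are constructed assumptions.

```python
"""Zero-trust physical access policy evaluated independently at every zone
boundary, with anti-passback to catch badges that skipped an outer reader.

Added example for illustration; zones, clearances and badges are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    parent: Optional[str]     # enclosing zone; None means outside the building
    required_factors: int     # 1 = badge only, 2 = badge plus PIN or biometric


# Constructed hierarchy: OUTSIDE -> LOBBY -> OFFICE -> SERVER_ROOM.
ZONES: Dict[str, Zone] = {
    "LOBBY": Zone("LOBBY", None, 1),
    "OFFICE": Zone("OFFICE", "LOBBY", 1),
    "SERVER_ROOM": Zone("SERVER_ROOM", "OFFICE", 2),
}

# Constructed clearances: the zones each badge may enter (least privilege).
CLEARANCE: Dict[str, Set[str]] = {
    "10421": {"LOBBY", "OFFICE", "SERVER_ROOM"},   # sysadmin
    "10387": {"LOBBY", "OFFICE"},                  # office staff
    "10500": {"LOBBY"},                            # visitor badge
}


@dataclass
class State:
    # badge -> zone the badge was last admitted to (None = outside)
    location: Dict[str, Optional[str]] = field(default_factory=dict)


def request_entry(state: State, badge: str, zone: str, factors: int) -> Tuple[bool, str]:
    """Decide one reader request. Every check is made at this boundary,
    regardless of what the outer doors already verified."""
    z = ZONES.get(zone)
    if z is None:
        return False, f"unknown zone {zone}"
    if zone not in CLEARANCE.get(badge, set()):
        return False, f"badge {badge} is not cleared for {zone}"
    if factors < z.required_factors:
        return False, f"{zone} requires {z.required_factors} factors, got {factors}"
    here = state.location.get(badge)
    if here != z.parent:
        # Anti-passback: the badge was never admitted to the enclosing zone,
        # so its holder most likely followed someone through that door.
        return False, (f"badge {badge} last seen in {here or 'OUTSIDE'}, not in "
                       f"{z.parent or 'OUTSIDE'}: possible tailgate, notify security")
    state.location[badge] = zone
    return True, f"badge {badge} admitted to {zone}"


def record_exit(state: State, badge: str) -> None:
    """Leaving a zone returns the badge to the enclosing zone."""
    here = state.location.get(badge)
    if here is not None:
        state.location[badge] = ZONES[here].parent


if __name__ == "__main__":
    s = State()
    for badge, zone, factors in [("10421", "LOBBY", 1), ("10421", "OFFICE", 1),
                                 ("10421", "SERVER_ROOM", 1), ("10421", "SERVER_ROOM", 2),
                                 ("10387", "OFFICE", 1), ("10500", "OFFICE", 1)]:
        print(badge, zone, factors, "->", request_entry(s, badge, zone, factors))
```

Walking a badge through LOBBY, OFFICE and SERVER_ROOM succeeds only with two factors at the server room door, while the staff badge presented at the OFFICE reader with no LOBBY record is refused and flagged even though it is cleared for the office. Exit readers are what keep the anti-passback state honest; without them, the first forgotten badge-out turns the check into a source of lockouts and it gets disabled.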

How Does Tailgating Differ From Other Social Engineering Attacks?

Tailgating is a physical social engineering attack. Unlike phishing (email-based), vishing (voice-based), or pretexting (scenario-based manipulation over any channel), tailgating requires the attacker to be physically present. This makes it higher-risk for the attacker but also higher-reward, because physical access often bypasses entire layers of digital security.

Here's a quick comparison:

  • Phishing: Digital. Targets credentials or deploys malware via email.
  • Pretexting: Can be digital or physical. Attacker creates a fabricated scenario to gain trust.
  • Tailgating: Physical only. Attacker follows authorized person through a secured entry.
  • Baiting: Physical or digital. Attacker leaves infected USB drives or offers enticing downloads.

A sophisticated threat actor combines multiple techniques. They might phish an employee to learn the office layout, then physically tailgate into the building, then plant a rogue device on the network. Defending against one vector while ignoring others leaves you exposed.

Building a Culture That Stops Tailgating

Technology helps. Policies help. But culture is what actually stops tailgating attacks.

I've worked with organizations where employees were genuinely afraid to challenge someone without a badge — they worried about being rude or getting in trouble for confronting the wrong person. That fear is a security vulnerability.

Leadership has to model the behavior. When your VP badges in every single time — even when the security guard knows them by name — it sends a message. When the CEO holds the door for a stranger without checking their badge, that sends a very different message.

Run physical penetration tests. Hire professionals to attempt tailgating at your facilities. Share the results (anonymized) with the entire organization. Nothing changes behavior like seeing how easily your own building was breached.

Reward employees who report suspicious access attempts. Make it part of performance reviews. Make it part of your security culture the same way you treat phishing simulation results.

The Tailgating Attack Cybersecurity Checklist

Use this as a starting point for your next physical security review:

  • All exterior doors require badge or biometric access — no propped doors, ever
  • Employees trained to challenge or report unfamiliar individuals
  • Mantrap entries installed at high-security zones
  • Tailgating detection sensors deployed at primary entry points
  • Visitor management system with photo badges and escort requirements
  • Security cameras covering all entry and exit points with 30+ day retention
  • Regular physical penetration testing (at least annually)
  • Integrated security awareness training covering both physical and digital threats
  • Zero trust applied to physical access — verify at every zone boundary
  • Incident response plan includes physical breach scenarios

Your Firewall Doesn't Protect the Front Door

A tailgating attack in cybersecurity is the reminder that no amount of endpoint detection, multi-factor authentication, or network segmentation matters if someone can walk into your building unchallenged. The most sophisticated digital defenses in the world fail when the attacker is standing next to your server rack.

Start treating your physical perimeter with the same rigor you apply to your digital one. Train your people. Test your defenses. Build a culture where checking a badge isn't rude — it's expected.

If your organization hasn't addressed tailgating in your security awareness program, you have a gap that threat actors already know how to exploit. Close it today.