In 2019, two penetration testers hired by Iowa's judicial branch were arrested inside a county courthouse they had entered after hours, even though the engagement had been authorized. The incident made national headlines and exposed a painful truth: your firewalls, endpoint detection, and zero trust architecture mean nothing when someone can walk right through your front door.

That's the essence of a tailgating attack in cybersecurity. It's the lowest-tech, highest-impact social engineering tactic in a threat actor's playbook. And I've seen it work at Fortune 500 companies, hospitals, and government agencies alike. If your security strategy stops at the network perimeter, you've left the physical perimeter wide open.

This post breaks down exactly how tailgating attacks work, why they succeed so often, and the specific countermeasures that actually stop them. Whether you run a ten-person office or a multi-building campus, the threat is real — and the fix is within reach.

What Is a Tailgating Attack in Cybersecurity?

A tailgating attack — sometimes called "piggybacking" — happens when an unauthorized person gains physical access to a restricted area by following closely behind someone who has legitimate access. The attacker doesn't pick a lock or hack a badge reader. They exploit human politeness.

You've done it yourself. Someone's walking in behind you carrying a box of donuts. They smile. You hold the door. Congratulations — you just defeated a $50,000 access control system with good manners.

Tailgating vs. Piggybacking: Is There a Difference?

Some security frameworks distinguish the two. Tailgating typically refers to following someone without their knowledge. Piggybacking means the authorized person knowingly lets the attacker in. In practice, both produce the same result: an unauthorized individual inside your secure space. For defensive purposes, treat them identically.

Why Tailgating Attacks Work Almost Every Time

The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. Social engineering — the category tailgating falls under — remains one of the most effective attack vectors because it targets trust, habit, and social pressure instead of software vulnerabilities.

Here's what I've observed after years of physical penetration testing and security awareness work:

  • Cultural conditioning. We're raised to hold doors for people. Challenging a stranger feels rude, even confrontational. Attackers know this and exploit it ruthlessly.
  • Uniform trust. A delivery uniform, a hard hat, or a lanyard with a fake badge creates instant credibility. People don't inspect — they assume.
  • Busy environments. During shift changes, lunch rushes, or large meetings, doors open and close constantly. Nobody tracks who's actually badging in.
  • Lack of training. Most employees have never been told that holding a door open is a security risk. If you haven't explicitly trained on it, you can't expect compliant behavior.

The 2020 CISA assessment of federal agencies found that physical security controls were among the most inconsistently implemented defenses across government facilities. If federal agencies struggle with this, your organization probably does too.

The $4.88M Reason You Can't Ignore Physical Access

IBM's 2024 Cost of a Data Breach Report put the global average cost of a data breach at $4.88 million. While most people associate breaches with phishing emails and credential theft, physical access is often the first domino.

Once inside, a threat actor can:

  • Plug a rogue device (a small implant with cellular or Wi-Fi backhaul) into an open Ethernet port, creating a foothold inside your firewall.
  • Install a hardware keylogger on a shared workstation.
  • Access unlocked computers and exfiltrate data directly.
  • Photograph sensitive documents, whiteboards, or screen contents.
  • Plant ransomware via USB in a matter of seconds.
  • Access server rooms, network closets, or IDF panels.

A tailgating attack in cybersecurity isn't just a physical security problem. It's the starting point for network compromise, data breach, and potentially catastrophic operational disruption.

Real-World Tailgating Scenarios I've Encountered

I won't name clients, but I'll share patterns that repeat across industries.

The Delivery Driver

An attacker shows up at a side entrance in a brown uniform carrying a box. An employee holds the door. The "delivery driver" walks past the lobby, finds an empty conference room, and plugs a small device into the wall jack. Within minutes, the penetration testing team has remote access to the internal network.

The New Employee

A well-dressed person lingers near the entrance during the morning rush, holding a coffee and a laptop bag. They strike up a conversation with someone badging in: "First week — I left my badge at my desk." The employee holds the door without a second thought. It works almost 100% of the time in my experience.

The Smoker's Entrance

Side doors propped open for smoke breaks are the single most exploited physical vulnerability I've seen. No badge required. No social engineering necessary. Just walk in.

How to Prevent Tailgating Attacks: Specific Countermeasures

Stopping tailgating requires a layered approach — exactly like defending against digital threats. No single control is sufficient.

1. Deploy Physical Access Controls That Enforce One-at-a-Time Entry

Mantraps (interlocking doors), turnstiles, and optical or infrared sensors that count how many people pass per badge swipe are your first line of defense. These are especially critical for server rooms, data centers, and executive floors. Yes, they cost money. They cost far less than a breach.

2. Train Every Employee — Not Just Security Staff

This is where most organizations fail. Your receptionist can't be the only person responsible for access control. Every employee needs to understand that allowing someone to follow them through a secure door is a security violation, not a courtesy.

Effective cybersecurity awareness training covers tailgating as a core social engineering tactic alongside phishing, pretexting, and baiting. If your training program only covers email threats, it's incomplete.

3. Run Physical Social Engineering Simulations

You run phishing simulations. You should run tailgating simulations too. Hire a penetration testing firm or designate internal staff to test physical access controls quarterly. Measure how often employees hold doors, how quickly they report suspicious individuals, and whether badge policies are followed.

Organizations already running phishing awareness training for their teams can extend the same measurement-and-improvement mindset to physical security.

4. Implement a Visible Badge Policy

Every person in your facility should wear a visible badge at all times. Color-code them: employees get one color, contractors another, visitors a third. Train employees to politely challenge anyone without a visible badge. Give them a script — something like: "Hey, I don't see your badge. Can I help you check in at the front desk?"

5. Eliminate Propped Doors

Install door-prop alarms on every exterior and restricted-area door. When a door is held open beyond a set threshold (typically tens of seconds, tuned per door), it triggers an audible alert and notifies security. This single control removes one of the easiest tailgating vectors, but only if someone actually responds: an alarm that staff learn to ignore is just noise, so pair it with a documented response procedure.

6. Use Video Surveillance Strategically

Cameras at entry points should capture faces, not just the tops of heads. Pair surveillance with analytics that flag anomalies — like a door opening without a corresponding badge swipe. Review footage regularly, not just after an incident.
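As an added example (not code from the original post or from any access-control vendor), here is a small Python detector that applies the three signals described in countermeasures 1, 5 and 6 to an access-control event export: a door opened without a granted badge swipe or request-to-exit shortly before it, more than one person counted through a single opening, and a door held open past the prop-alarm threshold. The JSON-lines schema, door names, badge IDs, thresholds and the sample events are all constructed assumptions; real controllers export different formats.

```python
"""Flag tailgating indicators in a physical-access event log.

Added example for this article; not code from the original page or from
any real access-control product. The log schema (JSON lines with the
fields used below), door names, badge IDs and thresholds are hypothetical,
and the sample events are constructed to exercise each rule.
"""
import json
from datetime import datetime, timedelta

# Tunables a site would derive from its own door timings (assumed values).
SWIPE_WINDOW = timedelta(seconds=5)          # door must open this soon after a granted swipe or exit request
HELD_OPEN_THRESHOLD = timedelta(seconds=30)  # door-prop alarm threshold

# Constructed sample: one JSON object per line, in controller emission order.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01", "door": "D-EAST", "type": "badge", "badge": "E1042", "result": "granted"}
{"ts": "2024-05-01T08:00:03", "door": "D-EAST", "type": "door_open", "count": 1}
{"ts": "2024-05-01T08:00:07", "door": "D-EAST", "type": "door_close"}
{"ts": "2024-05-01T08:05:10", "door": "D-EAST", "type": "badge", "badge": "E2210", "result": "granted"}
{"ts": "2024-05-01T08:05:12", "door": "D-EAST", "type": "door_open", "count": 2}
{"ts": "2024-05-01T08:05:16", "door": "D-EAST", "type": "door_close"}
{"ts": "2024-05-01T10:15:00", "door": "D-SIDE", "type": "rex"}
{"ts": "2024-05-01T10:15:01", "door": "D-SIDE", "type": "door_open", "count": 1}
{"ts": "2024-05-01T10:17:30", "door": "D-SIDE", "type": "door_close"}
{"ts": "2024-05-01T12:30:00", "door": "D-SIDE", "type": "badge", "badge": "V0007", "result": "denied"}
{"ts": "2024-05-01T12:30:04", "door": "D-SIDE", "type": "door_open", "count": 1}
{"ts": "2024-05-01T12:30:08", "door": "D-SIDE", "type": "door_close"}
"""


def parse_events(text):
    """Parse JSON-lines access events, converting timestamps to datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_tailgating(events):
    """Return alerts for: open without authorization, multiple entrants per opening, held-open door."""
    last_auth = {}   # door -> time of the last granted badge or request-to-exit (REX) on that door
    opened_at = {}   # door -> time the door was last opened and not yet closed
    alerts = []
    for ev in events:
        door, ts, kind = ev["door"], ev["ts"], ev["type"]
        if (kind == "badge" and ev["result"] == "granted") or kind == "rex":
            last_auth[door] = ts
        elif kind == "door_open":
            auth = last_auth.get(door)
            # A denied swipe never sets last_auth, so "denied then opened" lands here too.
            if auth is None or ts - auth > SWIPE_WINDOW:
                alerts.append({"kind": "open_without_auth", "door": door, "ts": ts})
            # Optical/IR people counter reported more than one body for one opening.
            if ev.get("count", 1) > 1:
                alerts.append({"kind": "multiple_entrants", "door": door, "ts": ts, "count": ev["count"]})
            opened_at[door] = ts
            # One authorization admits one opening; a second opening needs a fresh swipe.
            last_auth.pop(door, None)
        elif kind == "door_close":
            start = opened_at.pop(door, None)
            if start is not None and ts - start > HELD_OPEN_THRESHOLD:
                alerts.append({"kind": "held_open", "door": door, "ts": start,
                               "seconds": (ts - start).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_tailgating(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, this reports the two-person entry on D-EAST at 08:05, the side door held open for 149 seconds after a request-to-exit (the smoker's-door pattern), and the D-SIDE opening at 12:30 that followed a denied badge with no valid authorization. A production version would run as a stream and raise the held-open alarm when the threshold is crossed rather than waiting for the close event, and it would handle exit-only doors and scheduled unlock periods, which this batch example deliberately omits.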

7. Apply Zero Trust Principles to Physical Space

Zero trust isn't just a network architecture concept. The same principle — never trust, always verify — applies to physical access. No one gets a pass because they "look like they belong." Verify identity at every access point, every time.

What to Do When You Catch a Tailgating Attempt

Your incident response plan should cover physical intrusions, not just digital ones. Here's a practical response framework:

  • Challenge politely but firmly. Ask the person to identify themselves and show credentials.
  • Do not physically block or restrain. Your employees aren't security guards. They should observe, report, and disengage if they feel unsafe.
  • Notify security immediately. Use a dedicated channel — phone number, radio, or panic button.
  • Document everything. Time, location, physical description, direction of travel. This matters for the investigation.
  • Report to management and update training. Every real or attempted tailgating incident is training material for the next awareness session.

How Does a Tailgating Attack Differ from Other Social Engineering?

A tailgating attack exploits physical access controls rather than digital ones. Unlike phishing (which arrives by email) or vishing (which arrives by phone), tailgating requires the attacker to be physically present; pretexting, the fabricated backstory that lends an intruder credibility, often rides along with it, as in the "new employee" scenario above. Physical presence raises the attacker's personal risk but makes the attack harder for the organization to detect remotely. There are no email headers to analyze and no IP addresses to trace. Your defense is your people and your physical infrastructure, nothing else.

Building a Culture Where Challenging Strangers Is Normal

The hardest part of preventing tailgating attacks isn't technology. It's culture. You need to build an environment where employees feel empowered — even expected — to challenge unfamiliar faces at access points.

This requires three things:

  • Leadership buy-in. Executives must follow the same badge policies as everyone else. When the CEO holds a door for a stranger, the policy is dead.
  • Positive reinforcement. Recognize employees who challenge unauthorized access. Never punish someone for being "rude" to a visitor who turned out to be legitimate.
  • Regular reinforcement. One annual training isn't enough. Monthly reminders, posters near access points, and periodic simulations keep physical security awareness top of mind.

NIST Special Publication 800-50 outlines a framework for building a security awareness and training program that includes physical security components. It's worth reviewing if you're building or revamping your program: https://csrc.nist.gov/publications/detail/sp/800-50/rev-1/final.

Tailgating and Compliance: What Auditors Look For

If your organization is subject to HIPAA, PCI DSS, SOC 2, or CMMC, physical access control is explicitly in scope. PCI DSS Requirement 9, for example, requires that physical access to systems handling cardholder data be restricted and monitored. A successful tailgating attack is a compliance failure — and potentially a reportable incident.

Auditors will check for:

  • Documented physical access policies
  • Evidence of employee training on physical security
  • Visitor management logs
  • Badge issuance and revocation procedures
  • Surveillance footage retention and review processes

If you can't demonstrate these controls, expect findings. And findings become expensive fast.

Your Digital Defenses Are Only as Strong as Your Front Door

I've watched organizations spend millions on next-gen firewalls, SIEM platforms, and multi-factor authentication — then leave a side door propped open with a rock. A tailgating attack in cybersecurity renders all of those investments irrelevant the moment an unauthorized person walks past them.

Physical and digital security are not separate disciplines. They are two sides of the same defense. If your security awareness program doesn't cover tailgating, social engineering at the physical layer, and proper access control behavior, you have a gap that threat actors will find.

Start closing that gap today. Enroll your team in comprehensive cybersecurity awareness training that covers the full spectrum of threats — from phishing emails to propped-open doors. And if email-based social engineering is your primary concern, targeted phishing awareness training gives your people the practice they need to recognize and report attacks before damage is done.

The most dangerous breach vector isn't a zero-day exploit. It's a held door and a friendly smile.