No, we are not warning you against hanging out with friends and family in the parking lot outside of a game. What we are warning you about is a form of social engineering attack called “tailgating” or “piggybacking.” Tailgating, in this sense, means an attacker gains physical access to a building by following a person who has legitimate access through an entrance that is unattended or protected only by a controlled-access mechanism such as a key card or door code. Once someone with a badge opens the door, the control has been bypassed for anyone who walks in behind them.
You might think to yourself, “I would never do that. Who would allow a stranger into a secured area?” The answer is that quite a few of us would, and it might actually feel awkward not to.
Consider the following scenarios:
Scenario 1: A person carrying a large box runs up as you are opening a door. “Hey! Can you hold the door for me?”
Scenario 2: A delivery person comes up behind you with a dolly full of packages. It is raining outside.
Scenario 3: A person is already standing in front of the door, rummaging through their backpack. They look up at you, “I know I had my badge in here.”
Do you say “no” to the person in Scenario 1? Just walk on in and shut the door in their face? You might think to yourself, “Of course! I don’t know them, so I wouldn’t let them in the building.” But do you know everyone who works in your office? A lot of us have been in lockdown for a while now, and there may be many new employees you have never met. Many of us would find it hard to say no to the person in Scenario 1 and would in fact reflexively hold the door open for them as requested, because it is the polite thing to do.
How about the delivery person in Scenario 2? Would you make that person walk around the building to the entrance where packages are supposed to be delivered? Would you find that difficult to do, especially because it is raining?
And what about the person in Scenario 3? Again, they could in fact be a legitimate employee who has the right to be in the building and simply can’t find their badge. Do you just let them in? Do you shrug at them and walk in, leaving them standing outside fumbling through their backpack? What if they assume you are going to let them in and simply start walking in behind you? Do you stop them from following you in? Maybe, but this can be incredibly hard to do. Again, it doesn’t seem like the polite thing to do.
Would your reaction be any different if the person in the scenario mentioned the name of one of your coworkers? Maybe the person in Scenario 1 says, “Rand asked me to grab this for him, I forgot my key card at my desk.” Or the delivery person says, “Penny Testin told me to deliver to this door.” Would knowing a coworker’s name make their request seem more legitimate? Would you let them in then? Keep in mind that employee names are easy to find, on a company website, on social media, or on a sign-in sheet in a lobby, so a name alone proves nothing about who is speaking.
Unfortunately, all of these people could be attackers. They are counting on our knee-jerk reaction to be polite, and on our natural discomfort at refusing entry to someone standing right in front of us. This is how social engineering attacks work: they rely on human beings responding in a predictable manner. This doesn’t mean we need to be rude, but it does mean we may have to take a few moments to verify. If you don’t know the people in Scenarios 1 and 3 who are claiming to be employees, tell them you are happy to meet them, but that you need to verify them before they come in. Or simply apologize, tell them you can’t let them in for security reasons, and direct them to the entrance where a security person is on duty or to the reception area. The same applies to the delivery person in Scenario 2: deliveries go to the designated delivery entrance, even in the rain. Most importantly, be aware!