Frank Abagnale was one of the world’s most infamous hackers. His criminal activities were made famous in the film of his life, “Catch Me If You Can”. Frank did much of his hacking back in the 1960s. He used low-tech social engineering techniques, including ‘Tailgating’, to impersonate a doctor and a pilot to facilitate various financial scams. During his scams, Frank would use false identities to forge checks and cash them in. Frank stole large sums of money and ended up sentenced to 12 years in prison for fraud. Frank has long since left his life of crime and now advises on how to prevent cybercrime.
Frank used social engineering to commit fraud by manipulating situations and people. These attack methods typically focus on weaknesses in human behaviour, exploiting them to initiate cyber attacks including criminal damage, inventory theft, ransomware infection, Business Email Compromise (BEC), and data exposure. The term ‘engineering’ belies the often subtle and low-tech nature of many social engineering issues. Here is a look at the low-tech hacking tactic known as ‘Tailgating’.
What is Tailgating in the Context of a Cyber Threat?
News headlines are filled with massive security breaches, with analysts taking us through the often complex hacks involved. However, not all hacks are digital; many are achieved using low-tech tactics. Even these low-tech attacks can still result in major breaches and theft.
Tailgating, sometimes known as ‘Piggybacking’, is a form of low-tech social engineering that is a physical, rather than digital, hack. However, this physical attack can lead to a digital cyber attack.
A typical example of tailgating is a fraudster gaining access to a corporate building by pretending to be a legitimate visitor, delivery person or similar. Colin Greenless, a consultant at Siemens Enterprise Communications, demonstrated back in 2009 how easy tailgating was and how damaging it could be. Greenless gained unauthorized entry to an FTSE 100 listed financial institution’s building, and within 20 minutes had found a highly sensitive M&A document sitting in plain sight on a desk.
The Psychology of Tailgating
The act of tailgating takes advantage of human behaviour and situations. Tailgating is an in-situ social engineering tactic – that is, the tailgater must be physically present in the environment that they wish to exploit. This brings another important factor in successful tailgating into play, namely pretexting.
Pretexting is probably as old as human society. It is the act of presenting yourself as someone else to obtain sensitive or important information from another individual or group, somewhat like Frank Abagnale did. In the act of tailgating, the offender will often take on a form of identity that makes the target more open to revealing information or performing an act (like opening a door). Pretexting requires research on a target. It is also built upon the notion of trust – what prerequisites help build a trusted persona that makes any social engineering scenario more likely to succeed? For example, if the social engineer wishes to tailgate a target company, they may spend time observing the types of visitors that turn up at the organisation’s building; is there a specific time at which deliveries are made, for example? This intelligence gathering allows the fraudster to build a trusted persona that they can use to manipulate and influence employees into allowing them into a normally secured building or room.
The Damage from Tailgating
Tailgating is not just a case of someone playing the fool and getting into a building for a lark. Tailgating carries malicious intent, and the perpetrators perform this act to cause property damage, steal information, install malware, and even put staff lives at risk. In a recent survey from Boon Edam, 71% of respondents felt at risk from a physical breach due to tailgating.
Tailgating comes in whatever form works and those that carry it out can be ex-employees or strangers.
Ex-employees: According to research, 80% of cyber-liability claims come from employee negligence, including rogue employees. These ex-employees are often disgruntled, seeking revenge and damaging property, and stealing company information and sensitive data to enact this revenge.
Stranger danger: Politeness can lead to data theft and malware infections. During the Colin Greenless tailgating exercise, 17 employees, on request, gave Colin their passwords. Fraudsters typically plan their attack well in advance. They know who to target, and as well as passwords, access badges will be on their must-have list. Being polite to a stranger can lead to compromised accounts, a data breach and even infection through installed malware.
How to Stop Tailgating
A security policy is an important first step in developing methods to stop tailgating events. The policy must reflect the tailgating methods in use and how to stop the tailgater in their tracks. To stop tailgating before it gets under the skin of your organisation, look at the following areas:
Teach employees about what tailgating is, how it happens, and the consequences. This should be part of an ongoing Security Awareness Training program. Security awareness programs should cover all aspects of cyber threats, both digital and physical security.
Encourage a vigilant attitude from employees. Anyone who looks suspicious should be challenged to supply credentials. Better still, set a process in place so that employees can inform a relevant security team member or manager about their suspicions.
Train employees to recognise tailgater actions, such as attempting to gain physical access to restricted areas as an authorised person enters the space. Ensure that employees know that tailgating involves confidence tricks used to build trust.
Being polite is important, but being assertive can help prevent a serious company breach. Employees need to be taught about the tricks of the tailgating trade and how these criminals use the fear of looking impolite to circumvent security.
Shutting the Door on Tailgating
Colin Greenless was a white-hat hacker, and his escapades were made public to help prevent tailgating. However, tailgating is still a commonplace event. A more recent example involved a woman who was able to access a restricted area of the Mar-a-Lago Trump Resort carrying four mobile devices, a laptop computer, an external hard drive, and a thumb drive containing malware. Even with presidential security levels in place, she was able to circumvent security by pretending not to understand questions from security staff, the result being that “security staff blamed a language barrier and admitted her.”
Persons intent on harming an organisation and/or committing fraud will work hard to pull the wool over the eyes of employees. Human traits such as politeness or lack of vigilance, or simply being distracted by work, can lead to nefarious individuals entering an organisation with malicious intent. Employees must be made aware of the dangers of what may seem harmless, like someone popping into an office who perhaps shouldn’t be there. Security Awareness Training will close the door on tailgating and give employees the knowledge needed to tackle this insidious problem.