Common Physical Social Engineering Techniques

Understanding attack methods enables better defense:

Tailgating (Piggybacking): The most common physical attack involves following authorized personnel through secure entrances. Attackers exploit politeness—people hold doors for others—and the awkwardness of challenging someone who appears to belong. Variations include carrying packages to prompt door-holding or timing arrival with groups to blend in.

Impersonation: Attackers pose as employees, contractors, or service personnel to gain access. Common impersonations include:

IT technicians needing system access
Maintenance workers or cleaners
Delivery personnel with packages
Inspectors or auditors
New employees on their first day
Executives or VIPs expecting deference

Pretexting for Physical Access: Creating believable scenarios that justify presence:

Scheduled meetings with employees who are absent
Emergency repairs requiring immediate access
Interviews or consultations
Lost and needing directions (reconnaissance)
Smoking area conversations to build rapport

Dumpster Diving: Though unglamorous, searching trash remains effective for gathering:

Discarded documents with sensitive information
Old equipment containing data
Employee directories and organizational charts
Passwords written on sticky notes
Calendars showing meeting schedules and travel

Shoulder Surfing: Observing people entering sensitive information:

Watching password entry at keyboards
Viewing screens in public spaces
Photographing whiteboards with sensitive data
Listening to confidential conversations
Observing security procedures and patterns