Impersonation and physical access

The most straightforward way to get into a building is to walk in. Most access control systems are designed around the assumption that someone who is physically present and behaving normally has already been screened by someone else. They are not wrong to make that assumption. The problem is that the screening is usually social rather than procedural, and social screening is easy to pass if you understand what it is actually checking for.

What people assess when a stranger walks into their space is not “do I know this person” but “does this person belong here.” Those are different questions with different answers. Belonging is performed through body language, pace, apparent purpose, and the right supporting props. Identity is harder to fake but also rarely checked.

The mechanics of tailgating

Tailgating, following someone through a controlled door before it closes, works because holding a door for someone is the polite thing to do and challenging a stranger is not. Most employees have internalised this calculation without articulating it. The cost of being wrong about the stranger is diffuse and largely invisible. The cost of being rude to a colleague who forgot their badge is immediate and personal.

Timing matters. Entering immediately behind a group is more reliable than following a single person, who may notice and feel obligated to check. A slightly wider gap, combined with the performance of someone who is about to badge in themselves and just happening to arrive at the same time, is often less conspicuous than pressing close.

Carrying something helps. A person carrying something heavy or awkward has an obvious reason to be grateful for a held door. Equipment cases, cardboard boxes, catering supplies, and laptop bags all communicate a purpose while simultaneously making it more difficult to badge in unaided. The person who holds the door feels helpful. They remember that, not the face.

Roles that travel well

Some impersonation roles have structural advantages. IT contractors move between sites by definition, are rarely on first-name terms with the people they encounter, and have a reason to need access to server rooms, network cabinets, and other restricted areas. They also often work outside normal hours, which explains why the security team doesn’t recognise them. The role pays well across a wide range of targets.

Fire safety inspectors and building surveyors carry an authority that discourages challenge, because refusing to cooperate with either of them implies something worse than cooperating. Facilities staff are nearly invisible in most workplaces; they move through the environment without anyone tracking their route or questioning their purpose.

Delivery personnel are effective at front-of-house access. Nobody wants to turn away a package, and the expectation is that a delivery person will be escorted to a receiving area rather than questioned at length. That brief escort, into a secure area, by someone who is now responsible for you, is often all you need.

What to carry

The supporting materials for an impersonation can be minimal. A lanyard with a visible badge holder, even with a generic or slightly obscured badge inside it, signals that you have already been through some kind of access control somewhere. A clipboard or tablet indicates purpose and documentation. A high-visibility vest confers an almost comical level of unchallenged passage in large facilities.

Printed materials help when challenged. A work order, a delivery manifest, or a visitor confirmation email (real or constructed) gives the person in front of you something to look at other than your face. People who receive a piece of paper tend to process the paper rather than the situation, which is useful.

When things go wrong

The most important skill in physical social engineering is graceful degradation: what do you do when the access you expected isn’t there, the person you named is unavailable, or someone actually asks for ID. The answer is usually to leave, because the cost of pressing forward and failing is much higher than the cost of withdrawing and trying a different approach later.

A confident and apologetic exit is not a failed engagement. It is information about where the controls are tighter than expected, which shapes the next attempt.