Back to Learning CenterSecurity

What is piggybacking in cybersecurity?

By Samuel ChenardJuly 17, 20266 min read
What is piggybacking in cybersecurity?

Piggybacking in cybersecurity is a physical social engineering attack in which an unauthorized person gains entry to a restricted area because an authorized person knowingly lets them in — usually out of courtesy or under a believable pretext. The defining feature is consent: the employee is aware of the second person and grants access anyway, holding a door, waving them past a badge reader, or accepting a "just this once" excuse.

That consent is what separates piggybacking from tailgating, and it makes it a human-trust problem rather than a purely technical one. No password is cracked and no system is breached; the attacker simply exploits politeness to walk through a door that a badge was supposed to protect.

Quick Takeaways

  • Piggybacking is a physical social engineering attack where an authorized person knowingly grants access to someone who shouldn't have it.
  • The key difference from tailgating is consent: piggybacking involves the insider's awareness and permission; tailgating happens without their knowledge.
  • Common pretexts include posing as a delivery driver, a new hire, a contractor, or someone whose hands are full and needs the door held.
  • Once inside, an attacker can steal devices, plug in rogue hardware, read unlocked screens, or set up later email-based attacks.
  • The term also has a networking sense — piggybacking on an unsecured Wi-Fi connection or an authenticated session.
  • Defenses are layered: access-control vestibules, anti-passback badges, visitor escort policies, and consistent security-awareness training.

What is piggybacking in cybersecurity?

Piggybacking is a way of defeating physical access control by borrowing someone else's authorization. Secure buildings rely on badge readers, PIN pads, and locked doors to ensure only approved people enter sensitive spaces — server rooms, offices, data centres. Piggybacking sidesteps all of it by targeting the person, not the lock.

A typical attempt is quiet and unremarkable. Someone carrying boxes asks an employee to hold the door. A stranger in a hi-vis vest says they're "here to fix the AC" and an employee badges them in. A friendly face claims to be a new starter who hasn't got their badge yet. In each case the authorized person makes a conscious choice to let the other person through — that choice is exactly what the attacker engineered. It is the physical-world cousin of the trust manipulation behind phishing and impersonation attacks.

What is the difference between piggybacking and tailgating?

Piggybacking and tailgating both end with an unauthorized person inside a restricted area, and the words are often used interchangeably — but the mechanism differs on one point: awareness and consent.

  • Piggybacking is consensual. The authorized person knows the other individual is there and deliberately grants access — holding the door, badging them in, or accepting a pretext. It exploits trust and courtesy.
  • Tailgating is non-consensual. The unauthorized person slips in unnoticed, closely following someone through a door before it closes. It exploits inattention and the anonymity of a crowd.
A useful test: if the insider chose to let them in, it's piggybacking; if the insider had no idea, it's tailgating. The distinction matters for defense, because piggybacking is corrected through training and culture ("verify before you grant access"), while tailgating is corrected largely through physical controls that make unnoticed entry impossible.

What can an attacker do after piggybacking in?

Physical access is a powerful foothold, which is why the technique is worth taking seriously even though it sounds low-tech. Once inside, an attacker can:

  • Steal hardware — laptops, drives, or documents left on desks.
  • Plant rogue devices — a keystroke logger, a malicious USB drop, or a small network implant on an open port.
  • Read what's on screen — unlocked workstations, sticky-note passwords, whiteboards with sensitive plans.
  • Set up a follow-on attack — reconnaissance that feeds a later business email compromise or a convincing spear-phishing message that references real internal details.
The last point is the bridge between physical and digital risk: physical intrusion often exists to make a later email or credential attack more believable.

Is piggybacking always physical?

Mostly, but not entirely. The classic meaning is physical entry, and that's how the term is used in most security-awareness contexts. There is also an electronic sense worth knowing:

  • Network piggybacking — using someone's internet connection, typically an unsecured or weakly secured Wi-Fi network, without authorization.
  • Session piggybacking — riding on an already-authenticated session (for example, a workstation a user left logged in) to act with their privileges.
The common thread across all three is the same: the attacker never obtains their own legitimate access. They borrow access that belongs to someone or something already trusted — a person, a network, or a live session.

How do you prevent piggybacking?

Because piggybacking targets people, no single gadget stops it. Layer physical controls with a culture that makes "verify first" the norm:

  • Access-control vestibules (mantraps) and turnstiles allow only one person through per authentication, removing the option to hold a door.
  • Anti-passback badge rules stop a credential from being used to enter again before it has been used to exit, flagging shared or cloned badges.
  • Visible visitor management — sign-in, badges, and a required employee escort — so an unbadged stranger is obviously out of place.
  • A blame-free challenge culture. Train staff that it is expected and encouraged to politely ask an unfamiliar person for a badge, even when it feels awkward. Attackers rely on people not wanting to seem rude.
  • Cameras at entry points deter attempts and provide evidence when something goes wrong.
  • Regular security-awareness training that covers physical tactics, not just email threats, so employees recognise the pretext when they hear it.
Piggybacking is a reminder that security is only as strong as its weakest human moment — and the same trust it exploits at the door is what attackers exploit in your inbox. Palisade closes the email side of that gap: it automates DMARC, SPF, and DKIM so that even an attacker who gets a foot in the door can't also spoof your domain to launch internal-looking phishing. Check where your domain stands with the free Email Security Score.

Frequently asked questions

Is piggybacking illegal?

Gaining access to a restricted area you're not authorized to enter is generally trespassing, and any theft or tampering that follows compounds it. Authorized penetration testers do it legally under a signed scope-of-work agreement; anyone else is committing a physical breach.

Is piggybacking the same as social engineering?

It's a type of social engineering — the physical, in-person variety. Like phishing and pretexting, it manipulates human trust rather than breaking a technical control, just at a doorway instead of over email.

Can technology alone stop piggybacking?

No. Mantraps, turnstiles, and anti-passback badges make it much harder, but a determined attacker still relies on a helpful employee. Physical controls plus a challenge-friendly culture and ongoing training are what actually reduce the risk.

How is piggybacking different from a lookalike-domain attack?

Piggybacking is a physical-entry technique; a lookalike-domain attack is purely digital, using a near-identical domain to impersonate a brand over email. Both abuse trust, but one happens at a door and the other in an inbox.

Share this article

Samuel Chenard

Written by

Samuel Chenard

CEO & Co-Founder, Palisade

Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.

More from Samuel

Related articles