← Blog

Holding the door: physical social engineering and the friendly stranger

Tenant Strike3 min read

Not every attack happens online. Sometimes someone just walks in behind an employee carrying coffee. Physical social engineering is real, low-tech, and surprisingly easy to overlook.

We put real effort into digital defenses — passwords, multi-factor authentication, email filters — and then hold the door open for a friendly stranger balancing a coffee and a cardboard box. Not every attack arrives over the internet. Some of the most effective ones happen in person, and they rely on the same human instincts as any other con: politeness, helpfulness, and the reluctance to make a scene.

Tailgating: the most common version

Tailgating is simply following an authorized person through a secured door. Someone walks up right behind an employee at a badge reader, arms full, and the employee — being decent — holds the door. No badge, no questions, no record that anyone entered. In an office with locked doors, this quietly defeats the lock.

It works because challenging the person feels awkward. Asking "do you work here?" or "can I see your badge?" cuts against our instinct to be courteous, and attackers count on exactly that hesitation. The coffee, the box, the lanyard with an unreadable card, the phone pressed to their ear — these are props that make the person look busy and legitimate so you won't interrupt them.

The other in-person tricks

Physical social engineering goes beyond doors:

  • The fake delivery or contractor. A high-visibility vest, a clipboard, and a confident "I'm here for the network/copier/inspection" can get someone past reception and into sensitive areas.
  • Shoulder surfing. Watching someone type a password or read a confidential screen — in the office, on a train, in a coffee shop. No break-in required.
  • The unattended desk. A logged-in computer left unlocked while someone steps away is an open door to anyone who walks by.
  • Dumpster diving. Sensitive documents, client lists, and even sticky notes with passwords tossed in the trash rather than shredded.
  • The "new hire" or "auditor." Someone who acts like they belong, drops a few real names, and asks for access or information that a real insider would have.

The goal varies — plugging a device into your network, photographing screens, grabbing documents, or just getting close enough to learn how your business runs for a later attack.

Why small businesses overlook it

Bigger organizations have guards, badge logs, and visitor policies. Small businesses often have a propped-open door, a shared space, and a culture where everyone trusts everyone. That openness is lovely for the workplace and convenient for an attacker. And because these attacks leave little trace, a business may never realize it happened.

Simple habits that close the gaps

You don't need a security desk. You need a few normalized behaviors:

  1. Make it okay to ask. "Hi, can I help you find someone?" is polite, not rude. A culture where everyone greets unfamiliar faces is a strong, friendly defense.
  2. Don't hold secured doors for people you don't recognize. Let them badge in themselves or check in at reception. This is the single most effective habit.
  3. Verify contractors and deliveries. Confirm that a visit was actually scheduled before granting access to sensitive areas. A vest and a clipboard aren't credentials.
  4. Lock screens when you step away. A quick keyboard shortcut to lock the computer should be muscle memory for everyone.
  5. Shred sensitive paper, and keep passwords off sticky notes. Your trash and your monitor shouldn't be a source of credentials.
  6. Be mindful of screens in public. A privacy screen and a habit of facing your laptop away from the room go a long way.

The theme is the same as digital social engineering: a moment of polite verification, made normal, defeats an attack that depends on you not wanting to seem unwelcoming.

Physical and digital security feed each other — many in-person tricks exist only to reach a computer, a network jack, or a login. Tenant Strike handles the digital half, reading your Microsoft 365 and Azure settings to show where access is too broad or too easy if someone does get a foothold. It won't lock your front door, but it makes sure that getting in doesn't quietly mean getting everything.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.