Definition of the Day: Piggybacking

Piggybacking is a social engineering attack type that gives someone without proper access the ability to gain access to a restricted area, usually by physically following an employee.

The most common incarnation of this attack occurs when the would-be hacker impersonates a delivery driver trying to deliver a package to an office building. The fake delivery driver follows a credentialed worker to the entry point and, because the delivery driver has his hands full with a large package, asks the employee to hold the door for him.

This sort of attack rarely works in offices that have controlled, key-card type access. It is, however, highly effective in smaller offices, where the driver is able to strike up a conversation with the employee and win trust through familiarity.

One famous example of successful piggybacking comes from Siemens Enterprise security consultant Colin Greenless. To test the vulnerability of a publicly-traded financial firm, Greenless piggybacked his way into a central office where he worked, undetected, for 3 days. During that time he used other social engineering techniques to gain the user names and passwords of 17 employees, which gave him deep access into the company’s network and sensitive data.

The full story can be read here.
