Penetration Testing

I Walked Into Your Building With a Box of Donuts

May 23, 2026 · 5 min read

The office had a key card access system, security cameras at every entrance, a receptionist desk staffed during business hours, and a clearly posted visitor policy. It also had a door that stayed propped open during the morning rush because people were coming in with coffee cups in both hands and nobody wanted to be the person who let the door close on a colleague.

I walked in carrying a box of donuts from the place down the street. I was wearing a lanyard with a badge that said my name and the word "CONTRACTOR" in large friendly letters. The badge was not issued by anyone. I made it the night before. Total materials cost: around six dollars, excluding the donuts.

The donuts were twelve dollars. They were very good donuts.

Why This Works Every Single Time

Physical social engineering exploits something that is genuinely not a flaw in human character. It exploits the fact that people are polite, that holding a door open for someone carrying things is considered basic decency, and that challenging a stranger who looks like they belong there feels rude and confrontational in a way that most people in an office environment are not comfortable with.

The contractor badge works because contractors are everywhere. Every office has them. Nobody knows all of them. The slightly unfamiliar face is, in most environments, perfectly normal, and calling it out requires the kind of assertiveness that workplace culture actively discourages.

The donuts work because the moment you carry food into an office, you become extremely popular and approximately nobody asks who you are. I have tested variations of this. Pizza beats donuts in terms of volume of positive attention. A plate of homemade cookies generates more trust than either.

I want to be very clear: I am describing this because it is a documented attack technique that your physical security controls may not account for, not because I am encouraging anyone to defraud a pastry shop in the name of unauthorized access.

What I Found Once I Was Inside

I will not identify the specific organization but I will tell you what I found after walking past the propped door, through the open-plan office area, and into the hallway beyond.

Three unlocked workstations in the first ten minutes. By unlocked I mean screens lit up, user sessions active, nobody at the desk. A printer in the hallway with a two-inch stack of documents that had been sitting there long enough that some of them were from the previous quarter. A server room with a sign that said AUTHORIZED PERSONNEL ONLY and a door that was both closed and not actually latched, which I discovered by leaning against it with my shoulder while pretending to look at my phone.

The most interesting finding was a whiteboard in a conference room visible through a glass wall. It had what appeared to be internal system credentials written on it in blue marker, presumably from a previous meeting, that nobody had erased. I did not photograph it. I noted it in my report and recommended that the office invest in whiteboards with doors or, alternatively, in someone whose job involves erasing things.

The Part Where Technology Doesn't Help

The organization had invested seriously in their digital security posture. Good endpoint protection. Decent network segmentation. MFA deployed widely. They had done a lot of the right things on the technical side.

None of it mattered once I was standing in the hallway.

Physical security and digital security are typically managed by different teams, assessed on different schedules, and funded through different budget lines. The result is organizations that have sophisticated layered defenses against remote attacks and a side entrance that has been propped open with a decorative rock since 2019 because the HVAC system runs hot and the facilities team hasn't gotten around to fixing it.

An attacker with physical access to your environment has options that segmentation and endpoint controls were never designed to remove. They can plug a small device into an ethernet port behind a printer and leave, and the device is now on whatever VLAN that printer port is on. They can photograph whatever is on visible screens or whiteboards. They can collect documents from an unmonitored printer. They can sit down at an unlocked workstation and use a session that already authenticated, which produces no logon event for anyone to alert on. In the right environment, they can do considerably more than that.

The Actual Fix (It Is Not a Technical Fix)

Physical security is a culture problem more than a technology problem. Access control systems are only as good as the behavior of the people who use them. That means tailgating prevention has to be something people actually do, not just a policy that exists.

The practical version of this is not asking employees to be confrontational. It's giving them a script. "Hey, can you badge in? The door auto-locked behind me and I don't want to get in trouble." That framing gives someone a polite, non-accusatory way to ensure that everyone who enters through a door uses their own credentials to do it.
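The badge-in script only pays off if someone also checks, on the digital side, that every interactive logon had a badge event behind it. The following Python is an added example, not code from the original post or the organization it describes: it correlates badge-reader events with workstation logons and flags any logon by a user who has no badge-in within a configurable window. The log formats, door names, hostnames and user names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed badge-reader events (hypothetical format): timestamp, door, user.
BADGE_EVENTS = """\
2026-05-23T08:41:10 main-entrance alice
2026-05-23T08:43:55 main-entrance bob
2026-05-23T08:44:02 side-door carol
"""

# Constructed interactive logon events (hypothetical format): timestamp, host, user.
# dave never badged in; carol badged in the morning but logs on hours later.
LOGON_EVENTS = """\
2026-05-23T08:47:30 ws-014 alice
2026-05-23T08:52:11 ws-027 dave
2026-05-23T09:10:00 ws-031 bob
2026-05-23T13:05:44 ws-027 carol
"""


def parse_events(text):
    """Parse 'timestamp location user' lines into (datetime, location, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, where, user = line.split()
        events.append((datetime.fromisoformat(ts), where, user))
    return events


def logons_without_badge(badge_text, logon_text, window=timedelta(hours=4)):
    """Return (timestamp, host, user) for every logon with no badge-in by that
    user in the preceding `window`. A badge older than the window is treated as
    stale: the person may have left and someone else may be at the desk."""
    badges_by_user = {}
    for ts, _door, user in parse_events(badge_text):
        badges_by_user.setdefault(user, []).append(ts)

    findings = []
    for ts, host, user in parse_events(logon_text):
        recent = [b for b in badges_by_user.get(user, []) if ts - window <= b <= ts]
        if not recent:
            findings.append((ts.isoformat(), host, user))
    return findings


if __name__ == "__main__":
    for ts, host, user in logons_without_badge(BADGE_EVENTS, LOGON_EVENTS):
        print(f"{ts} logon on {host} by {user} with no badge-in within window")
```

With the default four-hour window this flags dave (no badge event at all) and carol (her only badge-in is too old to vouch for an afternoon logon). Widening the window to eight hours clears carol and leaves only dave, so the window is a tuning decision: too short and you page on every long lunch, too long and a morning badge excuses anything. The check only sees new logons; an attacker who sits down at an already-unlocked workstation, as described above, generates no logon event, which is why a short screen-lock timeout is the control that pairs with this one.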

Physical security assessments should be part of your penetration testing program, not a separate thing that happens when someone remembers it exists. If your pentest scope explicitly excludes your physical premises, you have a gap that no amount of EDR software will close.

Also, the donuts are a business expense. I have the receipts.