SE101: What's a Pretext?
Explaining pretexting in the context of SE101 and how to fit in with your pretext.
Often when performing some kind of social engineering, you'll need a pretext.
Well, what is a pretext? The Cambridge Dictionary lists it as:
A pretended reason for doing something that is used to hide the real reason
It's a fancy way of saying; it's your back story (or legend as they call it in the UK, undercover, police world).
The back story that you'd use in justification if you were challenged or asked why you're in the server room (when you shouldn't be).
Fitting Your Pretext
If you're physically and socially engineering into a building or office, fit your pretext around your knowledge and skill set, i.e. Don't say you're a plumber if you've never plumbed before.
There's a chance you'll be asked questions and/or terminology you probably do not know about.
But if, like me, you've got an IT Support and IT Network background, these are ideal things to fit your pretext.
If you get challenged, or asked questions, not only do you know the terminology but, more importantly, the answers will come to you quickly and you'll answer confidently.
It's a subject you know; you won't be umming nor arrrr'ing; you'll just answer without thinking about it. Doing that will give the person asking the question no concerns that you shouldn't be there.
There's much more to it than that. Don't just wing it; try to get in, and say you're from IT Support.
It would be best if you did some background research. Do they even have in-house IT Support? Is it outsourced? To whom? Can you use sites like LinkedIn to find the names of IT Support people?
Your Story
Also, you need a story! Why are you there? You can't just turn up and say, "Hi, I'm from IT Support", and expect to be let in (Although, in fairness, I have done this before and, yes, it worked, but it was an exceptional set of circumstances).
It would be best to have a reason to be there, doing what you want/need to do. Think of a story and an explanation and your knowledge and skill set.
You could be from IT Support and there to fix a slow internet issue.
What's great about this, assuming you have an IT Support background, is that it would be difficult to check whether a ticket has been raised, and it's very unlikely someone will check if you are from IT.
More importantly, EVERYONE wants their internet to run fast and smooth.
However, this is just an example. Fit it around your knowledge, your target, and the situation.
Just Because
If you've read Robert Cialdini's book "Influence", there's some excellent psychological research around just using the word "because".
If you walk into a coffee shop and see a massive queue, people will be annoyed with you, if you loudly proclaim, "I need a coffee urgently!". You're going to get booted to the back of the queue.
However, and there's research to prove this, if you say, "I need to jump the queue because my car is double parked", you've got a 94% chance that no one will mutter a word.
What's crazy, and again they've proved this, you could say, "Because the sky is blue", and it would STILL work!? The percentages are less, but still oddly high at 60%.
Match Your Outfit
Whatever you choose as your pretext, match your dress style and outfit to that pretext. There are caveats to this theory.
Let's work through some examples;
You're an IT Support engineer, and from the reconnaissance (Link to come), you've seen that everyone in your target office dresses smartly.
If everyone is dressed in a suit, shirt, tie, nice trousers (pants my American friends), then you need to match that dress style and outfit because it's very likely that the IT Support team will wear the same as the rest as the general office staff.
Ok, that works, but let's say your pretext is you're an outsourced or third-party alarm engineer. Well, that's different.
It's likely that the "company" that you're pretending to work for has an entirely different dress style.
To generalise, there's a good chance it could be a polo neck with an embroidered logo, maybe cargo/work trousers (remember pants US friends).
You'll also need a toolbox, some tools, a clipboard with a worksheet, etc. You get the idea.
What I'm saying is you want things to add up. An alarm engineer probably doesn't wear a suit, but maybe an officer worker doesn't wear a suit either, it might be dressed down.
Do the reconnaissance and find out. This blog is part of a SE101 series, and originally appeared here: