What's a Pretext?

Often when performing some kind of social engineering, you'll need a pretext.

Well, what actually is a pretext? The Cambridge dictionary lists it as:

A pretended reason for doing something that is used to hide the real reason

It's a fancy way of saying; it's your back story (or legend as they call it in the UK, undercover, police world).

The back story that you'd use in justification if you were challenged or asked why you're in the server room (when you shouldn't be).

Fitting Your Pretext

If you're physically socially engineering into a building or office, fit your pretext around your knowledge and skill set, i.e. don't say you're a plumber if you've never plumbed before.

There's a chance you're going to be asked questions, and/or terminology which you probably have no idea about.

But if, like me, you've got an IT Support and IT Network background, these are ideal things to fit you pretext around.

If you get challenged, or asked questions, not only do you know the terminology but, more importantly, the answers will come to you quickly and you'll answer with confidence.

It's a subject you know, you won't be umm'ing nor arrrr'ing, you'll just answer without thinking about it. Doing that will give the person asking the question no concerns that you shouldn't be there.

Obviously there's much more to it than that. Don't just wing it, try to get in, and say you're from IT Support.

You absolutely need to do some background research. Do they even have in house IT Support? Is it outsourced? To who? Can you use sites like LinkedIn to find some names of IT Support people?

Your Story

Also, you need a story! Why are you there? You can't just turn up and say "Hi, I'm from IT Support", and expect to be let in (Although, in fairness, I have done this before and, yes, it worked but it was an exceptional set of circumstances).

You need a reason to be there, doing what you want/need to be doing. Think of a story, a reason, and think about your knowledge and skillset.

You could be from IT Support and there to fix a slow internet issue.

What's great about this, assuming you have an IT Support background, is that it would be difficult to check whether a ticket has been raised, and it's very unlikely someone will actually check you are from IT.

More importantly, EVERYONE wants their internet to run fast and smooth.

However, this is just an example. Fit it around your knowledge, your target, and the situation.

Just Because

If you've read Robert Cialdini's book "Influence", there's some great psychology research around just using the word "because".

If you walk into a coffee shop, and see there's a massive queue, people are going to be annoyed with you, if you loudly proclaim, "I need a coffee urgently!". You're going to get booted to the back of the queue.

However, and there's research to prove this, if you say "I need to jump the queue because my car is double parked" you've got a 94% chance that no one will mutter a word.

What's crazy, and again they've proved this, you could literally say "because the sky is blue" and it would STILL work!? The percentages are less, but still oddly high at 60%.

Match Your Outfit

Whatever you choose as your pretext, match your dress style and outfit to that pretext. There are caveats to this theory.

Lets work through some examples;

You're an IT Support engineer and you've seen, from the reconnaissance (Link to come), that everyone in your target office dresses smartly.

If everyone is dressing in suit, shirt, tie, nice trousers (pants my american friends), then you need to match that dress style and outfit because, it's very likely that the IT Support team will wear the same as the rest as the general office staff.

Ok, so that works, but lets say your pretext is you're an outsourced or third party alarm engineer. Well, that's different.

It's likely that the "company" that you're pretending to work for has a completely different dress style.

To generalise, there's a good chance it could be a polo neck, with an embroidered logo, maybe cargo/work trousers (remember pants US friends).

You'll maybe also need a toolbox, some tools, a clipboard with a work sheet, etc. You get the idea.

What I'm saying is you want things to add up. An alarm engineer probably doesn't wear a suit, but maybe, an officer worker doesn't wear a suit either, it might be dress down.

Do the reconnaissance and find out.