A solid pretext can be the difference between success and failure for a social engineer. Research, information gathering and planning are all key parts of successful pretexting.
Looking the Part
Again, simple is better, but nevertheless we must look the part we are trying to convince others we are. If we will be a software salesman, then we should dress the part and have rate sheets of the software we are “selling” and even a sales contract or two. These simple props can go a long way in developing trust and rapport. The more we look the part, the more confidence we will have; in turn, that confidence will come across to the target, helping solidify that we are who we say we are. It is best to try to rely on past experiences, or experiences close to our heart, as “acting” those parts will come naturally and be more convincing to those around us. For example, it might be very hard to appear as an insurance salesman if you have never sold insurance before or do not know the lingo. By contrast, you can probably act the part well if you have previously sold insurance.
Things to Avoid
- Pretexting is a valuable tool, so if we overuse the same pretext or become widely known for a certain pretext, it will lose its effectiveness.
- When using the phone for a pretext, at times we will fail. Our natural reaction might be to hang up on the target. This will most likely alert the target to our attempt and make them wary, so we should avoid this tendency. The better option is to plan properly and, if things still go badly, to find a polite way of excusing ourselves until a better time.
- Recording your pretext is a great learning tool. Make sure you have sign-off from the company to record your efforts as part of your penetration test. A good guide to see if taping a call is legal in the United States can be found here.
Being Suitable to the Situation
This topic cannot be ignored, as it can be a major downfall for the social engineer. Trying to act as something that does not fit the location or the period of time can ruin any chance of success. Our pretext should play upon situations that are of concern to the target or would appeal to them. For example, acting as a headhunter to an employee who is disgruntled and may be looking for work would most likely be successful.
Also, playing on circumstances that are relevant and believable can add to credibility. For example, if there was a recent strike or massive layoff, a pretext of a reporter interested in some quotes about that event might be very successful.
Here is a company that seems to specialize in developing pretexts for attorney or private detection services.
Franklin D. Roosevelt
Some have argued that United States President Franklin D. Roosevelt used the attack on Pearl Harbor by Japanese forces on December 7, 1941 as a pretext to enter World War II. American soldiers and supplies had been assisting British and Soviet operations for almost a year by this point. The United States had thus “chosen a side”. However, due to the political climate in the States at the time and some campaign promises made by Roosevelt that he would not send American boys to fight in foreign wars, Roosevelt could not declare war for fear of public backlash. The attack on Pearl Harbor united the American people’s resolve against the Axis powers and created the bellicose atmosphere in which to declare war. Some believe it was even orchestrated by Roosevelt and his advisers.
George W. Bush
Critics have accused United States President George W. Bush of using the September 11th, 2001 attacks and faulty intelligence about the existence of weapons of mass destruction as a pretext for the war in Iraq. Some of these accusations, like A Pretext for War by James Bamford, were arguably “distorted by his own preconceptions.”
Maybe one of the largest examples of a pretext as a business is found here. Perverted Justice is a group of people who act as young girls to lure pedophiles in and entice them so they can be arrested.
USA House of Representatives
Here is a video of the USA House of Representatives meeting on how to prevent pretexting.
The following list shows some examples of how pretexting has been used in entertainment media.
This article shows how penetration testers use pretexting and social engineering to gain access to their clients' sites.
And finally, on Pretexting.net there is some excellent information on pretexting and its negative effects when used by malicious people.