4
Becoming Anyone You Want to Be

Everything you can imagine is real.

—PABLO PICASSO

If I could, I would have this chapter open with the Mission: Impossible theme song, but sadly we haven't figured out how to embed music into the pages of a book. But at least I have you thinking about that catchy tune, which is fitting for this chapter.

Becoming anyone you want to be—which in social engineering is called pretexting—sounds super sexy. Some people define pretexting using words like lie, falsehoods, and other negative terms. However, I like to define pretexting in more general terms. The way I explain it in The Social Engineering Framework on my company's website (www.social-engineer.org/framework/influencing-others/pretexting) is this:

Pretexting is defined as the practice of presenting oneself as someone else in order to obtain private information. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. Pretexting is also not a one-size-fits-all solution. A social engineer will have to develop many different pretexts over their career. All of them will have one thing in common: research.

In one job, I had to break into seven different warehouses, and I decided to pose as a fire extinguisher inspector. In another job, we had to gain entry to the C Suite and the mail room of a company, so I pretended to be a pest control serviceman. For yet another job, I had to gain access to the security operations center (SOC) and network operations center (NOC), so I started off as an interviewee for a job, but after I gained access to the building, I had to switch to something else—so I posed as a manager from out of state. I've also presented myself as the head of human resources (HR) and a phone support rep. I could go on and on, but you get the idea: I've played lots of different roles.

The point is that there is no such thing as one pretext that fits all situations, and that is why this chapter is so important. I spend most of the chapter talking about the principles of pretexting and how you can apply them to any situation, whether you are social engineering via phone, email, social media, or in person. I take you through one job that I feel helps truly explain all these principles.

The following are the principles I discuss in this chapter:

  • Thinking through your goals
  • Understanding reality versus fiction
  • Knowing how far to go
  • Avoiding short-term memory loss
  • Getting support for pretexting
  • Executing the pretext

Pretexting can be one of the most fun parts of the job, but it can also be one of the most dangerous. If you do not apply these principles, there can be drastic consequences. I will tell you stories of both successes and failures when it comes to pretexting.

Knowing how to pretext is vital if you want to have a career as a professional social engineer. It can truly make the difference between success and failure on the job.

The Principles of Pretexting

Before I delve into each one of the principles, I want to discuss a technique that has helped many aspiring social engineers: method acting or improvisation (aka improv).

Many cities offer method acting or improv classes that anyone can attend for a couple weekends. Many of the tips I give you in this book are covered in those kinds of classes, but the classes can give you something that a book can't help you with: experience.

A method acting or improv class can help you learn to step out of your comfort zone, get into character, and learn what is needed to successfully plan and execute pretexts in the wild. However, not everyone reading this book will be able to find a local class. No worries: you can purchase a DVD called Uta Hagen's Acting Class from Amazon.com (www.amazon.com/Uta-Hagens-Acting-Class-DVDs/dp/B0001Z3IHG). You can also find the video by searching YouTube. This excellent resource takes you through the steps of pretexting and getting into character.

However, even with a good acting class or video, you still need to know the six best tips for learning to pretext. Let's get started with the first one.

Principle One: Thinking Through Your Goals

Fire extinguisher inspector, pest control serviceman, HR manager—these are just a few of the pretexts I mentioned that I have used. How did I go about determining which one to use at each location or target?

It all starts with OSINT, where I dig into the details of the person or company and look for relevant stories, news, hobbies, likes, dislikes, events, and so on (and which I cover in more detail in Chapter 2, “Do You See What I See?”). These significant bits of data can tell me a lot about which pretext I should focus on. But there is one other key piece of information that will determine which pretext jumps out of my arsenal into action: the goal. Understanding what it is I am trying to accomplish is more important than just understanding the business I am trying to infiltrate. Let me illustrate by telling you a story that I call, “The 18th-Floor Escapade.”

I was hired to gain entry to the 18th floor of a secure building. The building was owned and operated by a property management company that was not my client (a company that produces online audio content). The only floor I was allowed to gain access to in this test was the 18th. Generally, this company does not allow walk-in appointments. The elevators were key-carded. And corporate headquarters was in another state.

During the OSINT phase, my team had found very little about the names and identities of the client company's employees who worked inside the target building. However, we did find the name of a manager at the company as well as some of the content that manager produced there. Additionally, we located some documents on a file server that the company didn't intend to be public: a safety checklist, some internal communications newsletters, marketing material about upcoming projects, and a few other miscellaneous documents.

Based on just this information, what seems like a good pretext to you? Think about it for a second before reading on. Try to come up with at least one pretext.

Maybe you thought of an elevator repairman? That would give you reason to be in the elevator without alarming security. Maybe you thought of a rep from the company's headquarters who was at the office to conduct a surprise audit? Or maybe you thought of a different pretext that I didn't even mention here.

Here are a few other details that will help inform the pretext: My mission, if I did get inside the building and to the 18th floor, was to successfully take video and photos of exits and entryways. I was to take photos of any unlocked computers and try to get pictures of any papers or projects that were not public.

Given all those details, I had to make sure my pretext covered the ability to roam close to computers and desks, and I had to either have a camera out or be able to use a hidden camera to get the required photos.

An elevator repairman would have been a terrible pretext to accomplish the goals. Would it have gotten me in the building? Yes, but I wouldn't have gotten anywhere near my goals.

Posing as a representative from headquarters might have gotten me into the building and onto the floor and even into offices, but there would have been limitations. I would have needed to know who worked in that office so my “surprise visit” could be fruitful.

From the safety checklist that I'd found on the file server, I learned that this company had strict guidelines about their staircase doors. They were never to be unlocked from the staircase. As a matter of fact, there weren't even supposed to be handles on the doors that were accessible from the stairwell.

Using this information, I developed a pretext that I was a third-party safety consultant. Because of a problem found in another branch, I had been sent to do quick 15-minute checks of the exits to ensure that proper policies were being followed. My visit was not announced, so the staff at the office I was visiting could be surprised and be found handling things correctly without any warning. To assure the client that I was honest, I needed to record the whole event on my camera.

Do you see how having specific goals changed my pretext for the better? Having the full details enabled me to develop a part of the pretext that helped me achieve all my goals without causing alarm. Powerful, right?

Armed with this information, let's jump into the second principle, where I'll give you more details about “The 18th-Floor Escapade.”

Principle Two: Understanding Reality vs. Fiction

This principle can be easily defined by explaining how much easier it is to remember your pretext if you base it in reality—for you and for the target. By this, I mean you should try to use pieces of your real life and use knowledge you already have or can easily assimilate. I often tell people that I think one of the hardest relationships to fake is a father-daughter relationship. I didn't understand this relationship until I had my own daughter. The way I talk about her and the emotions I feel are near impossible to fake, I think. If I didn't have a daughter but needed to build rapport with a target who did, it would be dangerous to have a pretext that includes a fake daughter. But, I can have a niece, right?

My point is that your pretext should be based on facts, emotions, and knowledge that you already possess or can easily fake. Going back to some of my proposed pretexts from the previous section, I know very little about elevators and their operation, so trying to fake my way as an elevator repairman would most likely have led to my failure if I were to be quizzed.

In addition, I tend to choose a name that I can easily answer to. Some people can answer to a name that is not theirs, but most choose to go with one that they have used or been called or that is a variation of their name.

This probably goes without saying, but generally, I try to stick with male characters for onsite, in-person social engineering. But I have pretexted as a female when doing online, social media, and even phone social engineering.

In terms of reality for the target, you should try to base your pretext on something that will keep your target in that alpha mode. (You might remember the discussion of alpha mode in Chapter 1, “A Look into the World of Social Engineering.”)

If the subject is familiar to the target—meaning the words, titles, and context are expected—then you are more likely to leave the target in alpha mode so the person isn't alerted to potential danger.

For my “The 18th-Floor Escapade,” I was using a document that I had found during OSINT. I wasn't trying to learn new skills, so I was not only in the reality zone for my targets but also in my own reality zone.

Sometimes, though, as you start to plan out the reality, you may have trouble trying to decide how much is too much.

Principle Three: Knowing How Far to Go

Knowing how far to go—without going too far—is very important. In my classes, I often have students who want to build whole lives for their pretexts. Some want to get as detailed as what they ate at their 11th birthday party.

When it comes to deciding how much detail to create, keep this in mind: people will only care about what they have to in order to complete the “social contract” you have created.

Let me elaborate on that a bit. In my safety-inspector pretext for “The 18th-Floor Escapade,” what do you think the target cared about?

In this case, they didn't care about my kids' names, my dogs, or what I had for breakfast. They cared about the four questions I mention in Chapter 3, “Profiling People Through Communication”:

  • Who are you?
  • What do you want?
  • Are you a threat?
  • How long will this take?

Let's think through what the target will want to know ASAP regarding my pretext:

Q: Who are you?
A: I am a safety inspector sent by corporate to do a very quick audit to ensure all policies are being followed.
Q: What do you want?
A: I just need about 15 minutes of your time to do this quick audit.
Q: Are you a threat?
A: There is an urgent need for me to do this, but no one is in trouble at all.
Q: How long will this take?
A: Hopefully less than 15 minutes.

The rest of the details are extras that the target doesn't need or care about. Does that mean you can go in unprepared? Not at all. You should still be prepared with some basic information about your “character” in case your target asks. So, I developed a pretext that followed a path like this:

  • I am Phil Williams, a 40-year-old safety inspector. I have one child. I'm married. I don't have any pets, but I love dogs and cats. I'm pretty boring; I go to work and go home. I've lived in X state for X years.

With that very basic pretext, what knowledge do I need to know to make sure I can pull it off?

  • Name of wife
  • Name of child
  • Age of child
  • The state
  • The city within that state
  • My job role and what I do for the company

That's basically it. Maybe there are a couple more tidbits that are worth planning, but for the most part, these basics are all I'd be asked to reveal.

Let me give you an example of a time when someone didn't know when to reel it in on the pretext: I was once working with a student on a homework assignment. He'd had a failure at approaching a stranger the night before, and to help him build confidence in the wake of that failure, we went to the hotel lobby so I could watch him engage with a stranger. My goal was to watch him engage to see where he was going wrong and then offer advice on how to “fix” it.

The student walked up to a woman and started off so nicely. He had a warm smile, and he was really friendly looking. The woman started to engage with him, and I saw her body language change to warm and friendly with her hips turned toward him. (You'll read more about body language in Chapter 8, “I Can See What You Didn't Say.”) The student asked the woman where she was from, and she responded with a smile, “Philadelphia.”

He says, “Oh really? That's amazing. Me, too!” Unfortunately, nothing was further from the truth. As I heard those words come from his mouth, I saw the train wreck starting in slow motion.

The woman replied, “Well, that's amazing! Where do you live?”

The student realized that he had just shoved not only a foot in his mouth but his whole leg. He replied, “Umm, you know. By that big bell thing …” His voice trailed off because he knew he was about to be hit head-on.

“The bell thing?” she asked. “You mean the Liberty Bell?”

“Oh, yeah. That is what I meant … ,” he said sheepishly.

“First of all, I don't know what your game is, but ‘bell thing’? No one from Philly would call it the ‘bell thing.’ And secondly, there is no housing near the bell thing. This conversation is over.” She turned and walked away.

The student came over to me and said, “Man, that is basically my last two nights.”

I asked him to tell me in detail how the last two nights' conversations went. As he described the conversations, the problem became clearer to me: he just agreed to whatever the target said without having the knowledge to back it up.

He took the lesson on “tribe mentality” (which I discuss in detail in Chapter 5, “I Know How to Make You Like Me”) to mean he needed to join whatever tribe the target said they were in, and they would automatically love him.

This student's experience is a good lesson in pretexting for all of us. It is important to have some knowledge of the details of your pretext. In the student's encounter with the woman from Philadelphia, all he would have needed to do to become part of her tribe was to change one sentence into a validating question, something like this: “Philly? I hear that's a great city to go be a tourist in. I've never been. What are your favorite things about Philly?” That would have told her he was listening and interested and wanted to learn more—instead of pretending that he had knowledge that he didn't.

Mastering this one concept can make a huge difference in the success you have with pretexting. After you are successful with the initial contact, people you interact with start to give you lots of details. All that detail can become hard to remember—which leads us to the next principle.

Principle Four: Avoiding Short-Term Memory Loss

It happens to all of us: you meet someone for the first time, engage in a good conversation, and then, as you are leaving, you can't remember the person's name. This can be a real deal-breaker for some folks, and it can make you appear as if you aren't interested in the person.

I have found there are more people who have a hard time remembering the details than those who have no problem at all. That is the reason this section is so important. You don't inspire confidence if you whip out a notebook mid-conversation to look at some details about your story. And it is even more concerning to the person you are speaking to if they catch you writing down details about them.

We have all heard the tips that say something like this: “Use the name as many times as you can in the first 20 seconds of hearing it, and you will remember it.” That tip does work, but it doesn't always make practical sense to repeat a person's name rapidly right after hearing it. I can almost imagine meeting you for the first time, and as you exhale, you say, “Ah, Chris, Chris, Chris … yes Chris … Chris is your name. So, Chris, what were we talking about, Chris?”

Umm … creepy. Please don't do that when we meet.

With that said, I do find that using a person's name in some meaningful way can aid in remembering it. In “The 18th-Floor Escapade,” as I entered the building and headed straight for the elevator, a security guard stopped me. She held one hand up and said, “Excuse me, where are you going?”

I stopped, knowing I would have to enter this into the report, “Oh, I'm so sorry, ma'am.” I held my hand out and said, “I'm Phil Williams from [the name of the company, which I'd prefer not to divulge] headquarters. We have an office here on the 18th floor.”

She looked through a list she had on a clipboard and then said, “I'm sorry, Mr. Williams. I don't see your name on the list of approved visitors today.”

“You are 100% right. My name won't be there. I'm sorry—I'm so rude. What is your name?” I said as I looked at her name badge. “Claire, nice to meet you.”

I paused for only a second, “See, Claire, we had an incident at one of our locations due to some safety policies not being followed, and I was sent out to visit our NE offices to ensure that all policies are being followed. These need to be surprise visits, so we can ensure that the findings are legit.”

“I see,” Claire said.

“And one of the sections on this report is front-desk security. I'm happy to have your name, so I can report that you followed all procedures perfectly. I have your first name—and how do you spell your last name?” As I said this, I pulled out my pen, looked down at my clipboard, and wrote her first name on my own list.

She didn't even pause before she said, “Farclay. That's F-A-R-C-L-A-Y.”

“Okay, Ms. Farclay. You have gotten this audit off to a great start. Thank you for that. Now, what I hope to find is that my surprise visit ends with as high marks as you will get.”

She then did something I had not expected. “Well, Mr. Williams, how about I badge you to 18, and you can see if your surprise audit yields some positive results?” she offered.

“Claire! Wait, can I call you Claire?” She nodded, so I continued, “Claire, you are a genius! That is a great idea.”

With pride, she walked her new friend (me) over to the elevator bays and used her security badge to open the doors and then badge me to the 18th floor. I thanked her and said, “I will see you in 15 minutes.”

So, what was the key for me in that situation?

  • Using the guard's name a few times in quick order
  • Having as part of my pretext a reason to write everything down

For me, although these techniques work wonders, they're not always practical. For that reason, you need to have other methods in your arsenal. I employ a few different techniques:

  • The business card: Exchanging business cards with a target is a great way to get all their details. But don't start off with this—wait until you build some rapport or are leaving.
  • Recording devices: I sometimes record both audio and video of live engagements and audio of phone engagements to ensure I capture all the details. This can be a great tool, but make sure to get permission from the company before you record anything or anyone on their premises.
  • A partner: I find it helpful to have someone else work with me so that person can help remember the details while I focus on other things.

All these ideas are great for keeping the details safe for the report that will follow, but they are not too useful for remembering the details while you're in the middle of an engagement.

Here are a few tips:

  • Practice. As often as you can, practice remembering details where and when it's not part of your job to do so—family gatherings, parties, meetings at the office, sales calls, and other times when you are engaging with someone.

    Challenge yourself to remember things like the color of a person's shirt, what kind of jewelry they were wearing, their full name, or other details you would not normally care about.

    For me, memory works like a muscle. The more I exercise it, the better and stronger it gets.

  • Read. I've found that spending some time reading an actual printed (hardcover or paperback) book helps my memory. There's no book in particular that I suggest you use for this purpose—just read something that's not on a screen. I don't have science to back up this suggestion, but I can tell you that the more time I spend exercising my brain, the better it “stretches” when I need it to. I have also spent time solving math problems to enhance my ability to remember details.

My final tip for this section is that when you have short breaks, take a few minutes to record your thoughts. I do this in one of two ways: by writing down the details I need to remember or by using a voice-recording app on my phone.

When Claire badged me to floor 18 in the elevator, I whipped out my phone and hit the recording app so I could speak all the details I could remember into the program. This serves two purposes. First it helps me with my reporting later. More importantly, I find that when I say the details out loud, it helps me recall them later.

My quick recording went like this:

  • Claire Farclay. About 5 feet, 4 inches, blonde, medium-build security guard wearing white shirt, badge, black pants. Badge on left breast area. Pictures of two dogs at security desk. Used clipboard. Build rapport by praising that she followed procedures. Badged me to 18 using white HID badge she had clipped to a retractable lanyard on her right hip. Code she entered into elevator pad was 4381.

I just recalled those details from memory even though “The 18th-Floor Escapade” took place more than two years ago. That's how powerful this is for me now.

The next arrow to add to your quiver for successful pretexting is support.

Principle Five: Getting Support for Pretexting

I want you to stop and picture the pretext I have been using in this chapter: a safety auditor for a corporation. Now answer these questions:

  • What would a safety auditor wear?
  • What tools or supplies would a safety auditor have?
  • Is there any special knowledge a safety auditor would need to have?

The answers to these questions are the basis for this section. Let's consider each one separately so we can clearly see how this principle plays out.

Q: What would a safety auditor wear?
A: I've found that these types of auditors generally wear khakis or jeans, a button-up shirt, and sneakers or work boots. They are clean-cut.
Q: What tools or supplies would a safety auditor have?
A: In my research, I discovered that they have a camera, phone, clipboard, pens and markers, paper, a checklist, and sometimes a measuring tape (depending on the job).
Q: Is there any special knowledge a safety auditor would need to have?
A: The answer to that question might require a few other questions being answered. As a safety auditor do I need to understand how fire extinguishers work? Do I need to understand how fire doors, alarms, or other aspects of the building work? Or is it okay that I am there to just check things off a list? Additionally, what should I know about the company I am trying to gain access to? What should I know about the company that I am pretending to be a part of?

I was once breaking into a building with Michele, and a security guard to whom I had given a fake business card asked me where I lived because he'd never heard of my company. I wasn't expecting that question, so I pointed to the west and said, “Oh, I live over in that direction.”

The guard replied, “In the industrial sector? Where did you find housing there?”

I realized that I was about to get caught, so I said, “Oh, I meant past the industrial sector. You know, in the housing past that?”

“I am sorry, sir. I don't mean to be a jerk, but your business card says, ‘Family Owned for 20 years,’ and you don't even know the area where you live?” the guard questioned respectfully.

My fatal flaw here was not having enough knowledge of my pretext area that I could answer questions intelligently.

I could not have foreseen that I would be asked this question, so the guard definitely gets points for being aware, but I didn't make that mistake again. From then on, if I had a business card that said I had been there for some period, my supporting information was ready to prove that true.

More often than not, though, I'd rather make things easy, so I allow my pretext to be that I am new in the area or from out of town. That gives me freedom to not have to know everything about the location where I am.

In “The 18th-Floor Escapade,” I found that having the clipboard enabled me to not just look the part, but it also allowed me to have the very thing I needed to support my detail recording. Because I looked the part, Claire had no reason to question my motives.

And that brings us to the last principle: execution. It almost seems that if you follow the five preceding principles, the very last one should be easier to implement.

Principle Six: Executing the Pretext

Execution of the pretext means so much more than just applying the first five principles. By the time you're executing the pretext, nerves, unforeseen events, and—the wildcard—other humans are thrown into the mix, which means anything can happen.

I have been doing this now for close to a decade, and I still get nervous for every gig—whether it's walking into a place or picking up the phone or clicking Send on an email. Did I forget something? Will they catch me? Will I fail? These questions always race through my mind as I am starting off.

The following things help me execute the pretext more easily:

  • Practice
  • Stretch and breathe
  • Communicate
  • Do not use a script

It is important to remember that even with all the previous preparation there is still the unknown factor: the very observant employee, the overzealous guard, or the locked door you didn't plan for. In other words, you have to be prepared to be flexible.

Practice

If it is a phishing email, I make sure to send it to myself and some colleagues to get feedback. I also like to have my colleagues click the link or open the document to ensure everything is working. When I'm vishing, I make sure I have all supporting background sounds, information, and details ready on my screen. I also do a test call to ensure my spoofing is working. When I'm SMiShing, I send the message to another cell phone or myself to ensure it is formatted correctly and the link works. And if I'm impersonating my way into a building, I practice my opening lines and make sure I have my details solidly fixed in my mind before I even get in the car. I also ensure all my cameras and any other equipment or tools are working.

As Paul Kelly, a protégé of Dr. Ekman (who was introduced in Chapter 2), once taught me: “Perfect practice makes perfect.” Practice doing it right, so your muscle memory is ready to snap into action.

Practice can make the difference between success and failure. At one of my jobs, after arriving at the location and grabbing my equipment from the trunk, I flipped the switch and discovered the camera had dead batteries. I ended up having to use the camera on my cell phone. I remember walking into that building, and all I could think about was whether my phone would work, if it would keep recording, or if it would be a huge tell that I was holding my phone in a very conspicuous way.

Stretch and Breathe

This might sound silly, but I spend just a few moments taking some deep breaths and stretching. Additionally, depending on how nervous I am, I might spend a few minutes in a power pose to help build some confidence before I execute my pretext and attack. (You'll read more about power poses in Chapter 8.)

Communicate

As a professional social engineer, I make sure I communicate to the proper degree with my client. For example, the day before I launch a phishing campaign, I tell our point of contact that I am phishing the next day. (Of course, if I'm running a full black-box pen test, I only communicate this information after completion.) I do the same for vishing campaigns. This is especially important when I'm doing an impersonation gig. I will make sure my point of contact knows when it will occur, so that if there are complications, there is someone I can contact.

I got caught during one engagement. Well, that's not entirely true—the client wanted me to tell security that I was a pen tester after I had been successful. I told the client repeatedly that this was a terrible idea, but they insisted. It went something like this:

  • After successfully walking through security as a trash compactor repairman and gaining access to the whole facility unsupervised, I was leaving and said, “Sir, I just need to tell you before I leave, my name is not Paul as my ID says. It is Chris, and I am what you call a pen tester. I was testing the security of your building and the policies for entry.”
  • As I spoke I saw the security guard's face change to anger, and his hand went to his side where he had a stun gun. He said, “You are what? Am I getting fired?”
  • I tried to calm him down by saying, “Sir, no one is getting fired. This was just a test, so we can help your company employ new policies to tighten security.”
  • However, he was already on his radio, calling the head of security, and he hit a button to lock the mantrap so I couldn't escape.
  • The head of security came out. The man I had just duped explained the situation in a very derogatory and angry way. I tried to interject, and the guard snapped, “No one is talking to you, Paul or Chris or whatever you say your name is.”
  • I said, “I'm going to pull a letter out of my pocket that you should read.” I handed them the “Get out of jail free” letter, as I like to call it. This letter is written by the client company to detail who I am, what I am doing, and that I have permission to do it. It also gives one or two contact numbers of people to back up my story.
  • After reading the letter, the head of security said, “How do I know this letter isn't a lie? Huh, Chris?”
  • “Well, that is a very good question. And to be honest, you don't. But just call one of those contact people and this will all get cleared up,” I said in my most agreeable voice.
  • “I am not calling anyone on this paper. For all I know, this number rings to your crime buddies out in the van.” (I thought, “Darn, that is a good point, and also a great idea for a future gig. Thanks, Mr. Head of Security.”)
  • He continued, “I'm calling someone I know in corporate.” He picked up the phone and dialed an extension. He rattled off the story and then asked, “Do you know anything about this?”
  • I could overhear the voice on the end of the line say, “I don't know anything about a pen test. Call the cops.”
  • I was escorted to and then locked into a utility closet. (I'm not even kidding.) Fortunately, in their haste, the guards left me with my cell phone and my lock picks. In a few minutes, I was out of the closet, had unlocked the office door, and was sitting in the hallway calling my point of contact to tell him to get this fixed now! And am I thankful I called him the night before to ensure he was going to be in. A few minutes later, this was all squared away, and I was leaving free and un-tased.

As this story illustrates, you have to make sure you communicate with the right people about the right things at the right time. I know this is vague, but that's because the requirements and rules change per job, per task, and per client. Some clients require significantly more hand-holding than others. Just remember, you are an SE professional, so you must ensure your clients are happy.

Do Not Use a Script

This advice is mainly directed to you Cs on the DISC chart, who want a ton of detail and every step outlined. (Chapter 3 covers the DISC profile and what a C is in detail.) Having a script, whether for vishing or impersonation, removes your ability to be dynamic. I guarantee you one thing: nothing will go exactly as planned. Having the ability to be dynamic gives you a leg up and a higher success ratio.

Summary

I suggest you spend time reviewing the six principles of pretexting, so you can better perfect them. Remember that each principle builds on the next principle and will help you become a stronger social engineer in the process.

Planning your goals efficiently can help you come up with reality-based pretexts that keep the target in beta mode (refer to Dr. Langer's research in Chapter 1). Using reality rather than all fiction will make it easier for you to stay in pretext and make it easier for the target to believe you. Having your pretext firmly based in reality helps you determine how far you should go for that particular job, so your effort is at the right level and not too much or too little. Keeping it simple also helps boost your memory retention for not only the facts of your pretext but also whatever information you obtain (so you can recall it easier). All this planning makes it easy to decide what outfits, gear, and tech you need to support your pretext. If you have made it this far, you can easily execute the pretext.

Please remember that your pretext can make or break your whole engagement. Just imagine if you had gone with me to those warehouses, but you had shown up with a smart business suit and a briefcase. Does that fit the identity of a trash compactor repairman?

That example might be extreme, but I want you to get the point. If you start to sense that you are getting caught, you will get nervous. And nervousness will wreck your smoothness, your memory, and your ability to think quickly.

The pretext, when done right, helps answer those four questions I spoke about in Chapter 3: Who are you, what do you want, are you a threat, and how long will this take? But there is another purpose of those questions that needs to be addressed, which is the topic of Chapter 5, and it has to do with building rapport.
