Social Engineering - Part 3 - Pretexting




What is Pretexting?

Pretexting is defined as the act of presenting oneself as someone else in order to obtain private/confidential information. It can go from a simple lie to impersonate someone to even creating a whole new identity and using that identity to obtain said private information. Depending on the situation, pretexting can be as simple as playing out a role or acting a part, where in others it could mean that you will be living that persona for a while…

The main goal of pretexting is to create a scenario or a situation where your target is comfortable with releasing confidential information.

It is in pretexting that a great amount of the information you gathered will come in handy, as the quality and credibility of your pretext is closely related to the information you gathered (for example, if your backstory or your identity has some holes, your target will probably notice something is wrong and get suspicious).

Like in Part 1 of this series (Information Gathering), no piece of information is irrelevant. The more information the better.

Many social engineers create social media and email accounts to add credibility to their persona.

As you carry on SE Attacks, you’ll create/develop various pretexts. It is not something you create just one time hoping it will work on every other attack you plan.

Planning the Pretext

Like every other skill we’ve discussed in previous posts, there are certain steps that help us plan out our attacks. Pretexting is no exception. Below is a small list of certain points I think are worth mentioning:

  • As previously mentioned, by gathering more information the chance of success will be higher.

  • Involve your personal interests - Like I mentioned in my last post, nothing can kill a conversation faster if you look uncomfortable and with little confidence while in a conversation. This step helps you with that. By including your own personal interests and things that you know a lot about in your pretext (basically topics that you are comfortable talking about), you have the opportunity to talk about a lot of stuff and at the same time it gives the so-needed confidence. This also helps to avoid those awkward silences that nobody likes.

  • Practice your accents and expressions - For example, if you’re impersonating someone that was born and raised in Scotland, you should try to speak with a Scottish accent and be familiar with common Scottish terms and expressions. This all helps you give credibility to your persona and to avoid suspicion.

  • Keep it simple - Of course having a meticulous and detailed approach is not only important, but necessary. However, having too many details to worry about can be complicated. Keep details important, but small. Don’t go for an extremely elaborate pretext.

  • Try to look spontaneous - Again, planning ahead is necessary, but try not to create a script and follow it by the letter, otherwise you’ll look like a robot while talking to other people and you’ll scare them off. Try to go for something that looks more natural.

  • Accessorize - i.e., if you are impersonating a tech support guy, try to bring items or tools that an actual tech support would have, like a briefcase, nametag, clipboard etc… (Honestly, I don’t know what tools and other gear a tech support guy has, but you get the idea).

That’s it for this post. Hope you enjoyed reading and again, if you’d like to add something to what I said or have any suggestions, feel free to comment below.

This might be the last post in this series since what I have left to talk about is pretty much the actual human psychology and how the mind works and reacts - topics that are really hard (and long) to write about, but who knows, maybe sometime in the future… But for now, that’s all I have for you!

(oaktree) #2

How about IDs and whatnot?


A very useful post, but I would suggest that you either place more emphasis on the part about accents and expressions, or suggest that people avoid it entirely. As someone with a strong regional accent I can identify someone from roughly the same area, i.e. within 100 miles or so, quite exactly by the inflection of their voice and the colloquialisms they use. Anyone trying to pretend to be from within my sphere of regional knowledge would have to spend an inordinate amount of time practising their speech patterns to avoid sounding blatantly false. If I was impersonating someone from say, Scotland, I would instead try to create a plausible backstory about only having recently moved there, rather than trying to sound authentically Scottish. As an aside, if I were impersonating someone from Glasgow I could assume no-one south of Newcastle would be expecting to understand me anyway!


Thank you for your suggestion! One thing I keep meaning to say on my posts about SE but also keep forgetting is “Practice, practice, practice!”.
Fortunately, there are tons of videos on YT that teach certain terms/expressions of a given language and that even help you develop the respective accent.
