The legend you build before you walk in the door¶

Every successful social engineering engagement begins long before anyone shows up carrying a clipboard or a pizza box. The preparation is the attack. Who are you, why are you there, how did you get the name of the person you’re asking for, and why does your story hold together when someone decides to be unhelpful? Pretexting answers all of those questions in advance, so that by the time you’re standing in a reception area or sending an email from a plausible-looking domain, you’re not improvising. You’re just performing something you’ve already rehearsed.

The organisations that get taken apart by social engineering are rarely undone by clever tricks. They’re undone by attackers who did their homework.