Building a cover identity

A pretext is a story, and like any story it needs internal consistency more than it needs to be true. The goal is not to construct an airtight biography but to give the target enough familiar reference points that they stop checking. People do not verify identity. They verify plausibility. If you sound like you belong in the context they’re already in, most of them will fill in the gaps themselves.

Choosing a role

The best pretexts exploit existing expectations rather than creating new ones. Every organisation already has a population of contractors, auditors, vendors, IT support staff, and new hires that employees interact with without really knowing. Slotting into one of these categories is considerably easier than inventing something unusual.

IT support and managed service providers are perennially useful because they have a reason to ask sensitive questions, they often work across multiple sites, and nobody can quite remember which company handles which contract. An external auditor carries a similar authority gradient: people are motivated to be helpful to auditors because unhelpfulness tends to get noticed. A new hire is the opposite, useful not for authority but for invisibility. Nobody challenges someone who looks lost and slightly overwhelmed.

Vendor representatives occupy a comfortable middle ground. They have a plausible reason to be on site, a reason to need access to specific systems or areas, and a reason to be carrying equipment. They are also commonly escorted by whoever booked the visit, which provides a second layer of cover if anyone asks questions.

Building the legend

A convincing persona needs enough surface detail to survive casual scrutiny. That means a name that matches the claimed employer’s naming conventions, an email address on a domain you control that resembles the real vendor or contractor, and if the engagement justifies it, a LinkedIn profile with a plausible employment history and a few connections to real people in the relevant industry.
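The lookalike sender domain is the one part of a legend that the receiving side can test mechanically. The following is an added example, not part of the original page: a defender-side check that compares an inbound sender or visitor pre-registration domain against the organisation's real vendor list. The vendor list, the sample domains and the function names are all constructed for illustration.

```python
# Added example (defender side). Vendor and sender domains are constructed samples.
KNOWN_VENDORS = {"acme-facilities.example", "northwind-it.example"}

# Digit-for-letter swaps folded away before comparison: 0->o, 1->l, 3->e, 5->s.
DIGIT_SWAPS = str.maketrans("0135", "oles")


def skeleton(domain):
    """Reduce a domain to a form in which common visual tricks disappear."""
    d = domain.lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")  # letter pairs that read as one
    return d.translate(DIGIT_SWAPS).replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, vendors=KNOWN_VENDORS, max_distance=2):
    """Return ("known" | "lookalike" | "unrelated", matched vendor or None)."""
    d = sender_domain.lower().rstrip(".")
    for v in vendors:
        if d == v or d.endswith("." + v):  # the vendor itself or its subdomain
            return ("known", v)
    s = skeleton(d)
    for v in sorted(vendors):
        vs = skeleton(v)
        name = vs.split(".")[0]  # vendor name without the TLD
        # Flags the vendor name embedded in a longer domain or under another
        # TLD, and near-misses within max_distance edits. Very short vendor
        # names will over-match on the containment test.
        if name in s or edit_distance(s, vs) <= max_distance:
            return ("lookalike", v)
    return ("unrelated", None)


if __name__ == "__main__":
    for dom in ["mail.northwind-it.example", "acrne-facilities.example",
                "northw1nd-it.example", "acme-facilities-support.example",
                "contoso-catering.example"]:
        print(dom, classify(dom))
```

A "lookalike" verdict is a prompt to confirm the visit or request through a contact already on file, not proof of impersonation.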

Business cards remain surprisingly effective. They are cheap to produce, immediately familiar as a social object, and hand something tangible to the person you’re talking to, which tends to end the question of who you are rather than extend it. The card does not need to match a real company; it needs to match a plausible one.

If the target organisation has a supplier portal, a contractor management system, or a visitor pre-registration process, understanding how that works before the engagement is valuable. Some organisations send confirmation emails to visitors in advance. Knowing the format of those emails, the name of the person who sends them, and what a legitimate confirmation looks like makes it considerably easier to pre-register yourself or to construct a convincing reason why you are not in the system.

The name-drop

The single most effective element of a pretext is usually a name: a real person at the target organisation who can plausibly have arranged the visit or sent the email. People do not call their colleagues to verify routine arrangements. They assume someone else has handled it. If you can say “Sarah in facilities said to come straight up,” most people will let you straight up, because calling Sarah to check would imply you didn’t trust Sarah’s judgement, and that is socially awkward.

Finding the right name requires reconnaissance, but the name doesn’t need to be a particularly senior one. A coordinator, an office manager, or an IT helpdesk lead is often more useful than a director, because they are the kind of person who plausibly arranges external visits without needing sign-off from anyone else.

Maintaining the story

The pretext lives or dies on consistency under pressure. The most common failure mode is over-elaborating when challenged: adding unnecessary detail in an attempt to be convincing, which has the opposite effect. A real contractor who is asked why they’re on the fourth floor says “I’m here for the server room” and keeps walking. They do not explain the full project history.

Rehearse the likely objections. What happens if the person you named is not available? What happens if someone asks to see a purchase order? What happens if the access you need is not where you expected it to be? Having a short, plausible answer to each of these questions is more valuable than a detailed cover story that only works when nothing goes wrong.

AI-synthesised identity

Building a convincing LinkedIn profile used to require either a real person’s cooperation or a meaningful investment of time seeding an account with connections and history. Both remain valid approaches, but generative tooling has shifted the economics considerably.

AI-generated profile photographs are the most commonly used element. Diffusion models produce faces that read as convincing headshots, free from the reverse-image-search results that stock photography reliably produces. The generated images lack the visual signature of a real person’s photo library: the lighting is consistent, the background is neutral, and there is no inadvertently identifiable context in the frame. For a profile that needs to survive a quick visual check, this is usually sufficient.

Synthetic employment histories benefit from language model assistance in a different way. The problem with fabricated work histories has generally not been plausibility at the sentence level but coherence at the career level: the skills, titles, and transitions need to fit together in a way that someone with industry knowledge would recognise. A model prompted with a target industry, a desired seniority level, and a regional employment market produces career progressions that hold up to scrutiny from someone casually checking whether the profile looks real.

Maintaining a synthetic social media presence over the course of a longer operation is where AI assistance has the most leverage. A persona that posts occasionally, comments on industry news, and appears to have mild opinions about sector developments is considerably more convincing than one that was created last week with three connections. Automated posting cadences and AI-generated commentary can sustain the appearance of an active professional across LinkedIn, Twitter, and relevant forums without continuous manual effort.

The operational limit is depth. A well-maintained synthetic persona survives a thirty-second LinkedIn check by a mildly suspicious receptionist. It is unlikely to survive a deliberate background verification by someone who has decided to investigate. For most social engineering engagements the former is the relevant threshold.

Playbooks