Building a cover identity

A pretext is a story, and like any story it needs internal consistency more than it needs to be true. The goal is not to construct an airtight biography but to give the target enough familiar reference points that they stop checking. People do not verify identity. They verify plausibility. If you sound like you belong in the context they’re already in, most of them will fill in the gaps themselves.

Choosing a role

The best pretexts exploit existing expectations rather than creating new ones. Every organisation already has a population of contractors, auditors, vendors, IT support staff, and new hires that employees interact with without really knowing. Slotting into one of these categories is considerably easier than inventing something unusual.

IT support and managed service providers are perennially useful because they have a reason to ask sensitive questions, they often work across multiple sites, and nobody can quite remember which company handles which contract. An external auditor carries a similar authority gradient: people are motivated to be helpful to auditors because unhelpfulness tends to get noticed. A new hire is the opposite, useful not for authority but for invisibility. Nobody challenges someone who looks lost and slightly overwhelmed.

Vendor representatives occupy a comfortable middle ground. They have a plausible reason to be on site, a reason to need access to specific systems or areas, and a reason to be carrying equipment. They are also commonly escorted by whoever booked the visit, which provides a second layer of cover if anyone asks questions.

Building the legend

A convincing persona needs enough surface detail to survive casual scrutiny. That means a name that matches the claimed employer’s naming conventions, an email address on a domain you control that resembles the real vendor or contractor, and if the engagement justifies it, a LinkedIn profile with a plausible employment history and a few connections to real people in the relevant industry.

Business cards remain surprisingly effective. They are cheap to produce, immediately familiar as a social object, and hand something tangible to the person you’re talking to, which tends to end the question of who you are rather than extend it. The card does not need to match a real company, it needs to match a plausible one.

If the target organisation has a supplier portal, a contractor management system, or a visitor pre-registration process, understanding how that works before the engagement is valuable. Some organisations send confirmation emails to visitors in advance. Knowing the format of those emails, the name of the person who sends them, and what a legitimate confirmation looks like makes it considerably easier to pre-register yourself or to construct a convincing reason why you are not in the system.

The name-drop

The single most effective element of a pretext is usually a name: a real person at the target organisation who can plausibly have arranged the visit or sent the email. People do not call their colleagues to verify routine arrangements. They assume someone else has handled it. If you can say “Sarah in facilities said to come straight up,” most people will let you straight up, because calling Sarah to check would imply you didn’t trust Sarah’s judgement, and that is socially awkward.

Finding the right name requires reconnaissance, but it doesn’t require a particularly senior one. A coordinator, an office manager, or an IT helpdesk lead is often more useful than a director, because they are the kind of person who plausibly arranges external visits without needing sign-off from anyone else.

Maintaining the story

The pretext lives or dies on consistency under pressure. The most common failure mode is over-elaborating when challenged: adding unnecessary detail in an attempt to be convincing, which has the opposite effect. A real contractor who is asked why they’re on the fourth floor says “I’m here for the server room” and keeps walking. They do not explain the full project history.

Rehearse the likely objections. What happens if the person you named is not available? What happens if someone asks to see a purchase order? What happens if the access you need is not where you expected it to be? Having a short, plausible answer to each of these questions is more valuable than a detailed cover story that only works when nothing goes wrong.

Runbooks