- Learn Penetration Testing
- Rishalin Pillay
- 313 words
- 2021-06-24 14:09:21
Pretexting
Pretexting can be defined as the practice of presenting yourself as someone else, with the intention of obtaining information. Pretexters can impersonate co-workers, IT staff, bankers, friends and family, or anyone that can be perceived as trustworthy or having authority over the target.
Pretexting forms the foundation for any social engineering attack. When you're performing a penetration test, make sure that you spend enough time building a solid and believable pretext.
For example, we have all received emails claiming that we have inherited a small fortune, but in order to claim it, we need to either provide some kind of information or click on a link. The chances of a person falling for this are very slim, as the pretext is very poor. Let's assume that you always purchase online from Amazon, and now you receive an email from Amazon stating that there is a package that cannot be delivered due to missing information. This becomes more believable as the pretext is more solid.
During a penetration test, you may need to simulate a social engineering attack. Conducting proper information gathering on your target is critical to building a believable pretext. Some of the things that you would consider are company size, locations, number of employees, emails, employee information, and so on. You would also look at what is available from a technological standpoint, such as public-facing web servers, VPNs, and email servers.
Once you have obtained enough information, you can start defining success criteria for each pretext. For example, if the target organization does not have offices spread across the country, the chance of success of posing as an employee is low, as the employees are probably well-known. However, if the organization has a large presence that spans across multiple countries, you have a higher success rate of posing as an employee from a department in another location.