Run the pretexting walkthrough
The pretexting walkthrough tests physical access control and identity verification through a live scenario rather than a presentation about why they matter. A facilitator, or a colleague from another department, approaches the building’s access points or working areas claiming a plausible false identity. What happens next is the exercise.
The Home’s front-of-house culture is warm and accommodating by design, which is appropriate for an organisation that depends on public goodwill and volunteer participation. It is also a culture that is easier to exploit than one that begins with scepticism. The exercise is not about making the culture less warm. It is about giving staff the tools to maintain appropriate scepticism about identity claims without making the experience unpleasant for the overwhelming majority of visitors who are exactly who they say they are.
Scenario types
Contractor visit. The pretextor arrives at reception claiming to be from Fabulist Systems, sent to check the Bestiary server in the comms room. They have a name, a company, and a plausible technical reason for being there. They do not have an appointment confirmed in the system, and they are mildly impatient about it.
Auditor or inspector. The pretextor claims to represent the Circle Sea Creature Welfare Consortium, conducting an unannounced welfare compliance check. They have documentation that looks official and ask to see the resident medical records in Bestiary.
New volunteer. The pretextor claims to be a new volunteer due to start in the east wing, says their induction is scheduled with Priya, and needs someone to let them in because their access card has not been issued yet. They are friendly and slightly apologetic about the inconvenience.
Delivery. The pretextor arrives with a package addressed to the IT coordinator, asks to leave it in the server room because it contains sensitive equipment, and produces a delivery note that looks correct except for a detail that is slightly wrong on examination.
Preparation
Select one scenario per session. Match the scenario to the access point being tested: contractor and auditor scenarios for reception and the IT area; new volunteer for the east wing entrance; delivery for the front desk.
Prepare the pretextor’s supporting materials: a business card, a printed letter, a delivery note. These do not need to be convincing to an expert. They need to be convincing to someone who is not expecting to scrutinise them.
Announce to staff that “we are reviewing our visitor and access procedures this month” without specifying when or what form the review takes. Do not announce the specific scenario or the timing of the exercise.
Brief the pretextor separately: the scenario, the objective, and the instruction to stop immediately if a staff member becomes genuinely distressed or if the exercise creates a situation that cannot be resolved calmly. The exercise ends when the pretextor is either admitted, refused, or detected.
During the exercise
The pretextor approaches the access point and runs the scenario. The facilitator observes from a distance without intervening. Do not follow the pretextor closely. Do not make it obvious that something is being watched.
Record:
How long before the pretextor was challenged on identity.
Whether supporting documentation was examined or accepted without scrutiny.
Whether the pretextor was asked to wait while someone else was consulted.
Whether the pretextor was admitted, refused, or redirected.
What the decisive moment was: the question that resolved the outcome, or the absence of a question that would have.
Debrief
The debrief includes the staff member who handled the interaction, the facilitator, and the pretextor. The debrief is not a blame exercise. State this clearly and mean it.
Walk through the scenario from both sides. The pretextor describes what they attempted and what they observed. The staff member describes what they noticed, what they thought, and what made them decide to act as they did.
Then cover the correct procedure:
Unexpected visitors without confirmed appointments are received at reception and asked to wait while the appointment is verified through an internal contact, not through the visitor’s own phone or documentation.
Access to restricted areas (the server room, the east wing residential areas, the medical bay) is not granted without confirmation from the named internal contact and sign-in in the visitor log.
A visitor who becomes impatient about verification is not a reason to skip verification. Impatience is a social engineering technique. Politeness does not require abandoning the process.
When uncertain, it is always appropriate to say: “I need to check with someone before I can help you with that.” There is no situation in which a legitimate visitor will object to this.
The debrief closes with a practical note on what the staff member did well. Most people handle these situations with more instinct than they realise. The exercise makes the instinct conscious and gives it a name.