When I am performing a physical penetration test I like to call someone at the target and ease my way in if possible. These people are usually either secretaries or IT personnel. Secretaries are so busy that it is relatively easy to convince them to set up meetings (this gives you a reason to be at the premises) or to download interesting marketing material, otherwise known as weaponized Word documents or PDFs. IT people are either bored out of their minds or extremely busy and stressed. You can fake several scenarios with them and chances are they will help you.
In this particular case my partner and I wanted to test a new approach. This is what we did.
We called a vendor that provided very unique software to our target. We told them that we were from the IT department (we gave them information that was acquired via open source intelligence gathering) and that we suspected there was a problem with their software, so they should send someone to check. This is very specific software that needs very specific hardware, and problems are bound to happen, so we knew that they would send someone.
We then called our target pretending to be the vendor and told them that we needed to perform a routine check of the software and that we would send [insert name of the technician that the vendor gave us] to perform the check. This way, if they called the vendor and checked whether [name of the technician] was assigned to their company, it would hold true.
With this we had a fake vendor ID made (not too hard in this case) and a few hours later I arrived at their premises. I pretended to be [the technician]. They checked my ID and led me to the server room where the software was installed. After 10 minutes or so (I was pretending to connect different cables to the servers and reading the output), the IT person told me to “have fun!” and left me alone.
The rest is history.