In Social Engineering Penetration Testing (link resides outside ibm.com), security experts Gavin Watson, Andrew Mason, and Richard Ackroyd write that most pretexts are composed of two primary elements: a character and a situation. 

The character is the role the scammer plays in the story. To build credibility with the potential victim, the scammer typically impersonates someone with authority over the victim, such as a boss or executive, or someone the victim is inclined to trust, such as a coworker, IT staffer or service provider. Some attackers may attempt to impersonate a targeted victim's friends or loved ones.

The situation is the plot of the scammer's fake story—the reason why the character is asking the victim to do something for them. Situations may be generic—e.g., ‘you need to update your account information—or they may be very specific, especially if the scammers are targeting a particular victim.

To make their character impersonations and situations believable, threat actors typically research their character and their target online. It’s not that difficult to do. According to a report from Omdia (link resides outside ibm.com), hackers can craft a convincing story, based information from social media feeds and other public sources, after just 100 minutes of general Google.

Other techniques for making characters more believable include spoofing the character’s email address or phone number, or gaining outright unauthorized access to the character’s actual email account or phone number and using it to send the message. In what may be glimpse into the future of pretexting, in 2019 scammers tricked a U.K. energy firm out of USD 243,000 by using  artificial intelligence (AI) to impersonate the voice of the CEO of the firm's parent company, and make fraudulent phone calls requesting payments to the firm's suppliers. 

Business email compromise scams

Business email compromise (BEC) is a particularly fiendish type of targeted social engineering that relies heavily on pretexting. In BEC, the character is a real-life company executive or high-level business associate with authority or influence over the target. The situation is the character’s need for help with an urgent task—e.g., I’m stuck in an airport and forgot my password—can you send my password to the payment system (or can you wire $XXX,XXX.XX to bank account #YYYYYY to pay the attached invoice)?

Year after year, BEC ranks among the most costly cybercrimes. According to the IBM Cost of a Data Breach 2022 report, data breaches resulting from BEC cost victims an average of USD 4.89 million. And according to data from the FBI’s Internet Crime Complaint Center (PDF, 2.1 MB; link resides outside ibm.com) BEC resulted in total losses of nearly USD 2.4 billion for victims in 2021.

Account update scams

Here the scammer pretends to be representatives of a company alerting the victim to a problem with their account, like lapsed billing information or a suspicious purchase. The scammer inludes a link that takes the victim to a fake website that steals their authentication credentials, credit card information, bank account number or social security number.

Grandparent scams

Like many social engineering scams, this one preys on the elderly. The cybercriminal poses as the victim's grandchild and pretend they are in some kind of trouble—e.g., they were in a car accident or arrested—and need their grandparents to send them money so they can pay for hospital bills or post bail.

Romance scams

In dating pretexting scams, the scammer pretends to want a romantic relationship with the victim. After winning victim's heart, the scammer typically requests money that will remove some final obstacle to their being together—e.g. a crippling debt, a legal obligation, or even the cost of a plane ticket to visit the victim.

Crytocurrency scams

Posing as a successful investor with a surefire cryptocurrency opportunity, the scammer directs the victim to a fake cryptocurrency exchange, where the victim's financial information or money is stolen. According to the Federal Trade Commission (FTC) (link resides outside ibm.com), U.S. consumers lost more than USD 1 billion to crypto scams between January 2021 and March 2022.

IRS/government scams

Posing as IRS officials, law enforcement officers or other government representatives, the scammer claims the target is in some kind of trouble—e.g., they failed to pay taxes, or have a warrant out for their arrest—and directs the target to make a payment to avoid a mortgage lien, garnished wages, or jail time. The payment, of course, goes to the scammer's account. 

Pretexting is a key component of many social engineering scams, including:

Phishing. As noted earlier, pretexting is particularly common in targeted phishing attacks, including spear phishing, which is a phishing attach that targets a specific individual), and whaling, which is spear phishing that targets an executive or an employee with privileged access to sensitive information or systems.

But pretexting also plays a role in non-targeted, ‘spray-and-pray’ email phishing, voice phishing (vishing) or SMS text phishing (smishing) scams. For example, a scammer might send a text message such as ‘[GLOBAL BANK NAME HERE]: Your account is overdrawn’ to millions of people, expecting that some percentage of the recipients are customers of the bank, and some percentage of those customers will respond to the message.

Tailgating. Sometimes called "piggybacking," tailgating is when an unauthorized person follows an authorized person into a location that requires clearance, like a secure office building. Scammers use pretexting to make their tailgating attempts more successful—by, say, posing as a delivery person and asking an unsuspecting employee to open a locked door for them. 

Baiting. In these types of attacks, a criminal tricks victims into downloading malware by enticing them with an attractive but compromised bait. The bait can be physical (e.g., USB sticks loaded with malicious code and left conspicuously in public places) or digital (e.g., advertising free downloads of movies that turn out to be malware). Scammers often use pretexting to make the bait more alluring. For example, a scammer might affix labels to a compromised USB drive to suggest it belongs to a particular company and contains important files. 

Several industry-specific laws target pretexting explicity. The 1999 Gramm-Leach-Bliley Act criminalizes pretexting with regard to financial institutions, making it a crime to obtain a customer's financial information under false pretenses; it also requires financial institutions to train employees in detecting and preventing pretexting. The Telephone Records and Privacy Protection Act of 2006 explicitly outlaws the use of pretexting to access customer information held by a telecommunications provider.

In December 2021, the FTC proposed a new rule (link resides outside of ibm.com) that would formally prohibit the impersonation of any government agency or business. The rule would empower the FTC to enforce a ban on common pretexting tactics like using a business's logo without permission, creating a fake website that mimics a legitimate business, and spoofing business emails.

As with any other form of social engineering, combating pretexting can be difficult because it exploits human psychology rather than technical vulnerabilities that can be remediated. But there are effective steps organizations can take.

• Domain-based message authentication reporting (DMARC): DMARC is an email authentication protocol that can prevent spoofing. DMARC verifies whether an email was sent from the domain it claims to come from. If an email is found to be spoofed, it can be automatically diverted to a spam folder or deleted.
  
  
• Other cybersecurity technologies: In addition to DMARC, organizations may implement AI-powered email filters that detect phrases and subject lines used in known pretexting attacks. A secure web gateway can prevent users from following phishing email links to suspicious websites. If an attacker gains access to the network through pretexting, cybersecurity technologies such as endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR) platforms can intercept malicious activity.
   
• Security awareness training: Because pretexting manipulates people into compromising their own security, training employees to detect and properly respond to pretexting scams can help protect an organization. Experts recommend running simulations based on real-life pretexting examples to help employees differentiate between pretexting and legitimate requests from colleagues. Training may also include clear protocols for handling valuable information, authorizing payments, and verifying requests with their supposed sources before complying.