Pretexting is the use of a fabricated story, or pretext, to gain a victim’s trust and trick or manipulate them into sharing sensitive information, downloading malware, sending money to criminals, or otherwise harming themselves or the organization they work for.
Pretexting is a core tactic of targeted social engineering attacks such as spear phishing, whaling, and business email compromise or BEC (see below). But cybercriminals—and mere terrestrial criminals—may also use pretexting on its own to steal valuable information or assets from individuals or organizations.
In Social Engineering Penetration Testing (link resides outside ibm.com), security experts Gavin Watson, Andrew Mason, and Richard Ackroyd write that most pretexts are composed of two primary elements: a character and a situation.
The character is the role the scammer plays in the story. To build credibility with the potential victim, the scammer typically impersonates someone with authority over the victim, such as a boss or executive, or someone the victim is inclined to trust, such as a coworker, IT staffer or service provider. Some attackers may attempt to impersonate a targeted victim's friends or loved ones.
The situation is the plot of the scammer's fake story—the reason why the character is asking the victim to do something for them. Situations may be generic—e.g., ‘you need to update your account information’—or they may be very specific, especially if the scammers are targeting a particular victim.
To make their character impersonations and situations believable, threat actors typically research their character and their target online. It’s not that difficult to do. According to a report from Omdia (link resides outside ibm.com), hackers can craft a convincing story, based on information from social media feeds and other public sources, after just 100 minutes of general Google searching.
Other techniques for making characters more believable include spoofing the character’s email address or phone number, or gaining outright unauthorized access to the character’s actual email account or phone number and using it to send the message. In what may be a glimpse into the future of pretexting, in 2019 scammers tricked a U.K. energy firm out of USD 243,000 by using artificial intelligence (AI) to impersonate the voice of the CEO of the firm's parent company and make fraudulent phone calls requesting payments to the firm's suppliers.
Business email compromise scams
Business email compromise (BEC) is a particularly fiendish type of targeted social engineering that relies heavily on pretexting. In BEC, the character is a real-life company executive or high-level business associate with authority or influence over the target. The situation is the character’s need for help with an urgent task—e.g., I’m stuck in an airport and forgot my password—can you send my password to the payment system (or can you wire $XXX,XXX.XX to bank account #YYYYYY to pay the attached invoice)?
Year after year, BEC ranks among the most costly cybercrimes. According to the IBM Cost of a Data Breach 2022 report, data breaches resulting from BEC cost victims an average of USD 4.89 million. And according to data from the FBI’s Internet Crime Complaint Center (PDF, 2.1 MB; link resides outside ibm.com) BEC resulted in total losses of nearly USD 2.4 billion for victims in 2021.
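The spoofed-sender and BEC patterns described above (an executive's display name on an address outside the company, a redirected Reply-To, and an urgent payment or credential request) can be screened for at the mail gateway. The following is an added example, not code from the IBM article or any IBM product; the organisation domain, executive names, keyword lists and the two sample messages are all constructed for illustration.

```python
"""Heuristic BEC / pretexting screen for inbound mail (added example).

Flags messages whose display name impersonates a known executive while the
sending address belongs to another domain, whose Reply-To is redirected to a
third domain, or whose body carries the urgent-payment language typical of a
BEC pretext. All names, domains and message text are constructed.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed organisation directory (hypothetical): display names a scammer
# is likely to borrow for the "character" in the pretext.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe", "Sam Lee"}

# Cues for the "situation": urgency combined with a payment or credential ask.
URGENCY = re.compile(r"\b(urgent|immediately|asap|stuck in|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|invoice|bank account|gift card|password)\b", re.I)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def screen_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # 1. Executive display name, but the address is not on our own domain
    #    (catches free-mail senders and lookalike domains alike).
    if name.strip() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {from_domain}")

    # 2. Replies silently redirected to a domain other than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"reply-to redirect: {domain_of(reply)}")

    # 3. Urgency plus a payment/credential request in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent payment/credential request in body")

    return findings


# Constructed sample messages: one BEC-style pretext, one ordinary internal mail.
SPOOFED = """From: Jane Doe <jane.doe.ceo@mail.example>
To: finance@example.com
Reply-To: Jane Doe <jane@examp1e.com>
Subject: Urgent wire
Content-Type: text/plain

I'm stuck in an airport and can't reach the office. Please wire the attached
invoice amount immediately.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Lunch

Can we move Thursday's lunch to noon?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, screen_message(sample) or ["no findings"])
```

Each check on its own produces false positives (executives do sometimes mail from personal accounts), so the output is meant to feed a quarantine-and-review queue or a banner on the message rather than to block outright; the three signals together are a much stronger indicator than any one alone.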
Account update scams
Here the scammer pretends to be a representative of a company alerting the victim to a problem with their account, like lapsed billing information or a suspicious purchase. The scammer includes a link that takes the victim to a fake website that steals their authentication credentials, credit card information, bank account number or social security number.
Grandparent scams
Like many social engineering scams, this one preys on the elderly. The cybercriminal poses as the victim's grandchild and pretends they are in some kind of trouble—e.g., they were in a car accident or arrested—and need their grandparents to send them money so they can pay for hospital bills or post bail.
Romance scams
In dating pretexting scams, the scammer pretends to want a romantic relationship with the victim. After winning the victim's heart, the scammer typically requests money that will remove some final obstacle to their being together—e.g., a crippling debt, a legal obligation, or even the cost of a plane ticket to visit the victim.
Cryptocurrency scams
Posing as a successful investor with a surefire cryptocurrency opportunity, the scammer directs the victim to a fake cryptocurrency exchange, where the victim's financial information or money is stolen. According to the Federal Trade Commission (FTC) (link resides outside ibm.com), U.S. consumers lost more than USD 1 billion to crypto scams between January 2021 and March 2022.
IRS/government scams
Posing as IRS officials, law enforcement officers or other government representatives, the scammer claims the target is in some kind of trouble—e.g., they failed to pay taxes, or have a warrant out for their arrest—and directs the target to make a payment to avoid a mortgage lien, garnished wages, or jail time. The payment, of course, goes to the scammer's account.
Pretexting is a key component of many social engineering scams, including:
Phishing. As noted earlier, pretexting is particularly common in targeted phishing attacks, including spear phishing (a phishing attack that targets a specific individual) and whaling (spear phishing that targets an executive or an employee with privileged access to sensitive information or systems).
But pretexting also plays a role in non-targeted, ‘spray-and-pray’ email phishing, voice phishing (vishing) or SMS text phishing (smishing) scams. For example, a scammer might send a text message such as ‘[GLOBAL BANK NAME HERE]: Your account is overdrawn’ to millions of people, expecting that some percentage of the recipients are customers of the bank, and some percentage of those customers will respond to the message.
Tailgating. Sometimes called "piggybacking," tailgating is when an unauthorized person follows an authorized person into a location that requires clearance, like a secure office building. Scammers use pretexting to make their tailgating attempts more successful—by, say, posing as a delivery person and asking an unsuspecting employee to open a locked door for them.
Baiting. In these types of attacks, a criminal tricks victims into downloading malware by enticing them with an attractive but compromised bait. The bait can be physical (e.g., USB sticks loaded with malicious code and left conspicuously in public places) or digital (e.g., advertising free downloads of movies that turn out to be malware). Scammers often use pretexting to make the bait more alluring. For example, a scammer might affix labels to a compromised USB drive to suggest it belongs to a particular company and contains important files.
Several industry-specific laws target pretexting explicitly. The 1999 Gramm-Leach-Bliley Act criminalizes pretexting with regard to financial institutions, making it a crime to obtain a customer's financial information under false pretenses; it also requires financial institutions to train employees in detecting and preventing pretexting. The Telephone Records and Privacy Protection Act of 2006 explicitly outlaws the use of pretexting to access customer information held by a telecommunications provider.
In December 2021, the FTC proposed a new rule (link resides outside of ibm.com) that would formally prohibit the impersonation of any government agency or business. The rule would empower the FTC to enforce a ban on common pretexting tactics like using a business's logo without permission, creating a fake website that mimics a legitimate business, and spoofing business emails.
As with any other form of social engineering, combating pretexting can be difficult because it exploits human psychology rather than technical vulnerabilities that can be remediated. But there are effective steps organizations can take.