What is pretexting?

“Confidence” is the “con” in “con man.” The pretext story is how the victim’s confidence is gained in targeted social engineering attacks such as spear phishing, whale phishing and business email compromise (BEC). But cybercriminals—and mere terrestrial criminals—might also use pretexting alone to steal valuable information or assets from individuals or organizations.

A threat actor often creates a fake situation for the victim and poses as a reliable person who can resolve it. In the book Social Engineering Penetration Testing, the authors observe that most pretexts are composed of two primary elements: a character and a situation.¹

The character is the role that the scammer plays in the story. To build credibility with the potential victim, the scammer often impersonates someone with authority over the victim, such as a boss or executive or someone the victim is inclined to trust. This (fake) character might be a coworker, IT staffer or service provider. Some attackers might even attempt to impersonate a friend or loved one of the intended victim.

The situation is the plot of the scammer's fake story—the reason why the character (scammer) is asking the victim to take some action. Situations might be generic, such as: “You need to update your account information.” Or the story might be specific, especially if the scammer is targeting a particular victim: “I need your help, grandma.”

To make their character impersonations and situations believable, threat actors often research their character and their target online. And this research is not difficult. According to some estimates, hackers can craft a convincing story, based on information from social media feeds and other public resources—such as Google or LinkedIn—after just 100 minutes of online search.

Spoofing—falsifying email addresses and phone numbers to make it look as if a message comes from another source—can make pretexting scenarios more believable. Or threat actors might go even further and hijack a real person’s email account or phone number to send the pretexting message. There are even stories of criminals using artificial intelligence to clone people’s voices.

Pretexting is a key component of many types of social engineering tactics, including:

• Phishing
• Baiting
• Tailgating

Pretexting is common in targeted phishing attacks such as spear phishing, which targets a specific individual, and whaling, which targets an executive or employee with privileged access to sensitive information or systems.

But pretexting also plays a role in nontargeted, “spray-and-pray” email phishing, voice phishing (vishing) or SMS text phishing (smishing) scams.

For example, a scammer might send a text message, “[Global Bank Name Here]: Your account is overdrawn” to millions of people, expecting that a percentage of the recipients are customers of the bank and some percentage of those customers might respond to the message. Even a small percentage of victims can add up to a large haul for the scammers.

In these types of attacks, a criminal tricks a victim into downloading malware by enticing them with an attractive but compromised bait. The bait might be physical, such as a USB flash drive loaded with malicious code and left conspicuously in a public place. Or the bait can be digital, such as advertising for free downloads of movies that turn out to be malware.

Scammers often use pretexting to make the bait more alluring. For example, a scammer might affix labels to a compromised USB flash drive to suggest it belongs to a particular company and contains important files.

Pretexting can also be used for in-person scams, such as tailgating. Also called "piggybacking," tailgating is when an unauthorized person follows an authorized person into a physical location that requires clearance, such as a secure office building. Scammers use pretexting to make their tailgating attempts more successful—by, say, posing as a delivery person and asking an unsuspecting employee to open a locked door for them.

Imposter scams such as pretexting are the most common type of fraud according to the Federal Trade Commission, with reported losses of USD 2.7 billion to these scams last year.² Some of the most common types of pretexting scams include:

• Account update scams
• Business email compromise scams
• Cryptocurrency scams
  
• Grandparent scams
• Invoice scams
• IRS and government scams
• Job offer scams
  
• Romance scams and social scams
• Scareware scams

In this cyberattack, the scammer pretends to be a representative of a company alerting the victim to a problem with their account, such as lapsed billing information or a suspicious purchase. The scammer includes a link that takes the victim to a fake website that steals their authentication credentials, credit card information, bank account number or social security number.

Business email compromise (BEC) is a type of targeted social engineering attack that relies heavily on pretexting. 25% of all BEC attacks now begin with pretexting.

In BEC, the character is a real-life company executive or high-level business associate with authority or influence over the target. Because the scammer pretends to be someone in a position of power, many targets will simply comply.

The situation is the character’s need for help with an (almost always) urgent task. For example, “I’m stuck in an airport and forgot my password to the payment system. Can you please remind me?" Or “Can you wire USD XXX,XXX to bank account #YYYYY to pay the attached invoice? Quickly, before they cancel our service.”

By impersonating a boss through texts, emails, phone calls and even AI-generated videos, scammers can often fool employees into exposing sensitive information or even committing crimes.

In one famous case, a prerecorded (and AI-generated) web conference ended with instructions by the fake senior leadership that convinced an employee to transfer HKD 200 million to the attackers.⁴

Year after year, BEC ranks among the costliest cybercrimes and social engineering techniques. According to the IBM® Cost of a Data Breach Report, data breaches caused by BEC cost victim organizations an average of USD 4.88 million.

According to data from the FBI’s Internet Crime Complaint Center, BEC resulted in total losses of nearly USD 2.9 billion for victims in 2023.³

Posing as a successful investor with a "surefire" cryptocurrency opportunity, the fraudster directs the victim to a fake cryptocurrency exchange, where the victim's financial information or money is stolen.

In one long-term variant of this scam, called “pig butchering," the fraudster cultivates a relationship with the victim and gains their confidence through social media. Then, the scammer introduces a “business opportunity” to the victim, who is directed to a cryptocurrency site to make deposits. The site might even falsely report gains in the investment's value, but the currency can never be withdrawn.⁵

As with many social engineering scams, this often preys on older adults. The cybercriminal poses as the victim's grandchild and pretends they are in some kind of trouble—such as they were in a car accident or arrested—and need their grandparents to send them money so they can pay for hospital bills or post bail.

The intended victim receives an invoice for a service or product that they did not order or use. The scammer often wants the victim to click a link in an email to request more information or complain about the charge. The victim is then asked to provide personally identifiable information (PII) to verify their account. That private information is what the scammer was after from the beginning.

Posing as Internal Revenue Service (IRS) officials, law enforcement officers or other government representatives, the scammer claims the target is in some kind of trouble. This trouble might be failing to pay taxes or a warrant for their arrest. Usually, the scammer directs the intended target to make a payment to avoid arrest, a mortgage lien or garnished wages. Of course, the payment goes to the scammer's account.

A job seeker might be willing to divulge normally sensitive information to a potential employer. But if the job description is fake and posted by a scammer, the applicant might become a victim of identity theft.

The scammer pretends to seek a romantic relationship with the victim. After winning the victim's heart, the scammer typically requests money that will remove some final obstacle to their being together. This obstacle might be crippling debt, a legal obligation or even the cost of an airplane ticket to visit the victim.

Scareware is a social engineering scam that uses fear to trick people into downloading malware, losing money or handing over personal data.

The scary pretext might be a fake virus alert, a fake offer of technical support or a law enforcement scam. A pop-up window might warn the victim that “illegal material” was found on their digital device, or an online “diagnostic test” might tell the victim that their device is compromised and they need to download (fake) antivirus software to fix it.

As with any other form of social engineering, pretexting attempts can be difficult to stop because they exploit human psychology rather than technical vulnerabilities that can be remediated. But there are several steps organizations can take.

• DMARC
• Security awareness training
• Other cybersecurity technologies

DMARC is an email authentication protocol that can help prevent spoofing. By analyzing both the text and metadata of messages for common indicators of compromise, DMARC verifies whether an email was sent from the domain it claims to come from. If an email is spoofed, it can be automatically diverted to a spam folder or deleted.

Because pretexting manipulates people into compromising their own security, training employees to detect and properly respond to pretexting scams can help protect an organization. Experts recommend running simulations based on real-life pretexting examples to help employees differentiate between pretexting and legitimate requests from colleagues.

Training might also include clear protocols for strict authentication measures such as multifactor authentication (MFA), handling valuable information, authorizing payments and verifying requests with their supposed sources before complying.

Verification might be as simple as sending a text to the purported sender: “Did you send this to me?” Or a message to the service desk: “Does this look like it’s a hacker?” Procedures for financial transactions might include requirements to validate incoming requests in person or with direct personal contact.

Several industry-specific laws target pretexting explicitly. The 1999 Gramm-Leach-Bliley Act criminalizes pretexting with regard to financial institutions, making it a crime to obtain a customer's financial information under false pretenses. The law also requires financial institutions to train employees in detecting and preventing pretexting.

The Telephone Records and Privacy Protection Act of 2006 explicitly outlaws the use of pretexting to access customer information held by a telecommunications provider.

The Federal Trade Commission (FTC) recently adopted a rule that formally prohibits the impersonation of any government agency or business.⁵ The rule empowers the FTC to enforce a ban on common pretexting tactics such as using a business's logo without permission, creating a fake website that mimics a legitimate site and spoofing business emails.