Pretexting is a social engineering tactic in which an attacker builds a believable story, or pretext, that tricks a target into disclosing sensitive information, transferring funds or granting access in some other way. Pretexting does not rely on fear or threats; it relies on trust. The attacker typically poses as someone already familiar to the target (a colleague, a bank official, an IT technician) and uses that assumed identity to manipulate them.
What Is Pretexting in Cybersecurity?
A pretexting scam is a type of social engineering in which a scammer creates a fake but convincing identity or scenario to fool people into handing over information, money or access.
Attackers use pretexting to:
- Steal passwords
- Redirect payroll or vendor payments
- Obtain private records or access to systems
- Physically gain access to a secure space
10 Common Pretexting Techniques (With Examples and Case Studies)
1. Impersonation
In this scheme, the attacker poses as a trusted person (an executive, co-worker or vendor, for example) to obtain access, information or money by deception. Impersonators rely on realistic emails, calls or in-person interactions, and typically draw on publicly available information such as org charts, press releases and social media profiles to make the assumed identity convincing.
- Example: An attacker pretends to be the CEO and sends an urgent email asking for a confidential wire transfer.
- Case Study: Ubiquiti Networks lost $46.7 million in a 2015 business email compromise (BEC) scam in which attackers impersonated executives and had finance staff wire funds to accounts they controlled.
2. Tailgating
Tailgating is a physical intrusion in which an unauthorized person follows an authorized person into an area they are not permitted to enter. It exploits politeness and people's reluctance to challenge someone walking in behind them. Attackers often carry props, such as a box of equipment or a tray of coffee, that make them look like they belong.
- Example: The attacker waits by a secure office entrance and follows an employee in as they badge through.
- Case Study: An intruder tailgated staff into a secure server room at a healthcare facility and installed a rogue device, likely to enable a later stage of the compromise.
3. Piggybacking
Piggybacking is similar to tailgating with one crucial difference: the attacker asks for permission. They may claim to have left their access badge at home and ask for help getting in, relying on an employee's helpfulness to bypass the access control.
- Example: “Hey, sorry I forgot my badge — can you hold this door for me?”
- Case Study: A technology firm suffered a leak of internal data after an attacker piggybacked into its R&D department.
4. Baiting
Baiting offers something enticing, such as a free USB drive, a job opportunity or a media download, to lure the target into compromising their own system. The "bait" typically carries malware or spyware that runs once the file is opened or the device is connected.
- Example: USB drives labelled “Confidential – Salaries 2024” are placed around the office parking lot.
- Case Study: Employees at an energy company plugged in rogue USB drives they found in the lobby, and the company's systems were infected with malware.
5. Phishing with Pretexting
This method combines phishing with a pretext. A plain phishing email arrives unsolicited and out of context, so the recipient has no reason to trust it. Pretexting wraps the malicious link or attachment in a believable scenario, most commonly by posing as a vendor the organization already works with or by invoking the authority of a company's legal or finance function.
- Example: An attacker emails an employee while posing as a vendor and attaches an "updated invoice" that carries malware.
- Case Study: MacEwan University was defrauded of roughly $9 million in 2017 after attackers posing as a vendor persuaded staff to redirect payments to a different bank account.
6. Vishing (Voice Phishing)
Vishing is phishing conducted over voice calls: the caller pretends to be someone the target trusts in order to extract personal information such as login credentials. Attackers often spoof caller ID and combine urgency, claimed authority and plausible technical detail to steer the target's decisions.
- Example: The caller claims to be from tech support and asks the employee for their system password.
- Case Study: In a 2022 vishing campaign, remote workers at a U.S. company gave up their VPN credentials over the phone, which led to a compromise of company systems.
7. Smishing (SMS Phishing)
Smishing uses SMS text messages to trick individuals into clicking links that deliver malicious payloads or into handing over sensitive personal or account information. The messages pose as a known institution, such as a bank, a postal or parcel service or a government agency, and are usually worded to create urgency.
- Example: "Your package delivery could not be completed. Click here to schedule a new delivery."
- Case Study: Smishing attacks against customers waiting on deliveries surged during the COVID-19 pandemic, ultimately resulting in thousands of stolen credentials.
8. Scareware
Scareware produces fake warnings, usually pop-ups or banners, claiming your machine is infected. The warnings are meant to scare you into installing "antivirus" software that is itself malware.
- Example: A pop-up says, “Your computer is infected! Download this antivirus now.”
- Case Study: Staff at a regional hospital downloaded scareware, which went on to lock their systems with ransomware.
9. Fake Surveys or Job Offers
Cybercriminals create fake job postings, surveys or HR documents to harvest personal information such as resumes, Social Security numbers or scans of identity documents, reaching victims through email, social media and job boards.
- Example: “We’re hiring! Fill out this survey and upload your resume.”
- Case Study: In 2023, a fake recruiter targeted technology employees and collected resumes and ID scans for use in fraud.
10. AI-Powered Deepfakes & Voice Cloning
Criminals use AI to generate synthetic audio and video (deepfakes) of a trusted person and use it to manipulate a target into acting, for example moving funds or disclosing confidential information.
- Example: A cloned-voice message, apparently from the CEO, requests an urgent transfer of funds.
- Case Study: A Hong Kong company was defrauded of about $25 million in early 2024 after a finance employee joined a video call in which the company's CFO and other colleagues were all deepfakes.
Industry-Specific Pretexting Examples
Healthcare
Attackers impersonate doctors, nurses or insurance agents to gain access to patient health records or billing systems. Beyond the harm to patient privacy, such a breach can violate HIPAA, exposing the organization to fines and lawsuits.
Finance
Scammers pose as the CFO, external auditors or regulators to trick employees into rerouting wire transfers, granting access to payroll platforms or approving fraudulent transactions. These attacks are often coordinated, and the actors frequently know the organization's internal processes.
Education
Attackers send emails impersonating faculty or administrative staff (the registrar, for example) to request student records, financial aid information or account details, then sell the data or use it for identity theft and fraud.
Legal
Cybercriminals impersonate law enforcement, court officials or attorneys and send fake subpoenas or legal requests to pressure law firms or their clients into releasing sensitive case files or client data.
Government
Attackers pose as suppliers or inspectors within procurement processes. Once granted access, they can exfiltrate classified documents, plant malicious hardware or reach secured systems.
Legal Context of Pretexting
Pretexting is prohibited by law in many jurisdictions, particularly where financial or health data is involved, and can trigger several kinds of legal penalty.
Gramm-Leach-Bliley Act (GLBA): Prohibits obtaining customer financial information from a financial institution under false pretenses.
Telephone Records and Privacy Protection Act (2006): Criminalizes obtaining confidential phone records through fraud or false pretenses.
GDPR & CCPA: Penalize mishandling or unauthorized collection of personal data.
Legal consequences may include fines, lawsuits, audits, and/or criminal prosecution.
Risks & Consequences of Pretexting Attacks
Financial Implications
Pretexting leads to fraud such as fake wire transfers and invoice fraud, and recovery of the funds is usually next to impossible. MacEwan University, for example, lost about $9 million as a result of a fraudulent email exchange.
Compliance Financial Penalties
Failure to safeguard data as required by legislation such as HIPAA, SOX and GDPR may result in audits and financial penalties. ENISA has noted that 39.4% of GDPR penalties were the result of breaches associated with pretexting.
Reputation Damage
Data breaches damage reputation, erode trust and ultimately share price, especially when combined with adverse media attention. According to Ponemon in 2020, 65% of consumers lost trust in a company following a data breach, even when their own data was not disclosed.
Identity Theft
Stolen personal data is packaged for sale or reused in further fraud, and victims can be affected long after the initial incident. Organizations may also be obligated to notify affected individuals of the breach and, in many cases, to provide identity theft protection services.
Operational Disruption
Attackers need a way in, and once inside they may deploy ransomware or simply steal data. Consider Colonial Pipeline, where a single compromised VPN credential on an account without multi-factor authentication led to a ransomware attack that disrupted fuel supply across the U.S. East Coast.
Legal Liability
If victims seek legal recourse over a preventable data breach, outcomes often go against the organization, especially where basic safeguards such as staff training or multi-factor authentication were missing. Damages and court-ordered independent oversight can be significant.
Pretexting vs. Phishing: Know the Difference
Pretexting and phishing are both forms of social engineering, but their tactics differ. Phishing relies on urgency or fear to get you to click quickly on an unsolicited request, usually in a generic email or text. Pretexting is more personal: research, conversation and staged interactions build trust over time.
The key differences are compared in the table below:
| Feature | Pretexting | Phishing |
|---|---|---|
| Strategy | Trust and story | Fear and urgency |
| Duration | Long-term setup | One-time trigger |
| Personalization | Highly targeted | Often generic |
| Goal | Access and manipulation | Immediate click or reply |
Pretexting is harder to detect and often more damaging.
How to Prevent Pretexting Attacks
Utilize Email Authentication Mechanisms (SPF, DKIM, DMARC)
Implement Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) for your domain. SPF lists the mail servers allowed to send on the domain's behalf, DKIM cryptographically signs outgoing mail, and DMARC tells receiving servers what to do when a message claiming to be from your domain fails both checks, and reports those failures back to you. Together they make it very hard to spoof your exact domain in an impersonation attack. Two caveats matter in practice: a DMARC policy of p=none only monitors, so receivers will not reject spoofed mail until you move to p=quarantine or p=reject; and none of these controls stop a lookalike domain or a familiar display name on an external mailbox, which still need content- and behaviour-based checks and human verification.
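As an added example (not code from the original article), the following Python triage routine shows what these checks look like from the receiving side, and where they stop. It parses a raw message, reads the Authentication-Results header that the receiving mail server stamps with its SPF, DKIM and DMARC verdicts, checks that the DKIM signing domain aligns with the visible From domain, and then applies two checks that SPF, DKIM and DMARC cannot make on their own: a known display name on a mailbox that is not that person's real address (the lookalike-domain case), and a Reply-To pointing outside the From domain. The domain names, the sample messages and the list of protected names are constructed for illustration; a real deployment would load the protected names from the corporate directory.

```python
"""Receiving-side triage for impersonation emails.

Added example, not part of the original article. Checks the MTA's
Authentication-Results verdicts, From/DKIM domain alignment, display-name
impersonation and Reply-To mismatch. All domains, names and sample
messages below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: people attackers like to impersonate, with their real mailbox.
# In production, load this from the corporate directory.
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}

# Verdicts such as "spf=pass", "dkim=fail", "dmarc=none" inside an
# Authentication-Results header (common RFC 8601 result keywords).
VERDICT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b"
)
DKIM_DOMAIN_RE = re.compile(r"\bheader\.d=([\w.-]+)")


def parse_auth_results(header_value):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'fail'}."""
    return {m.group(1): m.group(2) for m in VERDICT_RE.finditer(header_value or "")}


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def aligned(from_domain, signing_domain):
    """DMARC relaxed alignment: equal, or one is a subdomain of the other."""
    return (
        from_domain == signing_domain
        or from_domain.endswith("." + signing_domain)
        or signing_domain.endswith("." + from_domain)
    )


def triage(raw_message):
    """Return a list of finding codes for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    auth_header = str(msg.get("Authentication-Results", ""))
    verdicts = parse_auth_results(auth_header)

    # 1. The receiving MTA already evaluated DMARC. A fail is exact-domain
    #    spoofing; a missing verdict means the header is absent or the
    #    sending domain publishes no DMARC record. (Trust this header only
    #    when your own MTA added it; that check is out of scope here.)
    if verdicts.get("dmarc") == "fail":
        findings.append("dmarc_fail")
    elif "dmarc" not in verdicts:
        findings.append("dmarc_missing")

    # 2. DKIM can pass for the attacker's own signing domain while the
    #    visible From claims ours. DMARC needs the two to align.
    m = DKIM_DOMAIN_RE.search(auth_header)
    signing_domain = m.group(1).lower() if m else ""
    if verdicts.get("dkim") == "pass" and signing_domain and not aligned(from_domain, signing_domain):
        findings.append("dkim_domain_misaligned")

    # 3. Display-name impersonation: a protected name on a foreign mailbox.
    #    SPF/DKIM/DMARC cannot catch this; the mail is authentic for the
    #    lookalike domain it was really sent from.
    expected = PROTECTED_NAMES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display_name_impersonation")

    # 4. Replies silently redirected to a mailbox outside the From domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_mismatch")

    return findings


# Constructed sample messages: exact-domain spoof, lookalike domain, genuine.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk.example.net; dkim=pass header.d=bulk.example.net; dmarc=fail header.from=example.com
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@mail.example.org>
To: finance@example.com
Subject: Urgent wire before 5pm

Please process the attached wire, I'm in a meeting and can't talk.
"""

LOOKALIKE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.co; dkim=pass header.d=example-corp.co; dmarc=pass header.from=example-corp.co
From: Jane Doe <jane.doe@example-corp.co>
To: finance@example.com
Subject: Quick favour

Are you at your desk? I need a payment pushed through today.
"""

LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board deck

Draft attached for review.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(f"{label:10s} -> {triage(sample) or ['clean']}")
```

The second sample passes SPF, DKIM and DMARC cleanly because the attacker owns example-corp.co and configured it correctly; only the display-name check catches it. That gap is the reason the article pairs email authentication with out-of-band verification of sensitive requests rather than treating DMARC as a complete answer.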
Use AI for Threat Detection
Email security tools powered by machine learning can spot patterns that are uncharacteristic for a given employee, such as a payment request at an odd hour or a file from a vendor the recipient has never dealt with before. They add a useful layer to a detection strategy, but they complement rather than replace human verification of the request itself.
Require Zero Trust for Physical Security
Do not let a visitor in simply because they look friendly and unthreatening. Require visitors to present ID, use keycard access, and train staff not to hold secure doors open for anyone they have not verified, colleague or not. Tailgating and piggybacking are real and common pretexting vectors.
Verify Sensitive Requests Out-of-Band
If someone requests sensitive data, funds or access, confirm the request through a different communication channel than the one it arrived on. If you receive an email from your CEO asking for a wire transfer, call them on a number you already have, or message them on a separate internal app; do not reply to the email or use a phone number it contains, since the attacker controls both.
Train Employees with Scheduled Phishing and Pretexting Simulations
Phishing and pretexting simulations let employees practice decision making under pressure. To make them effective, explain why these tactics succeed, not just what they look like, so employees learn to think critically in the moment.
Implement Multi-Factor Authentication (MFA)
MFA raises the bar for an attacker who has talked someone out of a username and password, because those alone no longer grant access. Require MFA on all sensitive systems, including corporate email and remote access, and prefer phishing-resistant methods such as FIDO2 security keys: an attacker who has vished a password will often try to talk the victim into approving a push prompt or reading out a one-time code, which weaker MFA methods cannot withstand.
Vetting Employees and Contractors Screening
The most obnoxious type of insider threats can start with pretexting an engaged contractor. This is also an excellent spot to run a complete background check on their history and work experience as it relates to hiring and pre-commencement screening of employees. While recruitment staff can screen new employees, they should also routinely evaluate existing contractor access only to sensitive systems or sensitive data.
Conclusion
Pretexting attacks are on the rise, evolving as social manipulation converges with new technology. Organizations cannot rely on instinct alone; they need systems, training and policies.
Encourage your team to question unusual requests, even those that appear to come from a trusted party: verification is not rudeness, it is security. With awareness, the right tools and a culture that treats verification as routine, organizations can identify and stop pretexting before damage is done. Share this guide with your teams; the more people understand what pretexting is, the harder it becomes for attackers.
FAQs: Pretexting Attack
How can pretexting be prevented?
To prevent pretexting, individuals should avoid sharing personal information with unverified sources, and organizations should implement security awareness training and technical controls as a barrier against these attacks.
What is pretexting calling?
A pretexting attack carried out over a voice phone call is often called pretext calling. Pretexting is also a core component of vishing, which is phishing conducted by phone; the term is a portmanteau of "voice" and "phishing".
What is a common pretexting example?
One of the most common pretexting examples is a scammer posing as a senior employee and asking you for details or money.