Cybersecurity Knowledge Base
CyberPedia
Pretexting
Overview
In cybersecurity, pretexting is a social engineering technique where an attacker invents a believable story or role to gain your trust so you’ll share information, give access, or perform actions that help their attack. Instead of asking for data directly, they wrap the request in a convincing scenario—a “pretext”—so it feels normal and justified.
What Pretexting Looks Like
Pretexting can happen over email, phone, chat, or in person, and usually involves impersonation:
“IT support” asking for your password to fix a system issue.
“HR” requesting sensitive employee details for a “payroll correction.”
“Finance” or a “vendor” asking you to change bank account details for payments.
“Law enforcement” or “auditors” demanding immediate cooperation and data.
The key is the fabricated backstory: the attacker uses titles, logos, insider language, or references to real events to make their request seem reasonable.
How a Pretexting Attack Typically Works
Most pretexting attacks follow a similar pattern:
Research and preparation
The attacker gathers information about the organization and people: company website, LinkedIn, social media, press releases, and past breaches.
They learn names, roles, systems used, vendors, and recent events to make their story match reality.
Building the pretext (the story)
They create a specific role and scenario, such as:
Internal IT doing “routine security checks.”
A vendor chasing an “urgent invoice update.”
An executive assistant or finance contact following up on a payment.
They prepare answers to likely questions so they can stay believable.
Making contact
They reach out via email, phone, text, or messaging, using the pretext to start the conversation.
The message often looks polished, with correct logos, signatures, and realistic details.
The ask
Once trust is established, they request something that would normally be sensitive, such as:
Usernames and passwords.
Multi‑factor authentication (MFA) codes.
Bank or payment changes.
Access to systems or files.
The request is framed as necessary for the “job” they’re pretending to do.
Follow‑on abuse
With the information or access, they may carry out Business Email Compromise (BEC) fraud, redirect payments, install malware, or steal data.
Goals of Pretexting
Pretexting is usually aimed at:
Stealing confidential information
Login credentials, customer or employee data, financial records, or internal documents.
Gaining system access
Admin accounts, VPN, cloud services, or back‑office tools that can lead to wider compromise.
Enabling larger attacks
Setting up conditions for Business Email Compromise, wire fraud, ransomware, or long‑term espionage.
How Pretexting Differs from Generic Phishing
Both are forms of social engineering, but:
Phishing often uses broad, generic messages and relies heavily on urgency or fear (“reset now,” “your account will be closed”).
Pretexting is more targeted and story‑driven, focusing on building trust with believable roles and background details before making the request.
Think of phishing as a mass “spray and pray,” and pretexting as a tailored con job.
Red Flags and Warning Signs
Be alert when you see any combination of these:
Someone claims a role (IT, HR, vendor, auditor, law enforcement) but you did not expect their contact.
They request sensitive information or access that doesn’t match what they’d normally need.
They reference internal details to sound legitimate, but something in the story feels "slightly off."
They push for quick action or say normal verification steps can’t be followed “this time.”
They ask you to bypass standard processes for payments, account changes, or access approvals.
Key Prevention Tips (Plain‑Language)
For individuals and staff:
Verify the person and the request using a trusted channel
If an email or call asks for sensitive data or access, contact the person or department using known contact info (company directory, ticket system, vendor portal)—not the contact details in the message.
Follow established procedures—no exceptions by email or phone
For payments, bank changes, password resets, or access grants, always use documented workflows and approvals.
Be cautious of authority plus urgency
If someone claims to be high‑level or external authority and demands fast action, treat it as a warning sign, not a reason to skip checks.
Never share passwords or MFA codes
Legitimate IT staff or vendors never need your password or a one‑time code; a request for either is itself a red flag. The same goes for MFA push prompts: do not approve a prompt you did not trigger yourself, even if the caller says they sent it to "confirm your identity."
Ask questions and trust your instincts
A real employee or vendor should be able to answer basic verification questions and won’t be offended if you say, “I’ll call you back via the main number.”
What Organizations Should Do
To manage pretexting risk, organizations should:
Define and communicate clear rules on what internal teams (IT, HR, finance, security) will and will not ask for.
Require out‑of‑band verification for financial changes (like new vendor bank details) and high‑risk access requests.
Provide regular awareness training with realistic pretexting examples.
Use technical controls (MFA, role‑based access, logging, anomaly detection) to reduce damage if pretexting succeeds. Prefer phishing‑resistant MFA (FIDO2 security keys or passkeys) for sensitive accounts, since a one‑time code that an employee reads out over the phone can be used by the attacker immediately.
Encourage a culture where employees are praised for verifying and reporting, not criticized for “slowing things down.”
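The red flags, the "verify through a trusted channel" rule, the "never share passwords or MFA codes" rule, and the organizational requirement for out‑of‑band verification of financial and access changes can be expressed as one small decision procedure. The following Python is an added example written for this page, not code from the original article or from any product it describes; the contact directory, the category names, and the sample requests are constructed for illustration. The point it makes in code is that the callback number always comes from the directory on file, never from the message that made the request.

```python
"""Toy pretexting-resistant request triage.

Added example, not from the original page. CONTACTS_ON_FILE, the request
categories, and the sample requests below are all constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    REFUSE = "refuse"                 # never provide; report to security
    VERIFY_OUT_OF_BAND = "verify"     # call back on the number on file, then use the documented workflow
    ROUTINE = "routine"               # handle through the normal ticket/process


# Things no legitimate IT, HR, finance, or vendor contact ever needs.
NEVER_SHARE = {"password", "mfa_code", "one_time_code"}

# Requests that must go through a documented workflow after out-of-band verification.
HIGH_RISK = {"bank_details_change", "payment_redirect", "access_grant",
             "password_reset", "employee_pii"}

# Constructed directory of contacts on file (hypothetical values).
# This is the only source of truth for callback numbers and sender domains.
CONTACTS_ON_FILE = {
    "acme-supplies": {"phone": "+1-555-0100", "domain": "acme-supplies.example"},
    "it-helpdesk":   {"phone": "+1-555-0199", "domain": "corp.example"},
}


@dataclass
class Request:
    claimed_party: str         # who the sender says they are, e.g. "acme-supplies"
    sender_domain: str         # domain of the email address or caller ID presented
    asks_for: str              # what is being requested
    callback_in_message: str   # number the message tells you to call ("" if none)
    urgency: bool = False      # "must be done today", "no time for the usual checks"


@dataclass
class Assessment:
    decision: Decision
    red_flags: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None   # number on file to verify with, if any


def assess(req: Request) -> Assessment:
    """Apply the page's red flags and verification rules to one request."""
    flags: List[str] = []
    on_file = CONTACTS_ON_FILE.get(req.claimed_party)

    if on_file is None:
        flags.append("claimed party is not in the contact directory")
    else:
        if req.sender_domain != on_file["domain"]:
            flags.append(f"sender domain {req.sender_domain!r} differs from "
                         f"{on_file['domain']!r} on file")
        if req.callback_in_message and req.callback_in_message != on_file["phone"]:
            flags.append("message supplies a callback number that differs from the one on file")
    if req.urgency:
        flags.append("pressure to act quickly or to skip normal checks")

    # Rule 1: secrets are never shared, whatever the story.
    if req.asks_for in NEVER_SHARE:
        flags.append(f"asks for {req.asks_for!r}, which no legitimate contact needs")
        return Assessment(Decision.REFUSE, flags)

    # Rule 2: high-risk changes, or anything that raised a flag, need out-of-band
    # verification using the directory number, never the one in the message.
    if req.asks_for in HIGH_RISK or flags:
        if on_file is None:
            flags.append("cannot verify: no contact on file; escalate to security")
            return Assessment(Decision.REFUSE, flags)
        return Assessment(Decision.VERIFY_OUT_OF_BAND, flags, on_file["phone"])

    return Assessment(Decision.ROUTINE, flags)


def sample_requests() -> List[Request]:
    """Constructed sample requests covering each branch."""
    return [
        # Lookalike vendor domain, new callback number, urgency, bank change.
        Request("acme-supplies", "acme-supp1ies.example", "bank_details_change",
                "+1-555-0142", urgency=True),
        # Genuine-looking helpdesk asking for an MFA code: refuse regardless.
        Request("it-helpdesk", "corp.example", "mfa_code", ""),
        # Ordinary status question from the real helpdesk domain.
        Request("it-helpdesk", "corp.example", "ticket_status", ""),
        # Unknown party wanting a payment redirected: nobody to call back.
        Request("unknown-co", "unknown.example", "payment_redirect", "+1-555-0177"),
    ]


if __name__ == "__main__":
    for r in sample_requests():
        a = assess(r)
        print(r.claimed_party, r.asks_for, "->", a.decision.value,
              "| callback:", a.callback_number, "| flags:", a.red_flags)
```

The lookalike-vendor request ends up in VERIFY_OUT_OF_BAND with the directory number +1-555-0100, not the +1-555-0142 the message offered; the MFA-code request is refused before any verification is attempted; and the unknown party is refused because there is no trusted channel to verify through, which is the "check with your manager or IT" case rather than "take their word for it."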
What To Do If You Suspect Pretexting
If you think you’re facing a pretexting attempt:
Pause and do not provide what’s requested.
Verify independently (call back via known numbers, check with your manager or IT).
Report the attempt to your security or IT team with full details (emails, numbers, content).
If you already shared information or approved something, notify security immediately so they can reset credentials, revoke active sessions, monitor for follow‑on activity, and limit the damage; acting quickly matters more than the embarrassment of reporting.