What is Pretexting? How It Works and How to Prevent It

Although you might not hear the term ‘pretexting’ often, it’s among the most common tactics used by cyber criminals.

The technique is at the heart of phishing scams. These attacks, in which malicious messages are sent to unsuspecting victims, are a pervasive threat. According to Cisco's 2021 Cybersecurity Threat Report, phishing accounts for around 90% of data breaches.

You probably know how phishing works, but where does pretexting fit into the equation?

What is a pretexting attack?

Pretexting is the underlying framework for most social engineering techniques. Social engineering, in turn, is the way fraudsters manipulate people into performing actions or divulging information they otherwise would not.

In an information security context, this most often takes the form of phishing scams: messages from a supposedly legitimate sender that ask the recipient to open an attachment or follow a link to a bogus website.

Social engineering can also lead to data breaches in other ways. For example, a scammer might enter an organisation's premises claiming to be a delivery person and then slip into a restricted part of the building.

What connects all these social engineering methods is that the attacker has an apparently legitimate reason for their request. In other words, they have a pretext to contact people – hence ‘pretexting’.

Establishing the victim’s trust is critical to the attack’s success, so the attacker will research their target and create a plausible backstory to make themselves more credible.

How does pretexting work? Pretexting examples

In pretexting scams, fraudsters build a relationship with the victim to gain their trust.

Consider this example: your organisation’s finance assistant receives a phone call from someone claiming to be from an existing supplier.

After a series of phone calls where the caller explains the need to verify financial information as part of a new process, the finance assistant provides all the details the caller requires.

In this scenario, the caller built a relationship with the victim using a compelling backstory to trick the target into handing over the information.

In other instances, it’s not necessary to build the target’s trust over time. This is often the case if the attacker has compromised a senior employee’s account or is impersonating them.

An urgent message that appears to come from a director is often enough on its own to make the employee comply with the request.

In these scams, the attacker usually sends a brief message that states that the senior employee needs a favour.

[Image: example of a CEO impersonation email. Source: Vae Secure]

In the example above, the sender, posing as the organisation's CEO, writes: "I need you to personally run a task for me ASAP. I'm caught up in meetings all day. Just reply to my emails. Let me know if you can get this down right now".

Spotting an illegitimate request isn't easy, so if in doubt it's always best to check with a colleague or to verify the request through a channel you already trust. No matter how convincing the story, never give out sensitive information to an unverified caller over the phone.
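The CEO-impersonation message above carries several signals that can be checked mechanically before a human ever reads it: a display name that matches an executive but an address that does not, a Reply-To that points somewhere other than the sender, and urgency or "don't call me, just reply" language. The following Python is an added example written for this article; it is not code from the original post or from GRC eLearning. The organisation domain (example.com), the executive name and address, and the phrase lists are hypothetical, as are the two sample messages, which are constructed here for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation details; replace with your own directory data.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> address on record

# Phrases typical of pretexting messages. Indicators, not proof of fraud.
URGENCY_PHRASES = ("asap", "urgent", "right now", "immediately", "caught up in meetings")
CHANNEL_LOCK_PHRASES = ("just reply to my email", "don't call", "can't talk")


def _domain(address):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def pretext_indicators(raw_message):
    """Return the list of pretexting indicators found in a raw RFC 822 message.

    Header checks catch impersonation of an executive from an outside address.
    They will NOT fire when the executive's real account has been compromised,
    because the From address is then genuine; only the language checks remain,
    which is why out-of-band verification is still required.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    indicators = []

    # 1. Display name of a known executive, but not the address we hold for them.
    known_addr = EXECUTIVES.get(from_name.strip().lower())
    if known_addr and from_addr.lower() != known_addr:
        indicators.append("display_name_impersonation")

    # 2. Replies are silently redirected to a different domain.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        indicators.append("reply_to_domain_mismatch")

    # 3. Pressure to act immediately.
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency_language")

    # 4. Attempts to keep the victim on the attacker-controlled channel.
    if any(p in text for p in CHANNEL_LOCK_PHRASES):
        indicators.append("channel_lock")

    return indicators


# Constructed sample: CEO fraud sent from a look-alike external mailbox.
CEO_FRAUD = """From: Jane Doe <jane.doe@gmail-mail.example.net>
Reply-To: Jane Doe <ceo.office@mail.example.net>
To: finance.assistant@example.com
Subject: Quick task

I need you to personally run a task for me ASAP. I'm caught up in meetings all day.
Just reply to my email. Let me know if you can get this done right now.
"""

# Constructed sample: a routine message from the real executive account.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance.assistant@example.com
Subject: Q3 supplier review

Could you send me the supplier list before Friday's meeting? Thanks.
"""

if __name__ == "__main__":
    print("fraud :", pretext_indicators(CEO_FRAUD))
    print("legit :", pretext_indicators(LEGIT))
```

Run it and the constructed fraud message produces all four indicators while the routine message produces none. Treat a hit as a reason to route the message for verification, not as a verdict: a genuine but compromised account passes the header checks, and a careful attacker can avoid the phrase lists.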

How to prevent pretexting social engineering

The most effective way to protect yourself and your organisation from scams is to avoid interacting with messages from unknown or suspicious senders. Bear in mind, though, that pretexting messages are designed to look as if they come from someone you trust, so a familiar name alone is not proof that a message is genuine.

Scammers' objective is to trick people into clicking links, opening infected attachments or handing over information. Any message that asks you to do one of those things should be met with extreme caution.

If you're ever uncertain whether a message is genuine, look for a safe way to verify it. For example, if you receive a request from a colleague, speak to them in person, by phone or via an instant messaging service, using contact details you already hold rather than any supplied in the message itself.

Although you might be hesitant to do this for a senior employee – particularly if their message says that the request is urgent or that they are in meetings all day – it’s better to be safe than sorry.

Your organisation’s information security policy should contain instructions similar to this, so you can be assured that you are following best practice. The advice should also be echoed in any information security staff awareness training you receive.

If your organisation’s staff awareness programme doesn’t cover these risks, you should enrol your employees on GRC eLearning’s Phishing Staff Awareness E-Learning Course.

This online training course uses examples such as the ones given in this blog to help you identify the signs of scams.

It covers everything from phoney text messages and emails to telephone con artists, to ensure that you and your team are equipped to spot fraudulent messages before it's too late.

Take action against the increasing threat of targeted phishing attacks by educating your employees to be alert, vigilant and secure.


A version of this blog was originally published on 20 November 2018.