Pretexting

What is it and how can we defend against it?

Pretexting is a form of social engineering attack in cybersecurity where a malicious actor creates a fabricated scenario or identity – a “pretext” – to manipulate a target into revealing sensitive information or performing actions that compromise security. Unlike phishing, which often relies on urgency or fear, pretexting is more strategic and deceptive, often involving detailed background research and psychological manipulation.

Here's how it works:

In a pretexting attack, the attacker impersonates a trusted individual or authority figure, such as an IT technician, HR representative, bank official, or even a colleague. The attacker builds a believable story to gain the victim’s trust and extract confidential data such as:

  • Login credentials
  • Social Security numbers
  • Bank account details
  • Internal company information
  • Access to secure systems or physical locations

Pretexting often involves multiple interactions and may be carried out over phone calls, emails, text messages, or even in person. The attacker may use publicly available information (from social media or company websites) to make their story more convincing.

Common examples of pretexting:

  1. IT Support Scam
    An attacker pretends to be from the IT department and asks an employee to verify their login credentials to “fix a system issue.”

  2. Bank Fraud
    A scammer impersonates a bank representative and requests account verification details under the guise of detecting suspicious activity.

  3. CEO Fraud (Business Email Compromise)
    The attacker poses as a company executive and instructs an employee to transfer funds or share sensitive documents.

  4. Vendor Impersonation
    A fake vendor contacts the finance department to change payment details for an upcoming invoice.

Why it’s dangerous:

Pretexting is particularly dangerous because it exploits human trust rather than technical vulnerabilities. It can bypass even the most advanced firewalls and antivirus systems because the attack vector is psychological manipulation. Once trust is established, victims are more likely to comply with requests that they would otherwise question.

Pretexting vs. other social engineering attacks

While phishing typically uses deceptive emails and baiting involves offering something enticing (like free software), pretexting is unique in its use of elaborate stories and impersonation. It often requires more effort but can yield highly valuable information.