What is pretexting? Definition, examples, and how to spot an attack

Jacob Fox

May 29, 2024

Pretexting is a technique used in most social engineering scams and many cyberattacks. Sophisticated scammers perform detailed research into their targets to come up with convincing pretexts to trick them into handing over their personal information. But what is pretexting? And what can you do about it?

Thankfully, there are ways to detect and prevent pretexting attacks. Read on to find out how pretexting works and how to keep yourself and others safe from it.

What is pretexting in cybersecurity?

Pretexting is a common social engineering technique. It refers to the use of a pretext — a made-up reason or justification — to trick someone into giving up their personal information, downloading malware, transferring money, or giving access to an organization, network, or system.

The Federal Trade Commission (FTC) gives the following pretexting definition: “A term coined by the private investigation industry, [referring] to the practice of obtaining personal information under false pretenses. For example, an investigator who obtains a bank account balance by posing as the account holder would be engaged in pretexting.”

How does pretexting work?

Pretexting usually begins with research to come up with a sophisticated and believable backstory to target an individual. A victim, for instance, might not believe that an attacker is an official representative of their bank until presented with their own information, such as their home address.

Researching to find such useful personal information is, therefore, usually the first step of a pretexting attack. So, the bigger your digital footprint, the easier it will be for an attacker to research you and come up with a convincing pretext.

A good pretext involves both a character and a situation. For instance, a pretexting attacker might play the character of your bank account representative in a made-up situation in which they require that you verify your identity to authenticate a payment transfer. The best kind of character for a pretexting attack is either one who the victim trusts or one who has authority over the victim, such as their boss or a government official.

Once the attacker has researched their victim and found a good pretext, they contact the victim via phone, email, or message and use the made-up character and situation to trick them into giving up their personal data, downloading malware, or giving access to a system.

What are the differences between pretexting and phishing?

Phishing is one of the most common kinds of cyberattacks. It attempts to trick a user into giving up personal information, such as banking details, by pretending to be a trusted person, organization, or institution.

The most common phishing attacks involve sending generic emails to many people in the hope that a few of them click a sketchy link and give up their information. There’s technically a pretext even in these cases: for example, the attacker claims the email is an official message from a social media company. Thus, phishing normally involves a basic kind of pretexting.

A pretexting attack usually refers to an attack that involves a more sophisticated type of pretext. The attack may require some research on a specific target in order to be convincing.

Pretexting is, therefore, a kind of spear phishing attack — a phishing attack targeted at a specific victim based on research into the victim to create a convincing pretext.

A screenshot of a browser phishing warning on a site linked to darcula malware.

What does the law say about pretexting?

When pretexting attacks are brought to trial, sentencing is often based not on the pretexting itself but on the illegal acts that it enables.

For instance, an attacker might use a pretext to trick someone into giving up their personal information, which the attacker then uses to commit identity theft. In this case, it’s likely that identity theft laws would be used to convict the attacker rather than something specific to pretexting.

There are, however, some laws relevant specifically to pretexting. In particular, the 1999 Gramm-Leach-Bliley Act makes it illegal to use pretexting to obtain someone else’s financial records from a financial institution or one of its customers. Similarly, the 2006 Telephone Records and Privacy Protection Act makes it illegal to use pretexting to attempt to obtain someone else’s telephone records.

In most states, it’s also illegal to pretend to be a certain kind of person, such as a police officer or a licensed professional in a particular trade, like computer forensics. Many states have their own additional laws and regulations surrounding pretexting, too.

Real-life examples of pretexting attacks

We don’t have to look far to see the real-world impact of these attacks. Here are a few of the biggest pretexting incidents to make the news.

  • Nordic banking theft: In 2007, Russian cybercriminals installed trojans on the devices of 250 account holders at Swedish bank Nordea. This malware then stole their banking information, which was used to access their accounts and steal their money. The attackers did this by first conducting research to identify customers of this bank. They then emailed known customers, pretending to be Nordea with a pretext that, in reality, led to victims downloading and installing malicious software. (Story reported by The New York Times.)
  • State-sponsored hack of RSA: In 2011, American security company RSA was hacked as a result of pretexting. An employee at the company was targeted with an email that claimed to contain a “2011 Recruitment plan.” The attached Excel file, which the employee then downloaded, carried an exploit for an Adobe Flash vulnerability. Wired describes the widespread and devastating impact of this attack: “RSA had added an extra, unique padlock to millions of doors around the internet, and these hackers now potentially knew the combination to every one.” This is because the attack compromised SecurID seeds for user authentication, which were “relied on across the globe to protect the internet.”
  • Facebook and Google lose over $100 million: Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas sent fake invoices to Facebook and Google, pretending to be Quanta Computer, a supplier that both companies used. Rimasauskas researched both companies to forge the names and signatures of people working for Facebook and Google to lend credibility to his pretext. He ended up amassing fraudulent income of over $100 million. (Story reported by CNBC.)

Pretexting attack techniques

Because most scams involve creating some kind of pretext, there are several kinds of pretexting attacks. Here are some of the most common pretexting scams to watch out for.

Impersonation

This is the technique that most defines pretexting. A pretexting attack requires the impersonation of a person, organization, institution, or service. This can be anything from pretending to be a generic bank official to using a spoofed SIM card and pretending to be someone the victim knows.

Tailgating

Tailgating is when an attacker follows close behind someone who has access to a restricted building or location, aiming to slip in behind them when they enter. This is considered a kind of pretexting because it involves an attacker pretending that they should be somewhere that they shouldn’t.

Baiting

Many pretexting attacks try to bait the target with the promise of something alluring. For instance, one attack might send an email claiming to be from a successful crypto investor, offering to share their expert knowledge on a crypto trading site. Another attack might send an email with a malicious attachment disguised as something enticing, such as details of a pay bonus.

Phishing

Phishing attacks attempt to trick you into divulging your personal information or installing malware by pretending to be someone you trust. They usually occur over email and involve creating a pretext that at least some targets are likely to fall for.

Piggybacking

A piggybacking attack is when the attacker pretends to be someone who should be authorized to enter a restricted area as a means of trying to get you to let them in. In other words, it’s like tailgating but uses social engineering to get a target’s express consent. For example, an attacker might pretend to be another employee who has forgotten their key and ask you to hold the door for them.

Scareware

Scareware is software that attempts to scare you into performing an action that will eventually compromise your personal information. For example, if this kind of malware gets onto your system, it might create browser pop-ups that claim that your computer is infected and you need to download an antivirus by clicking on the download button. If you download the software indicated, however, it might log your keystrokes to steal your account login information.

Vishing

Vishing means “voice phishing” and refers to phishing attacks conducted over the phone. This is where an attacker pretends to be someone you trust in order to get you to divulge personal info.

Vishing commonly uses financial pretexts. An attacker may pose as a bank official requesting ID verification, for example, because people often expect financial institutions to contact them over the phone rather than email or text.

How to detect pretexting scams

Pretexting scams can sometimes be difficult to spot because they involve very believable characters and stories. However, there are a few simple ways to detect most of them. Here are some of the most common signs of a pretexting scam.

Asking for personal information

While someone asking for your personal information doesn’t automatically indicate that you’re being targeted by a pretexting scam, such requests for personal info should be considered with caution.

Most organizations and institutions won’t ask you for personal information over the phone or via email. Instead, they’ll ask you to perform some action via their official website or by having you call their official company number.

Asking to bypass verification

Most organizations, services, and institutions will require some kind of verification from you and from themselves to protect both parties. This might involve directing you to their secure website to communicate or telling you some of your personal information that only an official source should know. If the official skips this step, it might be a sign that they’re not who they say they are.

Pressure from authority

Many pretexting scams rely on victims giving up their personal information or giving access to the attacker out of deference to authority. For instance, an attacker might pretend to be your boss, emailing from their personal email address. This pretext might make you feel like you can’t question their identity because of the potential consequences of questioning someone with authority over you.

Unverifiable contact information

One way to spot a pretexting scam is to see if you can verify the contact information the possible pretexting attacker is communicating from. If a person claims to be a representative of a particular company, for example, check whether their email address or phone number is listed as an official one for that company on its website.
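
Two of the signs above, "Pressure from authority" and "Unverifiable contact information," can be checked mechanically from message headers. The following Python sketch is an added example, not part of the original article; the corporate domain, the list of protected names, and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed inputs (hypothetical): the organization's own mail domain and the
# names of people whose authority an attacker is likely to borrow.
CORPORATE_DOMAIN = "example.com"
PROTECTED_NAMES = {"dana whitfield", "lee okafor"}

# Constructed sample messages (not real mail).
SAMPLE_SPOOF = (
    "From: Dana Whitfield <dana.whitfield.ceo@mailbox.example.net>\n"
    "Reply-To: payments@billing.example.org\n"
    "Subject: Urgent wire transfer\n\n"
    "I need this done before noon.\n"
)
SAMPLE_GENUINE = (
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "Subject: Q3 planning\n\n"
    "Agenda attached.\n"
)


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def pretext_signals(raw_message):
    """Return the pretexting warning signs found in a message's headers."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    signals = []

    # Pressure from authority: a known internal name on an outside address.
    name = " ".join(display.lower().split())
    if name in PROTECTED_NAMES and domain_of(from_addr) != CORPORATE_DOMAIN:
        signals.append("authority-name-on-external-address")

    # Unverifiable contact information: replies are routed to another domain.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        signals.append("reply-to-domain-mismatch")

    return signals
```

A match is a reason to verify the sender through a separate channel, not proof of an attack; executives do sometimes write from personal accounts.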

How to prevent a pretexting attack

The best defense against a pretexting attack is preventative. It’s better to prevent the attack from happening in the first place, or at least spot it when it does occur, rather than fall for it and attempt to fix it after your information has already been stolen. Here are some of the best ways to avoid pretexting attacks.

Reduce your digital footprint

Attackers can craft some pretty compelling stories if they have enough information on you. For instance, they might be able to convince you that they’re a co-worker if they know a lot of information about where you work.

This is why it’s important to reduce the amount of information potential attackers can access by reducing your digital footprint. The process involves scrubbing your internet accounts of as much personal information as possible.

Verify and authenticate

Don’t forget to do your best to verify and authenticate everyone you communicate with online or over the phone. Think of things you can ask the other person that they would only know if they were the real deal.

Try to practice this even with communications you’re not so worried about. This will help you develop a habit of verification and authentication so you’re more prepared should you be the target of a pretexting attack.

Research the sender’s contact information

If you want to verify the identity of someone contacting you, a great way to start is by checking their contact information. If someone claims to be a representative of a trusted company, for example, check that the email address or phone number they’re contacting you from matches the official company website.

Use domain-based authentication (DMARC)

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication standard that helps prevent email spoofing. (In other words, it helps prevent you from seeing emails claiming to be from someone they’re not.) You should ensure that your email provider is using this standard and that it is set up correctly.

Use AI filtering

One of the benefits of artificial intelligence (AI) is that it can be used to improve your cybersecurity attack detection. Some paid protective services offer AI-powered email filtering to detect pretexting attacks based on analysis of the content of the emails received. This isn’t foolproof because attackers can always change how they format and structure their pretexting attempts, but it can help.

Start a new line of communication

If you’re ever unsure if an email, text message, or phone call has come from an official source, you can start a new line of communication with the person whom the potential attacker is claiming to be.

If someone calls you claiming to be a representative of your bank, you can tell them that you’ll call them back and then call their official customer service helpline.

Stay aware and report anything suspicious

To avoid pretexting, practice vigilance by carefully considering the legitimacy of each phone call, text message, and email communication you receive. If anything seems fishy, report it to your IT department, your email provider, or those in charge of whatever service or system you’re using.

Keep your systems clean and secure

Some pretexting attacks rely on malware that collects information about you that an attacker can use to create a convincing pretext for their scam. And some malware, such as pop-up scareware, attempts to scam you under the pretext of being something it’s not.

As such, it’s important to keep your devices and systems free of malware. You can do this quickly and easily by using software such as CleanMyMac X to run a malware scan.

Pretexting is involved in most social engineering and phishing scams, and it is, therefore, incredibly important to understand and combat. It involves researching a target and coming up with a fake character and story to trick them into giving up their personal information, giving the attacker access to something they shouldn’t, or downloading malware.

While pretexting attacks can be sophisticated, there are things you can do to stay safe. Most importantly, you should always try to verify and authenticate the identity of those whom you’re communicating with before downloading any files or divulging personal information.

Jacob Fox
In addition to being an academic, Jacob is a lifelong technology expert and cybersecurity writer who has helped his readers understand information security for almost five years. He has written for TechRadar, PCGamer, and other online technology publications.