What is Pretexting?
Pretexting is a social engineering technique in which an attacker creates a fabricated scenario - the pretext - to establish trust with a target and manipulate them into revealing sensitive information or performing an action. The attacker invents a believable identity and backstory to justify their request.
How Pretexting Works
An attacker researches the target and their organization, then creates a scenario that gives them a plausible reason to contact the target and request information or access. For example: impersonating an IT technician who needs login credentials to fix an urgent issue, a vendor who needs updated payment details, or an executive requesting sensitive financial data. The pretext is designed to override the target's suspicion by providing a logical explanation for the request.
Why Pretexting Matters
The 2023 Verizon DBIR found that pretexting accounted for more than 50% of social engineering incidents - surpassing phishing as the most common social engineering technique. Pretexting is particularly dangerous because it underpins the most sophisticated social engineering: every effective vishing call, BEC (business email compromise) email, and help desk attack begins with a well-crafted pretext.
How to Protect Against Pretexting
- Monitor employee exposure for the data attackers use to build pretexts
- Simulate pretexting attacks across multiple channels (phone, email, in-person)
- Train employees to verify identities through independent channels before complying
- Establish clear processes for sensitive requests that can't be bypassed by urgency
- Reduce publicly available organizational data that aids pretext construction
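The "verify through an independent channel" and "process that can't be bypassed by urgency" controls above can be enforced mechanically rather than left to an individual's judgement under pressure. The following is an added example, not code from the original page: a small request gate in which a sensitive action is only approved once the required steps are evidenced, the callback step only counts if it was made to the number in the directory of record (never to a number the requester offered), and the urgency flag is logged but changes nothing. The directory entries, action list and request samples are constructed for illustration.

```python
"""Sensitive-request gate that cannot be shortcut by urgency.

Added example (not from the original page). The directory, the set of
sensitive actions and the request samples are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Directory of record: the ONLY source of callback numbers. Constructed sample.
DIRECTORY = {
    "j.doe": {"phone": "+1-555-0100", "role": "finance"},
    "it.vendor": {"phone": "+1-555-0150", "role": "vendor"},
}

# Actions that trigger the process, each with the verification steps it requires.
SENSITIVE_ACTIONS = {
    "password_reset": {"callback", "approver"},
    "payment_details_change": {"callback", "approver", "second_approver"},
}


class Decision(Enum):
    APPROVED = "approved"
    PENDING = "pending"     # process not complete; do nothing yet
    REJECTED = "rejected"


@dataclass
class Request:
    claimed_identity: str
    action: str
    urgent: bool = False
    # Contact channel offered by the requester; recorded but never used to verify.
    offered_callback: Optional[str] = None
    # Evidence gathered by staff: step name -> value (number dialled, approver id).
    evidence: Dict[str, str] = field(default_factory=dict)


@dataclass
class Outcome:
    decision: Decision
    missing_steps: List[str]
    notes: List[str]


def evaluate(request: Request) -> Outcome:
    """Apply the fixed process; urgency and requester-supplied details cannot relax it."""
    notes: List[str] = []
    if request.action not in SENSITIVE_ACTIONS:
        return Outcome(Decision.APPROVED, [], ["not a sensitive action"])

    entry = DIRECTORY.get(request.claimed_identity)
    if entry is None:
        return Outcome(Decision.REJECTED, [], ["claimed identity not in directory"])

    if request.urgent:
        notes.append("urgency flag ignored; required steps unchanged")
    if request.offered_callback and request.offered_callback != entry["phone"]:
        notes.append("requester-supplied contact differs from directory; ignored")

    missing: List[str] = []
    for step in sorted(SENSITIVE_ACTIONS[request.action]):
        value = request.evidence.get(step)
        if step == "callback":
            # A callback only counts if it went to the directory number.
            if value != entry["phone"]:
                missing.append(step)
        elif step in ("approver", "second_approver"):
            # The requester cannot approve their own request.
            if not value or value == request.claimed_identity:
                missing.append(step)
        elif not value:
            missing.append(step)

    if missing:
        return Outcome(Decision.PENDING, missing, notes)
    return Outcome(Decision.APPROVED, [], notes)


if __name__ == "__main__":
    # Constructed sample: an "urgent" reset with a callback number the caller supplied.
    r = Request("j.doe", "password_reset", urgent=True, offered_callback="+1-555-0199",
                evidence={"callback": "+1-555-0199", "approver": "m.smith"})
    print(evaluate(r))  # pending: the callback must go to the directory number
```

The point of the structure is that the person handling the request never decides whether verification is needed; the action type decides, and the only inputs that can move a request to approved are facts the handler established themselves (the number they dialled from the directory, the approver they spoke to). A convincing backstory or an urgent tone has no field to act on.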
Frequently Asked Questions
How common is pretexting in real attacks?
Very common. The 2023 Verizon DBIR found that pretexting accounted for more than 50% of social engineering incidents - surpassing phishing as the most frequent technique. It's the foundation of sophisticated attacks like vishing, BEC, and help desk manipulation.
What makes a pretext convincing?
A convincing pretext has logical justification, creates urgency, targets someone with authority to grant the request, and uses details gathered through OSINT. For example: 'I'm the new IT vendor setting up systems' sounds more plausible than 'I need your password.' Research makes the difference.
Can you train employees to detect pretexting?
Partially. Teaching employees to verify identities through independent channels, establish clear approval processes, and question unusual requests helps. However, skilled pretexting exploits trust and authority, making it harder to resist than phishing. Multi-channel simulations that test pretexting scenarios are more effective than generic training.
What's the connection between OSINT and pretexting?
Attackers use OSINT to build the details that make pretexts believable. LinkedIn reveals org structure and projects. GitHub shows what employees work on. Job postings disclose infrastructure. The more data available publicly, the more convincing the pretext can be.