What is pretexting in cyber security?

Pretexting is a form of social engineering in which an attacker invents a plausible scenario, the pretext, to trick an individual, employee, or executive into divulging information or granting access to a system or service. The pretext is built to earn the victim's trust: the attacker may pose as an investor, an HR representative, an IT specialist, a vendor, or some other seemingly legitimate party. Pretexting is a core tactic of targeted social engineering attacks such as spear phishing, whaling, and business email compromise (BEC). Cybercriminals and offline criminals alike also use pretexting on its own to steal valuable information or assets from individuals and organizations.

Pretexting attacks are not limited to online channels; they can take place over the phone, by mail, or in person. Whatever the channel, the attacker works to gain the trust of an unsuspecting victim so that the victim hands over sensitive information. Pretexting plays on the victim's emotions: it creates a sense of urgency, offers a deal that is too good to be true, or appeals for sympathy. Social engineering techniques that commonly rely on a pretext include baiting, phishing, piggybacking, scareware, tailgating, and vishing/smishing.

Pretexting is particularly common in targeted phishing attacks, including spear phishing, which targets a specific individual, and whaling, which targets an executive or another employee with privileged access to sensitive information or systems. Pretexting also plays a role in non-targeted, spray-and-pray email phishing, voice phishing (vishing), and SMS phishing (smishing) scams, where the pretext is generic (a package delivery, a suspended account) rather than tailored to one victim.

To prevent pretexting attacks, individuals and organizations need to know the common characteristics of these attacks and train employees to recognize them. Organizations should also establish policies for financial transactions and for validating identities and credentials: for example, any request to share personal or confidential information, change payment details, or move funds must be verified through an independent channel (in person, over a video call, or by calling back a number already on record) and never solely through the text message or email that made the request. The point of the independent channel is that an attacker who controls the original conversation cannot also control the verification.
