What is pretexting? Definition, examples, prevention tips

Pretexting is a type of social engineering attack whereby a cybercriminal stages a scenario, or pretext, that baits victims into providing valuable information that they wouldn’t otherwise. 

That information might be a password, credit card information, personally identifiable information, confidential data, or anything that can be used for fraudulent acts like identity theft. As the name indicates, it’s the pretext — fabricated scenario or lie — that’s the defining part of a pretexting attack. 

To that end, here’s an overview of just what is pretexting, what is a pretexting attack, and also techniques scammers deploy to pull them off. This way, you know the whole narrative and how to avoid being a part of it.

How pretexting attacks work + techniques

What is a pretexting attack? For a pretexting definition, it’s a type of social engineering attack that involves a fraudster impersonating an authority — law personnel, colleagues, banking institutions, tax persons, insurance investigators, etc. —  to gain a victim’s trust and, ultimately, their valuable information. 

As for how pretexting attacks work, you might think of it as writing a story. The cybercriminal casts themselves as a character and they come up with a plot, or ploy, that convinces victims to trust their character. The pretexting attack is considered successful when the victim falls for the story and takes action because of it. 

For instance, a scammer could pose as a person working at a credit card company and call victims asking to confirm their account details. If the victim believes them, they might just hand over their payment information, unbeknownst that it’s indeed heading in the hands of cybercriminals. The following are a few avenues that cybercriminals leverage to create their narrative. 

Phishing

Phishing could be considered pretexting by email. To a degree, the terms go hand in hand because both involve a scenario to convince victims of handing over valuable information. That is by communicating under a false pretext, potentially posing as a trusted source. 

So, what is the difference between phishing and pretexting? In addition to the fact that phishing is conducted only by email, it’s also that pretexting relies entirely on emotional manipulation to gain information, while phishing might leverage more technical means like malware to gain information.

Tailgating

Tailgating is like physical phishing. Fraudsters pose in real-life as someone else to gain access to restricted or confidential areas where they can get their hands on valuable information. For example, a tailgating pretexting attack might be carried out by someone impersonating a friendly food deliverer waiting to be let into a building, when in fact it’s a cybercriminal looking to creep on the devices inside.

Smishing

Smishing is phishing by SMS messaging, or text messaging. This can be a trusty avenue for pretexting attackers to connect with victims since texting is a more intimate form of communication — and victims might think only trusted persons would have their phone number.

Vishing

A combination of the words voice and phishing, vishing is just that: voice phishing, meaning phishing over the phone calls. In the context of a pretexting attack, fraudsters might spoof, or fake, caller IDs or use deepfake to convince victims they are a trusted source and, ultimately, get victims to share valuable information over the phone.

Impersonation

Impersonation is a technique at the crux of all pretexting attacks because fraudsters take on different identities to pull off their attacks, posing as everything from CEOs to law enforcement or insurance agents. What makes the impersonation strongest is when the pretexting attacker has done their homework on victims so little suspicion is raised about their legitimacy.

Pretexting attack examples

Pretexting attacks aren’t a new cyberthreat. They’re thought to have begun offline with British tabloids in the mid-2000s when they allegedly snooped on celebrities’ voicemails posing as tech support. Nowadays, pretexting attacks more commonly target companies over individuals. Just consider these real-world examples:       

• In 2006, Hewlett-Packard hired private investigators to see if board members were leaking news to the press. To do this, the PIs posed as the board members and gained access to call records from phone companies.
• In 2015, Ubiquiti Networks Inc. transferred $39.1 million to a scammer posing as a trusted employee acting on behalf of top executives. This is also known as a CEO fraud scam.
• In 2017, MacEwan University transferred over $9 million to a fraudster posing as a vendor and requesting staff members to update their payment details via email.

Pore over these common themes involved in pretexting attacks for more perspective on what is pretexting for hackers and how pretexting attacks work.

Gift card eligibility

In this pretexting example, you might receive an email alerting you that you’re eligible for a free gift card. Exciting, right? But to redeem it, you must answer a few personal questions to confirm your eligibility. When you do, your valuable data is stolen and you’re left gift card free.

TIP: Instead of handing over personal information quickly, question why you’re being asked to provide personal information in the first place. And never share sensitive information via email.

Internet service provider

In this scenario, a person posing as an internet service provider shows up on your doorstep for a routine check. Once they get inside, they have free rein to tap into your devices and snoop through your valuable information.

TIP: Don’t let a service provider inside your home without an appointment. If you’re wary, pry into their position and their knowledge of your service plan to unveil any holes in their story. As for a service company ID, and consider scheduling a later appointment be contacting the company.

Subject line requests

“Are you available?” “Can you help me?” “Nice to see you!” All of these can be pretty catchy email subject lines or, rather, convincing subject lines. In this pretexting example, an urgent or mysterious subject line is meant to get you to open a message and fulfill an information request from a cybercriminal posing as a trusted source, be it a boss, acquaintance, or colleague.  

TIP: If the message seems urgent or out of the blue, verify it with the sender on a different communication channel to confirm it’s legitimate.

Pretexting and the law

Pretexting is generally unlawful in the U.S. because it’s illegal to impersonate authorities like law enforcement. However, private investigators can in some instances use it legally in investigations. That wasn’t the case of the aforementioned Hewlett-Packard scandal, which resulted in Congress passing the Telephone Records and Privacy Protection Act of 2006.

How to prevent pretexting attacks

Similar to social engineering attacks, becoming a targeted victim of a pretexting attack can be humiliating and frustrating to recover from. Knowing the common themes of pretexting attacks and following these best practices can go a long way in helping you avoid them from the start:

1. Never share sensitive information by email, phone, or text message. 
2. Question whether and why someone really needs the information requested from you.
3. Verify requests for valuable information by going directly to a company or source through a different means of communication. 
4. Follow your gut and don’t respond to information requests that seem too good to be true.
5. Don’t leave your devices unattended. 

What’s worth remembering is cybercriminals want to cast you in a narrative they’ve created. Keeping your cybersecurity top of mind can ensure you’re the director of your digital life, not a fraudster.