What Is Pretexting in Cyber Security? [Easy Guide & Examples]


Have you ever received a call and been told that your identity has been stolen and that your social security number is needed to verify it?

Or maybe you received an email from what looked like the IT department claiming you need to change your password ASAP.

If you’ve been on the receiving end of an elaborate ploy to get you to take action, whether it be to click a link or hand over sensitive information, then you may have fallen victim to pretexting.

A hacker uses pretexting to win over a victim’s trust. With that trust, the hacker may persuade the victim to download malicious software, hand over sensitive information, transfer money, or do whatever else the hacker has in mind.

Let’s explore how pretexting is used in social engineering attacks to help attackers accomplish their goals and what you can do to protect against it.

If you’re ready, we’re too. Let’s go!

What Is Pretexting in Cyber Security?

Pretexting in cyber security can be defined as a social engineering attack whereby the attacker seeks to build a relationship with the victim.

Once a relationship has been established through various psychological means, an attacker will leverage it to force a victim into taking some sort of action.

Pretexting is just one of the many tactics a black or white hat hacker will have in their arsenal.

To be clear, social engineering is a psychological attack that tricks a user into sharing sensitive information or performing an action that benefits the hacker.

Some other popular social engineering attacks include:

The steps involved in carrying out a pretexting attack are similar to those used in a social engineering attack.

Step One: The first step involves gathering information about your target. Pretexting attacks won’t work if you don’t know who your target is. Conduct research by using techniques to gather open-source intelligence (OSINT) to learn as much about the target as possible.

Step Two: Before or after gathering reconnaissance, you’ll want to figure out how to weaponize your attack. In this phase, you’ll use or decide upon a weapon. Maybe you want them to click on a link, hand over sensitive information via phone calls, wire you money, or send over login credentials via a fake website.

Step Three: Next comes the execution. Now that you know how to manipulate the victim and the exploit you’ll use to get the desired action, it’s time to put it all together.

Common Pretexting in Cyber Security Scenarios

A pretexting definition in cyber security may seem a little abstract at this point, so let’s look at some more concrete and common pretexting scenarios within this context.

  • IRS impersonation: Someone claiming to be from the IRS calls to tell you that your personally identifiable information (PII) has been exposed in a hack. They want to help you out but will first need your address and social security number.
  • IT support impersonation: Once they know where you work, a hacker will call you, claiming to be part of IT support. They’ll tell you that your password has been compromised and you need to change it immediately. They’ll then ask for your current password to help facilitate the process.
  • Vendor impersonation: The marketing agency you work with lists its clients on its website. A hacker sees you’re a client of this marketing firm, decides to impersonate your vendor via email, and sends you a fake invoice.
  • Survey scam: Black hat hackers may impersonate researchers, students, clients, or vendors and send you a seemingly innocuous form asking for sensitive information. They may then collect it and use it to create a more custom social engineering attack.
  • Phishing attack: Phishing attempts often use pretexting to convince a victim to take a certain action. In this attack, you receive an email from PayPal claiming that your PayPal account has been charged $500. To dispute this charge, you need to click the link provided to log into your account. Once clicked, you’re sent to a PayPal-like page where you provide your login credentials to the hacker.

Goals of Pretexting

The goal of a pretexting scam is to have the victim carry out an action that benefits the attacker.

Hackers are after all types of information that can be used throughout the course of a larger social engineering hack. Pretexting is simply used to convince a target to do what the hacker wants them to, whether that means accessing malicious websites and links or handing over PII.

Some types of information hackers commonly target include:

  • Social security numbers
  • Name/address/birthday
  • Credit card numbers
  • Account and routing numbers
  • Login credentials (passwords, usernames, email addresses)
  • Trade secrets
  • Medical records

Pretexting Techniques

Let’s illustrate how this attack works by examining a real-life example of a pretexting scenario.

One incredibly elaborate scam that uses pretexting to gain the confidence of a victim is a pig-butchering scam.

Surely you’ve received a message recently from a stranger. This message may read something like:

“Hey, I forgot my bag at Gemma’s house, can you give it to me?” or “Hey, it was so nice meeting you at Rick’s, maybe we can get coffee this week?”

These opening messages are used as a pretext to draw you into the conversation. Naturally, if you receive messages like these, you want to reach out and help or at least respond by saying they have the wrong number.

This is exactly what the scammer wants.

From here, they’ll carefully build a relationship with you as they attempt to win over your confidence. ProPublica recently published a real exchange a victim from Connecticut had in 2020 with a scammer:

[12/28/20, 12:06 AM] SCAMMER J: Long time no see, how are you recently

[12/28/20, 10:10 AM] SCAMMER J: 🙈Are you not Kevin? Sorry, I guess I added the wrong person, sorry

[12/28/20, 10:16 AM] TARGET C: Not Kevin.

[12/28/20, 10:16 AM] SCAMMER J: Sorry, I made the wrong call. Since I have many business partners, my assistant saved the wrong number, please forgive me

[12/28/20, 10:17 AM] TARGET C: No prob. What country are you calling from?

[12/28/20, 10:17 AM] SCAMMER J: I come from Hong Kong. Hong Kong is a metropolis with technology, finance and food. Have you ever been here

[12/28/20, 10:18 AM] SCAMMER J: Acquaintance is fate, where are you from

[12/28/20, 10:18 AM] TARGET C: I’m from NYC originally

[12/28/20, 10:19 AM] SCAMMER J: Your place is a very beautiful place, I went there years ago

These scammers won’t strike immediately but will continue to form a relationship.

This scam is called a pig butchering scam because, just like a pig, the scammer fattens up their victim with trust until the opportune moment to strike presents itself.

After weeks or months of building a relationship, the scammer will begin to talk about investing—more often than not—in cryptocurrency. They’ll try to persuade the victim to sign up to a fake crypto site that the scammer controls and deposit money which they’ll ultimately steal.

But first, the scammer may alter the victim’s investment so that it appears as though the investment is working. This will convince them to deposit more money until the scammer takes the money and runs.

One man from California was persuaded to deposit $440,000 which he then quickly lost. Desperate to earn that money back, he then deposited $600,000 more, which the scammer subsequently stole as well.

This is a snippet of the conversation he had with the scammer that bamboozled him.

[11/18/21, 11:59:16 AM] TARGET Y: I lost all my money

[11/18/21, 11:59:18 AM] SCAMMER J: If the principal is not enough, it cannot be supported to the profit point.

[11/18/21, 11:59:34 AM] SCAMMER J: Don’t worry,

[11/18/21, 11:59:46 AM] TARGET Y: I am negative $480k

[11/18/21, 12:00:01 PM] SCAMMER J: Prepare the funds and earn them back.

[11/18/21, 12:00:12 PM] TARGET Y: I don’t have any money or funds to prepare

[11/18/21, 12:00:20 PM] TARGET Y: That’s all I have!!!!!!!!!!!!

In 2023, it was reported that victims around the world lost $75 billion from pig butchering scams.

You may think a ruse like the one above could never happen to you. However, cybercriminals are savvy professionals who use an array of psychological tricks when pretexting.

Here are some tricks they’ll use to convince you to take action:

  • Authority: Pretending to be a CEO to get information quickly.
  • Urgency: Creating a sense of urgency so the victim feels compelled to hand over sensitive information they wouldn’t otherwise.
  • Closeness: Quickly gaining the trust of the target by being cordial and building a bond.
  • Fear: Scaring the target into taking action by pretending to be the IRS and claiming their SS number has been stolen.
  • Social Proof: Claiming that everyone else has already taken an action that the attacker wants the victim to take, creating a sense that what they’re being asked to do is not only safe but that they’ll miss out if they don’t take action now.

In-Person Pretexting Example

Someone claiming to be from an IT support company shows up at the office. They bypass security by claiming to work with a trusted IT vendor and were called in to respond to an IT emergency. They then manage to gain access to this company’s physical hardware and use a USB Rubber Ducky to execute malicious software on the company’s computer.

Impact of Pretexting Attacks

The impacts of pretexting attacks will depend on the attack, and a personal pretexting attack only targeting you could lead to any number of issues.

If a pretexting attack is successfully carried out, your identity could be stolen, your computer could be hacked and used in a botnet, you might be the victim of ransomware, or any number of other issues could occur.

Of course, the impact of an attack is amplified if a major company is targeted.

In total, Americans lost $12.5 billion to cybercrime attacks in 2023. We have no way of knowing how much was lost in attacks where pretexting tactics were used, but most social engineering attacks use some form of pretexting to accomplish their goals.

To illustrate the impact a pretexting attack can have and just how easy they are to carry out, here’s a journalist who gets hacked while at DefCon:

Detecting and Defending Against Pretexting Attacks

Detecting a pretexting attack can be incredibly difficult.

Hackers can spoof phone numbers, use email addresses that appear legitimate, and even use AI to impersonate the voices of your co-workers.

Here are a few ways you might identify a pretexting attack:

  • You’re being asked for information you shouldn’t give out.
  • Your psychology is being played with in order to coax information out of you.
  • An email contains a wrong sender address or logo, faulty spelling, a suspicious link or attachment, or a nonsensical request.
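
The email indicators in the list above can be checked mechanically. The following is an added example, not code from the original article: a Python triage function that flags a display name claiming a brand from a foreign domain, a differing Reply-To, link text that shows one domain while the href points elsewhere, and pressure wording. The brand allow-list, the phrase lists and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand name seen in a display name -> the domain that brand really mails from.
KNOWN_BRANDS = {"paypal": "paypal.com"}
# Assumption: small phrase lists for two of the pressure tactics (urgency, fear).
PRESSURE = {"urgency": r"\b(urgent|immediately|asap)\b",
            "fear": r"\b(charged|compromised|stolen|suspended)\b"}
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.I)

# Constructed sample message, not a real email; the example.* hosts are placeholders.
SAMPLE = """\
From: "PayPal Support" <service@paypa1-billing.example.net>
Reply-To: refunds@mailbox.example.org
Subject: Urgent: your account has been charged $500
Content-Type: text/html

<p>Act immediately to dispute this charge.</p>
<a href="http://login.example.net/paypal">https://www.paypal.com/disputes</a>
"""

def host(value):
    """Host part of a URL or bare domain, or '' if the text is not domain-like."""
    m = DOMAINISH.match(value.strip())
    return m.group(1).lower() if m else ""

def same_site(h, domain):
    return h == domain or h.endswith("." + domain)

def pretext_indicators(raw):
    """Return indicator labels for one raw email (transfer encodings are not decoded)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    findings = [f"sender-mismatch:{b}" for b, d in KNOWN_BRANDS.items()
                if b in name.lower() and not same_site(from_dom, d)]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-differs")
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for href, label in LINK.findall(body):
        shown = host(label).removeprefix("www.")  # domain the reader sees
        if shown and not same_site(host(href), shown):
            findings.append("link-text-mismatch")
    text = f"{msg.get('Subject', '')} {body}"
    findings += [f"pressure:{k}" for k, rx in PRESSURE.items() if re.search(rx, text, re.I)]
    return findings

if __name__ == "__main__":
    print(pretext_indicators(SAMPLE))
```

An empty result does not prove the sender is genuine, so findings are best treated as a prompt to verify the request through a trusted channel.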

Even if you’re mindful of how to identify a social engineering pretexting attack, cybercriminals may still be able to spoof their way into impersonating someone you trust.

The best way to confirm someone’s identity is to contact them via a trusted source.

If you work in IT and just received a suspicious call or email from Joe in accounting, look up his email or phone number and contact him to ascertain whether it was he who actually contacted you.

The best possible way to prevent pretexting from occurring is to provide employees with security awareness training. While cyber security professionals are tasked with protecting a company, every employee can play a role in safeguarding a company’s sensitive data.

Pretexting in Ethical Hacking

Thus far, we’ve discussed pretexting in relation to hacking, but it’s also a tool that many ethical hackers use while Red Teaming.

Remember that ethical hackers working in Red Teams are employed to use the same tactics, techniques, and procedures (TTPs) as cybercriminals to find vulnerabilities in a company’s physical and digital security setups.

Social engineering tactics are often used by penetration testers to test a company’s digital security, and pretexting is a popular tactic ethical hackers use when conducting a penetration test.

While there are no pretexting-only cyber security positions, the closest thing would be a penetration tester.

To become a penetration tester, you’ll have to learn a number of technical hacking skills. While on the job, you may also develop and use social engineering skills such as pretexting.

To learn more about social engineering, we recommend reading the following books:

Even when you’re employed to carry out a social engineering attack, there are still lines you don’t want to cross. For instance, attacks should not shame the target, and certain sensitive data should not be dug up or used against targets.

Prior to carrying out a penetration test, you should go over the dos and don'ts with the client so both parties know what is considered fair game.

Conclusion

Pretexting is such a common tactic that it’s used in just about every social engineering hack.

A criminal will impersonate someone or quickly try to strike up a relationship before asking you to do something for them. They may be after sensitive information, such as your social security number or email address, or want you to deposit money into their account.

The best way to defend against such an attack is to train employees on how to spot them.

Hackers use an array of sophisticated tools, many powered by AI, to create more refined attacks. It’s vital that all employees—and not just those in IT or cyber security—learn how to identify and defend against these attacks.

To learn more about pretexting and social engineering attacks, we encourage you to join the StationX Accelerator Program.

Here, you’ll find over 1,000 courses and labs on a range of cyber security-related topics. You’ll also be welcomed into our community of cyber professionals, receive one-on-one mentorship, learn which career and certifications to pursue, and even join an accountability group.

  • Spencer Abel

    Spencer is part cyber security professional and part content writer. He specializes in helping those attempting to pivot into the vast and always-changing world of cyber security by making complex topics fun and palatable. Connect with him over at LinkedIn to stay up-to-date with his latest content.
