BlogScams26TH OCT 2023
AuthorSamir Yawar
6 min read

Pretexting: Why You Need to Avoid this Social Engineering Scam

a feature image about pretexting
BlogScams26TH OCT 2023
6 min read

Pretexting: Why You Need to Avoid this Social Engineering Scam

AuthorSamir Yawar
a feature image about pretexting

Pretexting, the art of creating fake stories to lure victims into divulging sensitive information, has more than doubled in 2023. This social engineering scam typically involves you getting an email, text, or social media message from someone claiming to be your client, boss, or even family. The scammer then uses psychological techniques to compel you into taking an action i.e. clicking on a malware-laden link or sharing your password.

Why is pretexting so dangerous? 

It targets the weakest link in any organization: the workforce. It can be you, your boss, or any of the people you work with.

It’s not all doom and gloom though. And there are remedies to address this alarming cyber threat from penetrating your company’s defenses.

Explaining Pretexting: Know thy enemy

What is pretexting and how does it work?

A pretexting attack usually involves three main components:

Security engineer Gavin Watson describes pretexting in his book Social Engineering Penetration Testing as:

"The key part ... [is] the creation of a scenario, which is the pretext used to engage the victim. The pretext sets the scene for the attack along with the characters and the plot. It is the foundation on which many other techniques are performed to achieve the overall objectives."

Watson outlines two main elements that are part of these social engineering attacks:

  • A character played by the scammer.

  • A plausible scenario laid out for the target to give up their information.

We're going to outline two examples that involve both the scammer's character as well as a plausible scenario used to trick people into leaving their guard down.

How it happens in real life:

How it happens online:

Pretexting Attack Types

These techniques exploit human psychology, trust, and vulnerabilities to manipulate individuals into divulging information or performing actions that benefit the attackers.

Awareness and skepticism are crucial in mitigating the risks associated with pretexting attacks.

Pretexting can take various forms, and scammers employ different tactics to deceive individuals into revealing sensitive information or performing certain actions. Most pretexting attacks can be categorized into:

  • Impersonation: Attackers assume false identities, such as pretending to be a trusted individual or a representative of a legitimate organization. They deceive victims into revealing sensitive information or performing actions they normally wouldn't.

  • Piggybacking: The attacker requests entry to a secured area by convincing an authorized individual to let them in. They exploit the person's kindness or lack of suspicion.

  • Baiting: Attackers lure victims with enticing offers like free downloads or giveaways. They trick their targets into clicking on malicious links or downloading malware-infected files. The result: compromising their devices or stealing their information.

  • Phishing: This technique involves sending fraudulent emails or messages that appear to be from reputable sources, such as banks or service providers. It tricks recipients into revealing personal information, login credentials, or initiating financial transactions.

  • Vishing: Vishing, or voice phishing, occurs when attackers use phone calls to impersonate legitimate entities, such as banks or government agencies. It deceives victims into revealing sensitive information or performing actions over the phone.

  • Smishing: Smishing refers to phishing attacks conducted through SMS or text messages. Attackers send text messages that appear to be from legitimate sources. This attack tricks recipients into clicking on malicious links or divulging sensitive information.

  • Scareware: Scareware displays false security alerts or pop-ups on victims' devices, typically claiming their system is infected with malware. The intention is to scare them into purchasing fake security software or providing personal information to resolve the issue.

Pretexting scams continue to grow sophisticated

Here are some common ways scammers can trick you:

Have any pretext-based phishing attacks occurred recently?

Quite a lot of them.

Hackers have succeeded in impersonating people who might call you up out of the blue and demand the most sensitive information.

Just last year, these pretexting scams made headlines:

Is Pretexting illegal?

In the United States, pretexting is generally illegal. The Gramm-Leach-Billey Act of 1999 (GLBA) makes it “illegal for any individual to attempt to obtain, actually obtain, or cause an employee to disclose customer information by deception or false pretenses.”

Another piece of legislation, the Telephone Records and Privacy Protection Act of 2006, requires that telecom companies keep records to protect against pretexting scams.

Preventing pretexting

Organizations should follow these guidelines to stay one step ahead of social engineering attempts:

  • Be skeptical and verify: Always question requests for personal information or actions that seem suspicious. Independently verify the identity of individuals or organizations through trusted channels before sharing sensitive data.

  • Strengthen privacy settings: Regularly review and update privacy settings on social media platforms to limit the amount of personal information available to potential attackers. Be cautious about sharing sensitive details online.

  • Educate yourself and your team: Stay informed about common pretexting tactics and warning signs. Provide comprehensive training to employees on identifying and responding to social engineering attempts.

  • Implement strong security measures: Utilize strong passwords, enable two-factor authentication (2FA) whenever possible, and ensure that your devices and software are up to date with the latest security patches.

  • Conduct security assessments: Regularly assess and evaluate the security measures in place within your organization. Engage professionals to conduct security audits and penetration testing to identify and address vulnerabilities proactively.

  • Foster a culture of cybersecurity awareness: Encourage a culture of vigilance and open communication regarding potential threats. Promote reporting suspicious activities or attempts to relevant authorities or your organization's security team.


We've learned how pretexting is a cunning and manipulative social engineering scam that relies on the power of deception and impersonation. This technique involves crafting false scenarios or identities to access sensitive information or resources. Whether in person, over the phone, or online, pretexting can be used to exploit human trust and empathy for malicious purposes. But with a cybersecurity awareness training program, you can minimize the risk it poses to you and your workplace.

Resources to combat pretexting scams

Most pretexting attempts can be nipped in the bud by following a few rules:

A checklist of things to do to avoid pretexting scams

Samir Yawar
Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir
FAQsFrequently Asked Questions
Pretexting is a social engineering technique where attackers deceive individuals by assuming false identities or scenarios to manipulate them into revealing sensitive information or granting unauthorized access.
Pretexters gather information about their targets, build trust through persuasive techniques, and create plausible scenarios to trick victims into sharing confidential data or performing actions that benefit the attacker.
Look out for unusual requests for personal information, unexpected urgency, inconsistencies in the story or identity of the person contacting you, or requests for bypassing standard security measures.
Stay vigilant by verifying the identity of individuals before sharing personal information or performing requested actions. Regularly update privacy settings on social media, be cautious about what you share online, and educate yourself about common pretexting tactics.
If you believe you've been targeted or have unknowingly shared sensitive information, immediately change passwords, notify relevant authorities or your organization's security team, and closely monitor your accounts for any suspicious activity.