What is pretexting?

Kamile Viezelyte
Cybersecurity Content Writer

Imagine opening your inbox to find an urgent demand to pay a utility bill, or else you’ll end up in legal trouble. The sender seems reputable, and the panic starts to seep in—am I in trouble? In reality, this email is part of a scheme known as pretexting. Today, we’ll talk about pretexting scams, how they work, and how to avoid becoming their next victim.

Pretexting and social engineering

Pretexting is a type of social engineering attack—a tactic used by cybercriminals to psychologically manipulate their targets into giving up login credentials, banking information, or other sensitive data, often without realizing it. Pretexting specifically requires hackers to create a pretext (as implied by the name) to lure the information out of the target.

The psychology of pretexting is twofold. The perpetrator needs to simultaneously create a feeling of trust, which is achieved by pretending to be an authoritative figure, and build a sense of urgency by creating a high-pressure environment for the target. The goals are typically to extract sensitive information, obtain payment details to make fraudulent payments, or gain unauthorized access to important accounts.

To be truly effective, pretexting campaigns often borrow a few tricks from spear phishing—a more personalized approach that targets a specific individual or group using identifiable details. Hackers may pretend to be migration office workers contacting foreign students for urgent updates, tax institutions seeking out undeclared earnings, or gas companies going after unpaid bills. Scams involving pretend relatives asking for money following an emergency are also common.

Although pretexting is effective against individuals, it’s often used to target organizations and create a passageway into their networks. Dodgy HR emails, requests from higher-ups coming from emails that don’t have the company’s domain, or even unsolicited external service offerings can all be used as a pretext to obtain employee or client data.

How does pretexting work?

There are different tactics and approaches that a pretexting attack can involve. Primarily, they fall into two categories:

  • Remote

  • Face-to-face

Remote pretexting is the easiest method. In this scenario, the attacker reaches out to the target, usually by calling or emailing them. Once they’ve made contact, they can pretend to be someone the victim will naturally trust. If the pretext is convincing enough, the attacker can extract useful information about either the target or the company they work for.

Face-to-face is a high-risk approach for the attacker, but it’s not unheard of. Unlike the remote version, a face-to-face pretext is built in person, using a persuasive disguise and cover story. A malicious actor can get into an office or a household by wearing a fake uniform and convincing people of their authenticity in person. Posing as a repairman or a courier, the attacker can bypass security restrictions without raising too many eyebrows.

Businesses are particularly vulnerable to these attacks. If the pretexting is successful, the perpetrator can coax login details for company accounts or emails out of an employee. Then, they can launch further operations using these compromised accounts.

All social engineering attacks are quite similar. They leverage trust to trick the potential victim into giving up valuable information to fraudsters. However, all such attacks have their nuances. Here are some examples of social engineering attacks akin to pretexting.

Tailgating

Tailgating is a type of social engineering attack in which fraudsters pose as someone else to gain physical access to restricted areas where they can obtain valuable information. They usually attempt to follow an employee through a secured door, hence the name. Tailgating attacks can be extremely devastating for businesses. For instance, bad actors might impersonate food delivery personnel to bypass regular security and gain access to the servers or unlocked devices containing sensitive information.

Phishing

Phishing is one of the most common types of social engineering attacks. The idea behind phishing is to leverage the name of a well-known entity to get someone to reveal their sensitive information, such as passwords and usernames. Usually, phishing attacks are carried out over email, when hackers craft fake email messages that resemble a famous brand to fool unsuspecting users.

Vishing and smishing

Vishing, which means voice phishing, is a social engineering attack that uses phone services to trick people into giving up valuable information. A classic example would be a fraudster calling up their victim and pretending to be a bank representative to gain access to their account.

Smishing is a form of phishing carried out over SMS messages. Essentially, smishing follows the same approach and techniques as phishing attacks—the only major difference is the medium over which the attack is carried out.

Scareware

Scareware is a type of software designed to intimidate and scare the victim. It floods the user with a variety of false warnings and error messages. In most instances, messages prompted by scareware include download links and falsely claim that the user needs a specific piece of software to clean up their device. Unfortunately, those download links usually lead to malware, often designed to steal private data.

Whaling

A whaling attack, also called CEO fraud, is very similar in its approach to a phishing attack. It employs all the same ideas but targets bigger fish, usually in the corporate sea. The targets tend to be high-ranking employees within a company who receive emails supposedly from a CEO or someone equally senior. The goal is to lure out sensitive information.

All these attacks, like pretexting itself, have one thing in common: the exploitation of users’ trust. In most cases, that is done through impersonation tactics, which can be quite hard to spot for an untrained eye.

Pretexting examples

Just like social engineering attacks in general, pretexting comes in many shapes and sizes. Some tactics only focus on individuals, while others are tailored to specific businesses. Here are some of the common pretexting scenarios used against organizations.

Account update scams

If you’ve ever received a suspicious email asking you to log in to your account to update sensitive information, you’ve likely encountered an account update scam. These pretexting attacks see hackers pretending to represent a company or a website and asking their victims to confirm personal data related to a payment or a bill. Once the user opens the link and inputs their password or banking details, the hackers can see this information and use it nefariously.

Business email compromise (BEC) scams

BEC attacks pose a significant risk to companies, as they exploit employee trust and human error in sensitive data management. The scammers use sophisticated methods, like spoof emails and even AI-generated imagery, to successfully execute business email compromise scams.

They pretend to be high-ranking employees, going as far as the C-level, and message their “colleagues” asking to urgently make a payment or send login credentials. This allows cybercriminals to access the organization’s sensitive data from the inside.
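As an added example (not from the original article), here is a small Python triage function that applies the checks just described to one raw email: a known executive’s display name on an address outside the company domain, a Reply-To that redirects the conversation elsewhere, and urgency language. The company domain, the executive directory and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for illustration: the organisation's own domain and the executives
# a BEC lure typically impersonates (hypothetical names and addresses).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Pressure phrases that make up the "urgency" half of a pretext.
URGENCY_WORDS = ("urgent", "immediately", "right away", "asap", "today", "wire")

# Constructed sample: an executive impersonation with a look-alike domain.
SAMPLE_LURE = """\
From: Jane Doe <jane.doe@example-corp-billing.net>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today

I am in a meeting and cannot talk. Please process the attached invoice right away.
"""

# Constructed sample: a routine internal message from the real address.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 planning notes

Notes from the planning session are attached for review next week.
"""


def triage_message(raw: str) -> list:
    """Return the list of pretexting/BEC indicators found in one raw email."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # A known executive's display name on an address that is not their directory address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' does not match directory address {expected}")
    if from_domain and from_domain != COMPANY_DOMAIN:
        flags.append(f"sender domain '{from_domain}' is not the company domain")
    # A Reply-To that differs from From silently moves replies to the attacker's mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr.lower():
        flags.append(f"Reply-To '{reply_to}' differs from From address")
    # Scan subject and body for pressure language.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode(errors="replace")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags
```

Any non-empty result is a cue to verify the request out of band, by calling the person at a number already on file rather than replying to the message.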

Cryptocurrency scams

Cryptocurrency scams are primarily fueled by financial motivation. Scammers can use a number of methods to trick their targets out of their assets. One common method is a “rug pull,” where scammers build trust by presenting a legitimate-looking project, only to delete everything after they’ve received investors’ money. Other scams involve seemingly legitimate trades of non-fungible tokens (NFTs) that actually contain malware designed to take over the target’s digital wallet.

Grandparent scams

Grandparent scams target the elderly, who may not be as aware of digital threats. The scammer pretends to be a close family member, often a grandchild (hence the name), who got into an incident and now urgently requires money. Grandparent scams are often conducted over the phone using AI-generated voice messages or a simple SMS. However, they can also be executed via email.

IRS/Government scams

Scams where the perpetrators pretend to be the IRS or a governmental organization are perhaps the most common examples where pretexting is involved. The script follows a similar pattern each time: the target is contacted by someone claiming to be the IRS, who says that some taxes went unpaid. The target is urged to make a payment to a specific account urgently to avoid a criminal record. In reality, it’s the scammers who receive the money. Variations of this scam include having to pay immigration or visa fees, an overdue mortgage payment, or a speeding ticket.

Tech support scams

Pretexting can be valuable for hackers who aim to overtake a device or a whole network in an organization. They reach out to their potential victims pretending to be tech support who noted an issue with the hardware or software. They may ask the target to install remote control software on their device to grant access, or simply request key login credentials to access a program or an account. From there, the scammers can wreak havoc on the device or the user’s accounts.

How to prevent pretexting

  • Check the pretext

The biggest weakness of pretexting is the fact that attackers usually have to rely on a recognizable company name. This means that an employee can contact the business the perpetrator claims to work for and check their legitimacy. As part of best practice, employees should always attempt to double-check the pretext.

  • Always ask for ID in a face-to-face situation

If someone is attempting to enter an office or gain information face to face, always ask for an ID. A uniform or courier’s outfit can be faked, but an ID is often harder to fake. Combined with the checking step, this should help weed out any malicious actors and keep your office space secure.

  • Raise awareness among employees

The company’s employees are the first line of defense when combating security threats. They’re also the biggest vulnerability, especially if they don’t follow the right account management practices. It’s imperative that employees are aware of security protocols and best practices, and that they use cybersecurity software on their work devices.

Using tools like business password managers helps maintain a high standard of password compliance and sharing in your organization. It builds a sense of both individual and shared responsibility. A password manager like NordPass lets you set up centralized, company-wide password requirements, such as length, complexity, and frequency of password changes. It also offers an easy and safe way to share credentials over an encrypted channel, eliminating the habit of sharing sensitive data over email or text messages, which often opens the door to pretexting.

By establishing a security standard in your organization, you can ensure your employees feel comfortable double-checking when in doubt and spot scam attempts more easily. Such measures can go a long way toward repelling pretexting attacks.
