What is pretexting? Definition, examples, and attacks

Pretexting definition

Pretextingis form of social engineering in which an attacker fabricates a story to convince a victim to give up valuable information or access to a service or system. The distinguishing feature of a pretexting attack is that the scammer comes up with a story — or pretext— to fool the victim. The pretext generally aims to cast the attacker as someone in a position of authority who has the right to access the information sought, or who can use the information to help the victim.

Pretexting has a long history; tabloid journalists for years have used pretexting in the UK, where it’s also known as blagging, to get access to dirt on celebrities and politicians. But today, pretexting is commonly used to target private individuals and companies to get access to financial accounts and private data. To achieve their ends, pretexters will use any form of communication, including emails, texts, and voice calls.

Anatomy of a pretexting attack

In Social Engineering Penetration Testing, security engineer Gavin Watson lays out the techniques that underlie every act of pretexting: “The key part … [is] the creation of a scenario, which is the pretext used to engage the victim. The pretext sets the scene for the attack along with the characters and the plot. It is the foundation on which many other techniques are performed to achieve the overall objectives.”

There are two main elements to a pretext: a character, played by the scam artist; and a plausible situation, in which the character needs or has a right to specific information.

For instance, because errors can arise with automatic payment systems, it’s plausible that a recurring bill payment we’ve set up might mysteriously fail, prompting the company we owe to reach out as a result. An attacker taking on the character of a helpful customer service rep reaching out to help us fix the error might ask for bank or credit card information as the scenario plays out to gain the information necessary to steal money from our accounts.

How pretexting works

The key to pretexting success is ensuring the victim believes the attacker is who they say they are. It’s not enough for the victim to find the character and scenario plausible; they must trust the attacker actually is, for example, a customer service rep from their cable company.

To do so, pretext attackers must:

1. Conduct research on their targeted victims, gathering information that could be leveraged in their scenario. For example, an attacker might go through someone’s garbage to obtain their cable bill to know the name of their cable provider and their account number when calling their intended victim to make their character and scenario more believable.
2. Develop a scenario that is not only plausible but also tailored to their intended victim, crafting it in a way that justifies their need for the information they seek.
3. Build trust with their targeted victim while establishing authority to receive the targeted information. This is where the confidence game is played out, building rapport and using psychological tactics to encourage intended victims to let down their guards and go along with the mapped-out scenario.
4. Execute the request once they are confident their intended victim will pass along the sensitive data or enable the access that they seek, without incurring suspicion.
5. Collect the goods by leveraging the data or access obtained from the victim, whether this involves completing a simple transaction or launching another series of attacks privileged by the information or access achieved via pretexting.

Calling further attention to the first step, the more specific the information a pretexter knows about you before they get in touch with you, the more valuable the information they can convince you to give up. That’s why careful research is foundational for pretexters, who have a wealth of efficient research techniques available to them, including so-called “open source intelligence” — information that can be pieced together from publicly available information, ranging from government records to LinkedIn profiles. Gigabytes of personally identifying data is also available on the dark web due to innumerable data breaches. This data can be purchased at relatively low prices to serve as a skeleton for pretexting scenarios.

Pretexters can also add plausibility to their scenarios using other techniques. For instance, they can spoof the phone number or email domain name of the institution they’re impersonating to make themselves seem legit.

Pretexting examples

One of the first ways pretexting came to the world’s notice was through a series of scandals involving British tabloids in the mid-2000s. These papers, desperate for even minor scoops on celebrities and royals, used various techniques to snoop on victims’ voicemail. In some cases, this involved dumpster diving, testing to see whether victims employed default voicemail PINs (a surprising number did), and bluffing phone company customer service reps to allow access to voicemail boxes.

Many Americans’ first introduction to pretexting came in 2006, when internal strife at Hewlett-Packard boiled over into open scandal. HP’s management hired private investigators to find out whether board members had leaked information to the press. In doing so, the PIs impersonated those board members, in some cases using their Social Security numbers, which HP had provided, to trick phone companies into handing over call records. The whole thing ended with HP’s chairwoman Patricia Dunn resigning in disgrace and criminal charges being filed.

Outside the celebrity and corporate realm, the KnowBe4 blog gives a great example of how a pretexting scammer managed to defeat two-factor authentication to hack into a victim’s bank account. The victim was supposed to confirm with a six-digit code, texted to him by his bank, if he ever tried to reset his username and password; the scammers called him while they were resetting this information, pretending to be his bank confirming unusual charges, and asked him to read the codes that the bank was sending him, claiming they needed them to confirm his identity. With those codes in hand, they were able to easily hack into his account.

Pretexters are more likely to target companies than individuals, because companies generally have larger bank accounts. It’s hard to find details of successful attacks, as companies aren’t likely to admit they’ve been scammed. VTRAC’s Chris Tappin and Simon Ezard, writing for CSO Australia, describe a pretexting technique they call the Spiked Punch, in which the scammers impersonate a vendor that a company sends payments to regularly. Using information gleaned from public sources and social media profiles, they can convince accounts payable personnel at the target company to change the bank account information for vendors in their files, and manage to snag quite a bit of cash before anyone realizes.

In another example, Ubiquiti Networks, a manufacturer of networking equipment, lost nearly $40 million dollars due to an impersonation scam. The pretexters sent messages to Ubiquiti employees pretending to be corporate executives and requested millions of dollars be sent to various bank accounts; one of the techniques used was “lookalike URLs” — the scammers had registered a URL that was only one letter different from Ubiquiti’s and sent their emails from that domain.

Pretexting and phishing

Spoofing an email address is a key part of phishing, and many phishing attempts are built around pretexting scenarios; for instance, an attacker could email an HR rep with attached malware designed look like a job-seeker’s resume. The targeted variety of phishing, known as spear phishing, which aims to snare a specific high-value victim, generally leads to a pretexting attack, in which a high-level executive is tricked into believing that they’re communicating with someone else in the company or at a partner company, with the ultimate goal being to convince the victim to make a large transfer of money. (Deepfakes are starting to be seen used in this capacity.)

Pretexting is also a key part of vishing — a portmanteau of “voice” and “phishing” that involves, in essence, phishing over the phone. Many pretexters get their victim’s phone number as part of an aforementioned online collection of personally identifying information and use the rest of the victim’s data to weave the plausible scenario that will help them reach their goal (generally, a crucial password or financial account number).

Tailgating attack

Often lumped under the heading pretexting, tailgating is a common technique for getting through a locked door by simply following someone who can open it inside before it closes. It can be considered pretexting because the tailgater often adopts a persona that encourages the person with the key to let them into the building — for instance, by wearing a jumpsuit and claiming they’re there to fix the plumbing, or by carrying a pizza box they say must be delivered to another floor. Like many social engineering techniques, this one relies on people’s innate desire to be helpful or friendly; as long as there’s some seemingly good reason to let someone in, people tend to do it rather than confront the tailgater.

Pretexting law 

Pretexting is, by and large, illegal in the United States. For financial institutions covered by the Gramm-Leach-Bliley Act of 1999 (GLBA) — which is to say just about all financial institutions — it’s illegal for any person to obtain or attempt to obtain, to attempt to disclose or cause to disclose, customer information of a financial institution by false pretenses or deception. GLBA-regulated institutions are also required to put standards in place to educate their own staff to recognize pretexting attempts.

One thing the HP scandal revealed, however, was that it wasn’t clear if it was illegal to use pretexting to gain non-financial information — remember, HP was going after their directors’ phone records, not their money. Prosecutors had to pick and choose among laws to file charges under, some of which weren’t tailored with this kind of scenario in mind. In the wake of the scandal, Congress quickly passed the Telephone Records and Privacy Protection Act of 2006, which extended protection to records held by telecom companies. 

How to prevent pretexting 

One of the best ways to prevent pretexting is to simply be aware that it’s a possibility, and that techniques like email or phone spoofing can make it unclear who’s reaching out to contact you. Any security awareness training at the corporate level should include information on pretexting scams. (As noted, if your company is an American financial institution, these kinds of trainings are required by law.) And to avoid situations like Ubiquiti’s, there should be strong internal checks and balances when it comes to large money transfers, with multiple executives needing to be consulted to sign off of them.

On a personal level, it’s important to be particularly wary whenever anyone who has initiated contact with you begins asking for personal information. Remember, your bank already knows everything it needs to know about you — they shouldn’t need you to tell them your account number. If you’re suspicious about a conversation with an institution, hang up and call their publicly available phone number or write to an email address from their website.

Finally, if a pizza guy tries to follow you inside your office building, tell them to call the person who ordered it to let them in. Don’t worry: if they’re legit, they’ve got a special box that will keep the pizza warm for the few extra minutes it’ll take to deliver it.