Pretexting in cyber security is commonly used but not widely known. When employees don’t know what pretexting is – or how convincing it can be – it makes them more vulnerable to the tricks of a cyber criminal.

By teaching your team members the definition, applications, and examples of pretexting, they’ll be prepared to identify pretexting in any situation and stop a scam before it goes too far. In this blog, we’ll be covering all of these topics and sharing examples along the way. Let’s get into it: 

What is pretexting in cyber security?

Pretexting is a social engineering technique where an attacker creates a fake scenario to deceive an individual into providing confidential information. Unlike other forms of phishing that often rely on fear or urgency, pretexting takes longer and involves building trust with the target. The attacker typically pretends to be someone in a position of authority or someone the target knows, such as a co-worker, a bank representative, or a government official.


The goal of pretexting is to gather information that can be used to access systems, steal identities, or commit fraud. This information can include passwords, social security numbers, bank account details, or other personal data.

For example, when you get a fake call from the CRA saying you need to pay a fee, the scammer may recite the last few digits of your SIN. The scammer pretending to be a CRA agent, and backing up that story with your phone number, SIN, and any other information they have gathered, is “pretexting”. They hope that by creating a believable story, you’ll give them information they can sell on the black market or use to access your financial accounts.

Applications of pretexting

When will you see the term “pretexting”?

As a non-security professional you’ll rarely see the term “pretexting”. It may come up in your security awareness training, but most importantly, knowing what pretexting is can help you recognize when it is happening to you.

When will pretexting be used against you?

Pretexting will be used by a cyber criminal in any social engineering scenario. When you receive a phone call, see someone you don’t recognize at the office, or get texts from a brand, you could be experiencing pretexting.

How to spot pretexting

Now that you understand what pretexting is, let’s learn how to spot it before the cyber criminal can get to your personal information. Here are some key red flags that could mean you are being targeted with pretexting:

  1. They contact you. The CRA, Amazon, or Secret Services will rarely call you first. If you think the call is legit, tell the caller you are going to hang up and call back. Their reaction should be a great tell. If they are a scammer, they will try to convince you to stay on the line. If they are a real customer service agent, they should understand and allow you to hang up, find the real number by doing your own research, and call them back. 
  2. Unexpected asks. Stay on guard for calls, in-person requests, or texts asking for information you weren’t expecting to share. Ask yourself whether you have spoken to this person before and verified their trustworthiness. Did you know this person would be calling and asking you for this information?
  3. Pressure tactics. Beware of any company representative who pressures you to give information or stay on the call. They will likely play on fear, urgency, and uncertainty to trick you into giving information.
  4. Verification failure. Verify the caller yourself. While the caller is speaking, ask for their name and search LinkedIn or the company’s website to see if they are a real person. Beware, though: scammers are learning of this verification technique and are starting to make fake LinkedIn profiles. Use this check along with the other listed red flags to spot pretexting.

Real life case

One of the most famous cases that serves as an example of pretexting is the MGM attack from 2023. The cyber attack led to week-long issues for room keys and virtual gambling machines, completely disrupting the operations of the entertainment giant. 

The attack reportedly began after a cyber criminal found information about an employee on LinkedIn and called the help desk, using that information to impersonate the employee. The attacker gave enough information and built enough trust (pretexting) to convince the help desk employee to give them access to an account. They used this access to deploy ransomware and demand a ransom.

Other terms 

  • Social engineering: Manipulating or deceiving a victim to trick them into giving information or access to a network
  • Phishing: An attempt to steal information by using emails or text messages that pretend to be a reputable source 
  • Security awareness: The knowledge and attitude members of an organization have towards their cyber security 
  • Baiting: Enticing victims with a promise of something they want, such as free software or a gift, to get them to provide information or download malware.

Pretexting is a sophisticated and manipulative tactic used by cybercriminals to gain access to sensitive information. By understanding what pretexting is, where it is likely to occur, and how to recognize the signs, you can better protect yourself and your organization from falling victim to these deceptive schemes. Stay informed about related terms and always practice caution when dealing with unsolicited requests for information. Awareness and vigilance are your best defences against pretexting and other forms of social engineering attacks.