Pretexting is a form of social engineering in which an attacker gets access to information, a system or a service through deceptive means. The attacker will present a false scenario — or pretext — to gain the victim’s trust and may pretend to be an experienced investor, HR representative, IT specialist or other seemingly legitimate source. This attack is not limited to online — it can take place through other forms of communication, including in person.

Learn More

With cyber criminals devising ever-more manipulative methods for tricking people and employees, organizations must stay ahead of the game. Read about more social engineering attacks here:

10 Types of Social Engineering Attacks

How does Pretexting work?

Attackers use a variety of methods to gain the trust of unsuspecting victims so they divulge sensitive information. Pretexting plays on a victim’s emotions by utilizing a sense of urgency, offering a deal that is too good to be true or trying to gain sympathy to scam a victim. Common techniques include baiting, phishing, piggybacking, scareware, tailgating and vishing/smishing.

Pretexting Techniques

Phishing: Phishing attacks involve impersonating a person or organization through email with the objective of stealing information. Many phishing attacks are built on pretexting; for example, an email can be sent to a high-level executive claiming to be someone within the organization. The email will include an attachment with malware, which when opened can affect the whole system.

Vishing/smishing: Vishing, or voice phishing, utilizes phone calls to con a victim into giving up sensitive information. Smishing is similar but utilizes SMS or text messages to target individuals.  A common vishing attack targets older individuals and seems to be coming from an IRS official or Social Security representative who needs personal information.

Baiting: A baiting attempt can use an attractive promise to gain the victim’s trust and spread malware or steal confidential information. This technique can involve an enticing attachment that contains malware, but it is most commonly carried out through physical media. One common scheme is to leave a flash drive with the company logo on the company property, so that an employee will think it's legitimate and plug it into a computer. This, in turn, deploys malware into the system.

Piggybacking: Piggybacking is used to gain physical access to a facility by following an authorized individual into a controlled area. An attacker might linger at the entrance of a building claiming to have lost their access badge. An authorized individual may unsuspectedly  then allow the attacker access to the facility.

Scareware: Scareware is an elaborate pretext that claims to have detected a virus or another issue in a system and tells the victim to install what seems to be antivirus or other protection but is actually malware.

Tailgating: Similar to piggybacking, tailgating is an attempt to gain physical access to a facility. Unlike piggybacking, the attacker goes undetected by the authorized individual. An attacker may closely follow the authorized person and catch a door before it completely closes. The victim is completely unaware that an unauthorized person used them to gain access to the facility.

Examples of Common Pretexting Attacks

There are several common pretexting attacks that individuals need to be aware of to not fall victim.

Cryptocurrency scams:

This scam is often seen on professional networking platforms. An attacker might message a victim posing as an expert investor with an opportunity to “get rich quick.” The attacker may even create a website that seems legitimate and could include fake reviews to gain the victim’s trust. If the victim sends money and then tries to withdraw any, the attacker will say this cannot happen because of taxes, additional fees or a minimum account balance that hasn’t been met.

Impersonation scams:

To gain the victim’s trust, an attacker might try to pose as someone the victim knows. This can be someone at the same organization or a friend on social media. An example of a message a victim might receive is “Hi, this is tech support from your organization, we need to confirm your account information.” The victim is more trusting, especially if the attacker poses as a legitimate person in the organization, such as the CEO with an “urgent request.”

Romance scams:

Similar to the cryptocurrency scam, romance scammers will try to convince the victim to invest into something using cryptocurrency. Instead of the pretext involving an expert investor, the scammer will gain the victim's trust by pretending to be interested in the victim romantically. The attacker may then mention an investment opportunity and encourage the victim to send large sums — but of course they never see a return.

How to Identify and Detect Pretexting Attacks

Training employees on detecting and being aware of potential pretexting attacks and common characteristics helps them identify potentially abnormal requests. Organizations can also establish policies for financial transactions and validating credentials. For example, verification of personal or confidential information must be done in person or through video chat and never through text or email. This measure can prevent pretexting attempts that impersonate company individuals.

How to Prevent Pretexting

There are several measures an organization can put in place to help prevent employees from falling victim to a pretexting scam.

Tip 1. Encourage employees to be constantly aware and report anything that they think could be malicious, even if it turns out to be legitimate.

Regularly reminding employees to report any suspicious communication and encouraging anyone to speak up can keep your workforce vigilant and stop a pretexting attack early. Constantly having employees aware of potential phishing is crucial.

Tip 2. Provide regular training on how to spot suspicious activity like a spoofed domain.

Encourage employees to check the domain of a website link or email to verify that communication is coming from the person it seems to be coming from and is not directing to a spoofed domain. Other tips are to examine the URL to make sure it’s legitimate, never open an attachment or use a USB drive from an unknown source, and make sure a website has a SSL (secure sockets layer) certificate.

Tip 3. Monitor the environment for malicious activity.

CrowdStrike Falcon® Insight™ endpoint detection and response (EDR) continuously monitors endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods alone. Proactive threat hunting ensures that organizations can stop attacks before they ever happen and protect sensitive company details.

Receive a phishing email? Here’s how to report it:

Users can’t prevent phishing attempts, but they can protect themselves and their organizations by  being vigilant at all times and reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: phishing-report@us-cert.gov.

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.