Pretexting is a form of social engineering in which an attacker creates a fabricated scenario, the “pretext”, to trick a victim into surrendering sensitive information or performing an action they would not normally take. Unlike a simple phishing email that might just ask you to “click here”, pretexting relies on building a believable narrative or persona to establish a false sense of trust.
How It Works
The attacker usually starts by gathering basic information about the target (OSINT) to make the story more convincing. They then contact the victim by phone, email, or even in person, posing as someone with a legitimate “need to know”, such as:
- An IT professional needing a password to fix a server error.
- A bank auditor verifying suspicious transactions.
- A colleague from a different department asking for a specific client file for an urgent meeting.
- A delivery driver needing a door code to drop off a package.

Key Characteristics of Pretexting
- Persona: The attacker assumes a role that carries authority or a specific responsibility.
- Hook: They present a situation that requires immediate attention or seems perfectly routine.
- Data Grab: The goal is usually to obtain Social Security numbers, bank records, private account credentials, or proprietary corporate data. Sometimes the first request is only a stepping stone: a door code or an employee ID gathered in one call becomes the “proof” that makes the next pretext convincing.
Difference Between Pretexting and Phishing
While often used together, they differ in their approach:

| | Phishing | Pretexting |
|---|---|---|
| Primary Tool | Mass emails/links | Narrative and character work |
| Focus | Fear or urgency (e.g., “Account suspended!”) | Trust and logic (e.g., “I’m doing a routine audit.”) |
| Complexity | Usually automated/broad | Often manual and highly targeted |

Why It Is Effective
Pretexting exploits human psychology, specifically our tendency to be helpful and our habit of complying with perceived authority figures. Because the attacker often provides a small piece of “proof” (such as knowing your boss’s name or your employee ID), the victim’s natural defenses are lowered. The catch is that such details are exactly what the OSINT step is designed to collect, so they prove nothing about who is actually calling. The practical defense is to treat them as no evidence of identity and to verify any unusual request through an independent, known-good channel, such as calling the person back on a number you already have.