Pretexting
An attack technique in which the attacker invents an identity or scenario (the "pretext") to manipulate the victim into disclosing information or performing an action. It is the building block on which most social engineering attacks are constructed.
Pretexting is a social engineering technique in which the attacker constructs a credible backstory to gain the victim's trust. Unlike generic phishing emails, a pretext is tailored to the target and its context.
How Pretexting Works
A typical pretexting attack goes through four phases:
1. Reconnaissance (OSINT) The attacker gathers information about the target company and the target individual: LinkedIn profiles, company websites, press releases, organizational charts, job titles, names of supervisors and colleagues, and project names.
2. Pretext Development Based on the research, a credible role and situation are developed:
- IT support staff ("Your account has been locked; I need your password to unlock it")
- External auditor ("As part of our compliance audit, I need access to the financial reports")
- New colleague ("I started in accounting on Monday; could you quickly send me the list of suppliers?")
- Government official ("BSI Incident Response; we are investigating an incident in your infrastructure" - the BSI being the German Federal Office for Information Security)
3. Building rapport The attacker establishes credibility through details that only "insiders" would know: employee names, ongoing projects, technical jargon, internal abbreviations.
4. Execution Once trust has been established, the actual manipulation takes place: requesting credentials, getting the victim to open a malicious link, ordering a wire transfer, or having access granted.
Typical Pretexting Scenarios
CEO/CFO Fraud (BEC): The attacker impersonates the CEO and instructs the accounting department by email to process an urgent, confidential wire transfer. The pretext usually combines time pressure ("Must go out today"), secrecy ("Don't tell anyone yet"), and authority.
IT Support Impersonation: "Your login credentials expire today; I'll connect you directly to our system." A common help desk attack over the phone (vishing), typically aimed at a password reset or re-enrolling the attacker's device for MFA.
Vendor Fraud: Fake supplier invoices with altered bank details. The pretext: "We’ve changed our bank account information; please update your records."
Contractor Pretexting: "I’m from Facility Management; the camera in the server room needs to be replaced." Physical access to the data center.
Vishing (Phone): AI-generated voices can now convincingly imitate supervisors, and deepfake audio in video conferences is a real threat in 2024.
Pretexting in Professional Penetration Tests
As part of red team assessments and physical penetration tests, security professionals use pretexting to test access controls, employee awareness, and security processes. This is legal only because it is contractually agreed upon in advance: scope, rules of engagement, and a written authorization the tester can produce if challenged.
Typical red team scenarios:
- Fake IT support call asking the employee to confirm a password reset
- Posing as the cleaning service to gain access to the server room
- A supposed supplier entering the office with a forged access card
Important: Pretexting without authorization is a criminal offense—even if no data is obtained. Section 263 of the German Criminal Code (Fraud) and Section 269 of the German Criminal Code (Falsification of Evidence-Relevant Data) may be relevant.
Protective Measures
Procedural Controls:
- Mandatory callback for unknown callers requesting access credentials or wire transfers
- Dual-control principle for payments exceeding a threshold
- Verification protocol: Confirm requests via a second channel
Technical measures:
- DMARC with SPF/DKIM against email spoofing: blocks messages that forge your own domain in the From header, but does not stop lookalike domains (the attacker's own domain passes DMARC) or mail from a compromised legitimate account
- Caller ID is trivially spoofable and must be treated as untrusted; STIR/SHAKEN attestation helps where carriers support it, but the reliable control is a callback to a number from your own directory
- Mail filtering rules for known pretexting patterns: an executive's name in the display name on an external address, a Reply-To pointing to a different domain, lookalike domains, urgency and secrecy wording
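The BEC scenario above and the technical measures just listed meet in the mail filter: DMARC answers only "was this really sent from the domain in the From header?", so the pretexting indicators have to be checked separately. The following script is an added example (not code from the original page) that scores a raw message on exactly those indicators. ORG_DOMAIN, the EXECUTIVES table and the three sample messages are constructed assumptions; the lookalike message deliberately carries dmarc=pass, because the attacker controls that domain.

```python
"""Heuristic pretexting / BEC indicators for inbound mail (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # assumed: our own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed: name -> real mailbox
PRESSURE_WORDS = ("urgent", "today", "immediately", "confidential",
                  "do not tell", "don't tell", "wire", "transfer", "bank details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common homoglyph swaps so 'exarnple' compares equal to 'example'."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))


def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    """True for domains that imitate ours but are neither ours nor a subdomain."""
    domain = domain.lower()
    if domain == org or domain.endswith("." + org):
        return False
    return normalise(domain) == normalise(org) or levenshtein(domain, org) <= 2


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> dict:
    """Return {'score', 'findings', 'verdict'} for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    findings, score = [], 0

    # 1. DMARC result as recorded by our own MX in Authentication-Results.
    m = re.search(r"\bdmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    if not m:
        findings.append("no DMARC evaluation recorded"); score += 1
    elif m.group(1).lower() != "pass":
        findings.append(f"DMARC {m.group(1)} for {from_dom}"); score += 3

    # 2. Executive's name in the display name, but not their real mailbox.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' but sender is {addr}"); score += 3

    # 3. Lookalike domain; DMARC passes for it because the attacker owns it.
    if is_lookalike(from_dom):
        findings.append(f"lookalike domain {from_dom} vs {ORG_DOMAIN}"); score += 3

    # 4. Replies silently routed to another domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} differs from From domain"); score += 2

    # 5. Urgency / secrecy / payment wording, capped so wording alone never decides.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure wording: " + ", ".join(hits)); score += min(len(hits), 2)

    return {"score": score, "findings": findings,
            "verdict": "suspicious" if score >= 3 else "ok"}


# Constructed sample messages (not real traffic).
BEC_LOOKALIKE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: Jane Doe <ceo.office@example.net>
To: accounting@example.com
Subject: Urgent and confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dkim=pass header.d=exarnple.com; dmarc=pass header.from=exarnple.com

I am in a meeting and cannot talk. Please transfer EUR 48,500 to the attached account today. Do not tell anyone yet.
"""
LEGIT_URGENT = """\
From: Jane Doe <jane.doe@example.com>
To: accounting@example.com
Subject: Supplier payment
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Please process the transfer to Acme today, it was approved in the dual-control workflow.
"""
FREEMAIL_IMPERSONATION = """\
From: Jane Doe <jane.doe.ceo@example.net>
To: accounting@example.com
Subject: quick favour
Authentication-Results: mx.example.com; dmarc=pass header.from=example.net

Are you at your desk? I need you to handle something for me.
"""

if __name__ == "__main__":
    for label, raw in [("BEC lookalike", BEC_LOOKALIKE), ("legit urgent", LEGIT_URGENT),
                       ("freemail impersonation", FREEMAIL_IMPERSONATION)]:
        result = analyse(raw)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("   -", finding)
```

The scoring is deliberately conservative: the real CEO sending an urgent, legitimately approved transfer stays "ok" (pressure wording is capped at 2 points), while a display-name impersonation from an unrelated domain is enough on its own even though DMARC passes. In practice this runs after the MTA has written Authentication-Results, and a "suspicious" verdict should trigger the callback procedure, not an automatic reject.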
Training: Security awareness training with specific pretexting scenarios. Employees must learn: Authority and urgency are warning signs—not reasons to act quickly. Effective training establishes “saying no as a safe action.”
Pretexting vs. Phishing vs. Social Engineering
| | Pretexting | Phishing | Social Engineering |
|---|---|---|---|
| Scope | Tailored | Mostly generic | Umbrella term |
| Medium | In person, phone, email | Email, SMS | All channels |
| Effort | High | Low-medium | Variable |
| Effectiveness | Very high | Medium | Variable |
| Detectability | Difficult | Easier | Variable |
Pretexting is a common initial-access component of targeted attacks (APT). While generic phishing can be intercepted by technical filters, a well-crafted pretext carries few technical indicators and is difficult to detect automatically; the procedural controls above are what ultimately stop it.