What Is Pretexting?

How Does Pretexting Work?

Pretexting is a technique that finds its way into many different kinds of cyberattacks. Like any other type of social engineering, the perpetrator’s goal is to convince their victim to give them something—generally information, access, or money—under false pretenses. They do this by creating a believable story, often including characters and specific details like private information, that plays on the victim’s emotions, sense of trust, or even fears.

Take the classic “Nigerian Prince” scam as an example. A simple pretext by today’s standards, it hinges on the promise of giving a little now for a large return later on, whether the pretext is a locked bank account, a financial venture, or whatever other explanation. A prince emailing strangers for help might sound too far-fetched to be effective, but in 2019, electronic security company ADT estimated Nigerian Prince schemes were still pulling in $700,000 every year.

Sophisticated pretexting attempts often use more intimate pretexts to be more convincing, with some involving fake websites, fabricated businesses, leaked account numbers and credentials, names of victims’ coworkers, and things of that nature.

Because pretexting is fundamentally about storytelling, it can take many forms and doesn’t always rely on email, the internet, or malware. For instance, with AI-powered deepfake technology, threat actors can manipulate voice patterns, facial expressions, and gestures to produce highly realistic simulations that are difficult to distinguish from authentic audio and video, and which can be powerful tools in phishing attacks.

Pretexting Attack Techniques

Malicious pretexts are built on the same social engineering techniques used by con artists throughout history to manipulate victims, including deception, validation, flattery, and intimidation. Attackers might strengthen their pretexts through:

• Roleplaying and impersonation: Attackers may play a character such as a customer, service provider, colleague, or authority figure so the victim feels inclined to cooperate. This could include exploiting vulnerabilities in authentication processes or exploiting trusted relationships.
• Research and reconnaissance: Often using open, publicly available resources, attackers can gather information about a target’s job and responsibilities, coworkers, personal details, and more.
• Developing relationships: As in any archetypal “long con,” attackers can use manipulation techniques to establish credibility and trust with a target, possibly through phone calls, social media, or even face-to-face conversations.
• Exploiting emotions: Nothing creates urgency like uncertainty, doubt, and fear. Attackers may fabricate emergencies, one-time opportunities, and more to fool targets into taking hasty action and bypassing security measures.
• Leveraging generative AI: The youngest technique in this toolbox by centuries—maybe millennia—modern AI tools can help attackers rapidly create pretexts with strikingly human-like language and detail, even in languages in which they may not be proficient.

Finally, one of the biggest factors working in malicious actors’ favor isn’t a technique at all, but more like a vulnerability in human psychology: for many people, it’s easier to say “yes” than to say “no.” Simply put, we want to get along, so we’ll often agree or acquiesce to requests, even when doing so works against our best interests.

Attackers know this, and they know that many people will let a little trust go a long way. Put those two together and, often enough, all they need to do to get a credit card number is ask for it.

How Do Cybercriminals Use Pretexting?

Pretexting scenarios are central to the success of many different kinds of cyberattacks, such as:

• General phishing: Simple pretexts are part of most “wide net” phishing attacks, which can be as basic as an email asking you to “kindly review the attached invoice” or limitless other variations. Such tactics often serve as entry points to more sophisticated attacks like ransomware.
• Spear phishing: Attackers aiming for highly sensitive or valuable information may create painstakingly detailed stories to make potential victims believe they’re legitimate and trustworthy.
• Vishing: With just a call and a convincing pretext (often including phone number spoofing), attackers can steal financial information, social security numbers, and other confidential information. Today, AI-powered deepfake tools let attackers imitate almost any voice, saying whatever they want.
• Theft and espionage: Skilled impersonators posing as employees or contractors can fool real employees and “tailgate” into private/secure areas, where they may have access to valuable equipment or privileged information.

Real-Life Pretexting Examples

Pretexting plays a part in countless cybercrimes and financial scams, and because it exploits human trust and can take almost any shape, it remains one of the most pervasive and effective social engineering tactics. Here are a few examples:

The “AIDS” Trojan (1989)

Considered the grandfather of ransomware attacks, attendees of an international AIDS conference received floppy disks laden with a trojan virus under the pretext of “AIDS Information.” The trojan would hide all directories on an infected system, encrypt all files on the infected hard drive, and demand a $189 ransom payment (quaintly, via post) to an address in Panama.

Quanta Computer Fraud (2013-2015)

In what may be the most costly pretexting attack ever, attackers posed as representatives of Quanta Computer, a Taiwan-based manufacturer working with Facebook and Google. Using forged invoices sent from fake email accounts, fake supporting documents, and more, the attackers defrauded these tech giants of more than US$100 million in total.

Job Seeker Phishing and Extortion (2023)

When layoffs hit the tech industry, opportunistic scammers hit the job seekers. Posing as recruiters on sites like LinkedIn, scammers copied real job listings and created fake career portals to convince victims to fill out fake employment paperwork, upload personal documents, and more. You can read a full analysis of these attacks over on the Zscaler blog.

Deepfake CFO Impersonation (2024)

Used publicly available video and audio clips, attackers generated realistic facsimiles of multiple senior managers, including a chief financial officer, and used them to lead a fraudulent video conference. Ultimately, the fake senior leadership convinced an employee to transfer some HK$200 million to the attackers. Read more on the Zscaler blog.

How to Protect Your Organization from Pretexting Attacks

Modern email services automatically block many phishing emails, but attackers are always devising clever new ways to slip through. A user outside your network may not be able to move through it freely, but an internal user, granted implicit trust on the network, can be fooled into thinking they’re doing the right thing while playing directly into an attacker’s hands.

So, what can you do to keep your users and sensitive data safe?

• Make sure your users know the signs of an attack. Many data breaches still stem from human mistakes. Think of security awareness training as a way to patch human vulnerabilities. Employees, especially those with elevated privileges, need to know when to be skeptical—how to identify phishing attempts, recognize social engineering—and understand the importance of strong password management and MFA.
• Be willing to refuse unusual or suspicious requests. Saying “no” is harder than saying “yes,” and fraudsters are experts at getting you to let your guard down. A central tenet of the zero trust approach to security, “never trust, always verify,” applies just as much to these human interactions as it does to authentication protocols and access permissions. Encourage users to verify requests through independent means/channels or by consulting IT and security personnel.
• Prevent successful attacks with the right technology. If a hacker does manage to trick your users (and it’s safest to assume one will, eventually), you’ll need security measures you can count on to neutralize their attacks by enforcing airtight role-based access control, preventing threats from moving laterally across your network, and stopping data loss.

How Zscaler Can Help

Pretext attacks are challenging to overcome because they rely on exploiting human nature, not just technology, to succeed. To detect active breaches and minimize the damage of a successful attack, you need to implement effective controls against malicious traffic, data exfiltration, and more as part of a complete zero trust strategy.

Built on a holistic zero trust architecture, the Zscaler Zero Trust Exchange™ platform starts with the premise that no user, workload, or device is inherently trustworthy. It verifies identity, determines destination, assesses risk through AI, and enforces policy before brokering a secure connection between a user, workload, or device and an application—over any network, from anywhere—to effectively:

• Prevent attacks: Features like full TLS/SSL inspection, browser isolation, AI-powered phishing and C2 detection, and policy-driven access control prevent access from malicious websites.
• Prevent lateral movement: Once in your system, malware can spread to cause even more damage. The Zscaler platform connects users directly to apps, not your network, preventing the potential spread of malware.
• Stop insider threats: A cloud native proxy architecture stops private app exploitation attempts and detects even the most sophisticated attack techniques with full inline inspection.
• Stop identity-based attacks: Detect and block credential theft, multifactor authentication bypass, and privilege escalation, and more with Zscaler ITDR™ identity threat detection and response.
• Stop data loss: Our platform automatically identities and protects sensitive data in motion and at rest to prevent active attackers from executing successful data theft.