What is pretexting?

Pretexting is a type of social engineering attack where the attacker creates a false story, the “pretext,” to trick a person into giving away sensitive information, money, or access.

Understanding pretexting

According to IBM, pretexting aims to “gain a victim’s trust and trick or manipulate them into sharing sensitive information, downloading malware, sending money to criminals or otherwise harming themselves or the organization they work for.” The article further explains that "cybercriminals—and mere terrestrial criminals—might also use pretexting alone to steal valuable information or assets from individuals or organizations.”

How does pretexting work?

According to IBM, pretexting relies on two core components:

• Character: The fake identity the attacker adopts. To seem credible, the attacker will impersonate someone the victim trusts or feels obligated to obey, such as a boss, an IT staff member, a service provider, or even a personal contact. The goal is to appear legitimate, so the target is more likely to follow requests or divulge information.
• Situation: This is the story or scenario the attacker creates to justify their request. The situation gives a reason for the character’s contact and makes the request seem plausible. It might be something generic like “you must update your account details,” or it could be a more personal storyline, such as “I’m stuck and need your help.”

“The bad news is that there's no shortage of scenarios or sensitive data that can be leveraged by savvy social engineers,” says Verizon. The attackers could gather information from social media and corporate websites. Additionally, cybercrime forums are teeming with stolen login credentials and personal and financial data.

What types of attacks does pretexting precede or form part of?

Pretexting is usually the first step in a larger cyberattack. When the attacker creates a believable story and gains the victim’s trust, they lay the groundwork for more damaging attacks. These include:

Phishing

According to IBM, “Pretexting is common in targeted phishing attacks such as spear phishing, and whaling.”

The impact is especially severe in healthcare. According to Paubox, phishing is the leading cause of healthcare data breaches, serving as the primary entry point for cybercriminals to compromise sensitive information. As of 2024, over 70% of healthcare data breaches originated from phishing attacks.

Baiting

Baiting relies on curiosity, greed, or urgency to entice victims into taking action. According to IBM, “Scammers often use pretexting to make the bait more alluring.”

Baiting examples include:

• A USB drive labeled “Executive Salaries 2026” left in a parking lot.
• A downloadable file labeled “Updated Payroll Adjustments.”
• A fake reward offer requiring login credentials.

Tailgating

Tailgating occurs when an unauthorized person gains access to a restricted area by following someone with legitimate access. “Scammers use pretexting to make their tailgating attempts more successful—by, say, posing as a delivery person and asking an unsuspecting employee to open a locked door for them.”

Defending against pretexting

Organizations can defend against pretexting attacks by strengthening people, processes, and technology. According to a Verizon article, defending against pretexting involves:

• Training employees on how to identify the warning signs of pretexting. “Courses should run continuously, include real-world simulations and last only 10-15 minutes.”
• Using simulation exercises with login banners and regular emails.
• Deploying multi-factor authentication (MFA) to reduce the risk of password theft.
• Updating and patching software.
• Installing anti-malware, including phishing protection.
• Deploying Domain-based Message Authentication, Reporting, and Conformance (DMARC).
• Using AI-powered email protection, such as Paubox’s Inbound Email, which can identify “suspicious writing styles and email behavior indicative of account takeover.”
• Updating business procedures to require approval from multiple team members for all high-value money transfer requests.
• Updating incident response plans to reduce the impact of successful pretexting attacks.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQS

How can employees tell if a request is a pretexting attempt?

Warning signs include:

• Unusual urgency
• Requests to bypass normal procedures
• Pressure to keep the request confidential
• Slight inconsistencies in email addresses or phone numbers
• Requests for sensitive information that should never be shared

Why do attackers research their targets before pretexting?

Research helps attackers create more believable and personalized stories. Publicly available information can make the pretext more convincing and harder to detect