Key Takeaways
- Pretexting scams account for 30% of all social engineering incidents. (Secureframe)
- Phishing and pretexting are the top causes of costly data breaches. (Verizon 2025 DBIR)
- BEC attacks are among the most expensive types of breaches, costing around $4.89 million. (IBM)
Introduction
Cybercrime continues to grow and to cause more damage. Cybercriminals constantly look for new ways to trick people and steal their valuable data. One method that has become popular is ‘pretexting’. Pretexting scams are based on attackers fabricating a false story, or pretext, to gain the trust of unsuspecting people. Once the victim has been taken into confidence, the attackers manipulate them into sharing sensitive information such as credit card numbers, bank details, passwords, or personal details.
But that’s just the tip of the iceberg. We will dive into the details of pretexting scams, how they work, and how you can protect yourself from such scams.
What are pretexting scams?
A pretexting scam is a form of social engineering fraud where a scammer creates a false story to manipulate a victim into revealing sensitive information or taking action that benefits the scammer. These scams rely on impersonation and deception to earn the victim’s trust. Scammers pretend to be company representatives, bank employees, colleagues, or even family members.
Once the victim begins to trust the scammer, the scammer asks for confidential information. People often confuse phishing with pretexting, but the two are different: phishing scams exploit urgency or fear, while pretexting scams rely on a believable fabricated situation to manipulate the victim.
How do Pretexting Scams Work?
Pretexting scams involve a series of steps that allow scammers to fool their targets. Here’s a breakdown of how these scams typically work:
1. Research: It all begins with research. Attackers gather information about the potential victims from public sources like social media, company websites, and online databases. They want to obtain as much information as possible about their targets to be able to build a believable story.
2. Create a Pretext: Once they have gathered enough information, they create a fake story, or pretext, that aligns with the victim’s situation. They might pose as someone from the victim’s company or bank, and because they hold real details, it is easy for them to make the interaction seem genuine.
3. Make Contact: The attacker then contacts the victim through a phone call, text message, or email. They tell the false story, built from the victim’s own information, to establish trust and legitimacy. Attackers drop personal or professional references to make the conversation seem as real as possible.
4. Manipulate the Victim: As the scammer gains the victim’s trust, they ask for sensitive information. It can be account numbers, credit card numbers, passwords, or other confidential data. Their way of asking for the information seems harmless because they add logical reasoning to it, such as confirmation or verification of account details.
5. Exploit the Information: Once the scammers obtain information from victims, they use it to carry out malicious activities such as stealing money, accessing confidential data, or committing identity theft.
Common Types of Pretexting Scams
Scammers always come up with different ideas to scam people, but the following types seem to be used on most occasions:
1. Impersonation Attacks: Here, attackers pose as trusted figures, such as a bank employee, colleague, old friend, or even a family member. They often use spoofed phone numbers or forged emails to deceive victims.
2. Business Email Compromise (BEC): Attackers impersonate company executives or vendors to request sensitive information or funds transfer. Here, a sense of urgency is created to build pressure on victims to take action that would benefit the scammers.
3. Tech Support / IT Helpdesk Scams: Scammers pose as IT support or cybersecurity staff to obtain remote access to, or login credentials for, the victim’s computer. This pretext exploits trust and urgency within organizations.
4. Government or Law Enforcement Impersonation: Here, attackers impersonate police, tax officers, or legal officials and demand information or payment for a made-up legal issue or unpaid taxes.
5. HR or Job Offer Scams: Scammers here pose as HR recruiters to steal sensitive data like bank details, IDs, or SSNs under the pretext of background checks or onboarding.
5. Customer or Vendor Pretexting: Scammers pretend to be genuine customers or suppliers to obtain internal business details, pricing, or banking information. This type of scam is most common in finance and procurement functions.
6. Voice-Based Pretexting: Scammers impersonate legitimate figures from banks, government departments, or service providers on phone calls to trick victims into revealing sensitive data or installing a tool that gives remote access to their devices.
Real World Examples
There have been several instances where big organizations have been victims of pretexting scams.
MGM Resorts International Data Breach (2023)
The popular hotel chain experienced a data breach triggered by a pretexting attack in September 2023. Attackers posed as the company’s employees and contacted MGM’s IT helpdesk. They asked for network access, which the helpdesk provided after falling for their deception. After getting access, attackers stole customer names, email addresses, phone numbers, driving license numbers, and more.
The company shut down some of its systems and launched an investigation to get to the bottom of the issue. Following the investigation, it took strong steps to further strengthen its security measures to prevent such incidents from happening again.
Deepfake CFO Impersonation (2024)
A UK-based firm named Arup was scammed out of GBP 20 million. This scam used publicly available video and audio clips to generate realistic facsimiles of several senior managers, including a Chief Financial Officer (CFO). Scammers used these to stage a fraudulent video conference. The deception was so convincing that the employee believed the request had indeed come from senior leadership. The employee made transfers of around HKD 200 million, or 20 million pounds sterling.
Psychology Behind Pretexting
The psychology behind pretexting is to exploit fundamental human tendencies. Scammers try to build trust, manipulate emotions, and bypass skepticism. They create a believable story, called a pretext, and impersonate a trusted authority figure to convince their targets to reveal sensitive information or perform an action beneficial to them.
Warning Signs and Red Flags to Watch
If you receive a phone call, message, or email from an individual or company asking for personal or business-related information that isn’t usually requested, be very careful: it could be a scam. Here are six red flags you should know to identify the manipulation early:
1. Threatening or Urgent Language: Scammers create urgency because they know people make poor decisions under pressure. They fabricate a story such as ‘your account will be locked’ or demand that you respond immediately. Any demand with a strict deadline is a warning sign of a scam.
2. Poor Grammar or Awkward Tone: Pretexting messages often contain spelling errors and an unnatural tone. If you see a message or email with these issues, don’t respond; check the sender’s phone number or email address instead.
3. Requests for Gift Cards or Unusual Payments: Many scammers ask for payment via gift cards, cryptocurrency, or wire transfers. No legitimate company demands payment this way, so it’s a clear warning sign.
4. Unfamiliar or Random Messages: Pretexting also happens through text messages or social media DMs, so don’t entertain unknown contacts claiming to represent trusted entities.
5. Unexpected Email Attachments or Links: Attackers can spoof sender addresses, so even if an email appears to come from a familiar sender, verify its authenticity before opening attachments or clicking links.
6. Inconsistent Details or Behavior: If you receive a job offer, check the job title, company details, and communication patterns. You are likely to find errors in them, and these inconsistencies can expose a pretexting attempt.
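As an added illustration (this script is not part of the original article), the following Python triage routine scores an inbound message against the six red flags above and applies a simple policy for when to verify the request through a separately trusted channel. The message layout, the brand allow-list and the three sample messages are constructed assumptions for the example, not real incidents or any vendor’s schema.

```python
import re
from dataclasses import dataclass

# Assumed shape of an inbound message as a mail gateway or ticketing
# system might hand it to a triage script (constructed, not a real schema).
@dataclass
class Message:
    sender_name: str      # display name the sender chose
    sender_addr: str      # actual address the message came from
    body: str
    has_attachment: bool = False
    known_sender: bool = False   # address seen in prior legitimate contact

# Constructed brand -> legitimate domain mapping (an assumption for the example)
TRUSTED_BRANDS = {"example bank": "example-bank.com"}
URGENCY = re.compile(r"\b(immediately|right away|within \d+ hours?|final notice|"
                     r"account will be (locked|suspended))\b", re.I)
ODD_PAYMENT = re.compile(r"\b(gift cards?|bitcoin|crypto(currency)?|wire transfer)\b", re.I)
LINK = re.compile(r"https?://", re.I)

def red_flags(msg: Message) -> list:
    """Return the red flags from the list above that this message trips."""
    flags = []
    if URGENCY.search(msg.body):
        flags.append("urgent-or-threatening-language")
    if ODD_PAYMENT.search(msg.body):
        flags.append("unusual-payment-method")
    domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    # Display name claims a trusted brand but the address is from elsewhere
    for brand, legit_domain in TRUSTED_BRANDS.items():
        if brand in msg.sender_name.lower() and domain != legit_domain:
            flags.append("sender-display-name-mismatch")
    if (LINK.search(msg.body) or msg.has_attachment) and not msg.known_sender:
        flags.append("unexpected-link-or-attachment")
    if not msg.known_sender:
        flags.append("unfamiliar-sender")
    return flags

def needs_out_of_band_check(msg: Message) -> bool:
    """Policy: any payment or identity flag, or two or more flags in total,
    means confirm via a contact channel you already trust before acting."""
    flags = red_flags(msg)
    return ("unusual-payment-method" in flags
            or "sender-display-name-mismatch" in flags
            or len(flags) >= 2)

# Constructed samples, not real messages
BANK_LOOKALIKE = Message("Example Bank Security", "alerts@examp1e-bank.co",
    "Your account will be locked unless you verify immediately: http://examp1e-bank.co/login")
CEO_GIFT_CARDS = Message("Pat Quinn (CEO)", "pat.quinn.ceo@webmail.example",
    "In a meeting, need you to buy 5 gift cards right away. Will explain later.")
COLLEAGUE_REPORT = Message("Dana Lee", "dana.lee@corp.example",
    "Attached is the Q3 report we discussed.", has_attachment=True, known_sender=True)
```

The keyword lists are deliberately small; in practice they would be tuned against the organisation’s own mail, and the policy result would feed a ticket rather than an automatic block.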
What to Do If You Suspect a Pretexting Attempt
First, don’t hit the ‘panic’ button. Remain calm and follow an action plan to prevent attackers from inflicting damage.
Stop Communication: Don’t respond to the calls, messages, or emails.
Verify the Source: Use official contact details from a trusted website to confirm if the request is legitimate.
Report Internally: Inform your IT/Security team so they can investigate and alert others.
Change Your Credentials: If you have shared any information, reset all affected passwords and enable multi-factor authentication.
Monitor Accounts: Keep checking your business systems, emails, and bank accounts for any suspicious activity.
Report Externally: Report the incident to cybercrime authorities and engage cybersecurity experts to strengthen your security measures and prevent a recurrence.
Do not delay these actions, or the attackers may penetrate deeper into your network and inflict greater damage.
How Businesses Can Prevent Pretexting Attacks
Businesses need proactive security policies to prevent pretexting attacks. Moreover, they need to ensure employee awareness and technical controls. All businesses should implement the following key measures.
1. Employee Training & Awareness: Since pretexting succeeds by exploiting human error, organizations must run cybersecurity awareness programs that help employees recognize the different threats.
2. Encourage Quick Reporting: Organizations must create a culture where employees feel comfortable reporting suspicious emails, phone calls, or unusual data requests. Fast reporting helps the security team act before the attack escalates.
3. Enable Multi-Factor Authentication (MFA): Adding a verification layer makes it harder for attackers to compromise accounts even if they obtain valid credentials.
4. Verify External Parties & Vendors: All vendors, contractors, and partners must be verified before being given access to sensitive systems or information.
5. Keep Systems Patched & Updated: It’s important to update all the software programs regularly to close security gaps. Also, all operating systems, browsers, and security tools must be continuously patched.
6. Update Cybersecurity Policies Regularly: With new pretexting techniques coming every year, organizations need to review and revise their cybersecurity policies to stay ahead of the attackers.
7. Refine Incident Response Plans: Organizations must have a clear plan of action for identifying, containing, and reporting social engineering fraud incidents. This helps minimize damage and maintain business continuity in case of a breach.
The Rise of AI & Deepfake Pretexting Scams
Pretexting scams have become more dangerous with the integration of artificial intelligence (AI). Cybercriminals now easily create convincing emails, cloned voices, and deepfake videos using AI. With these techniques, they easily impersonate trusted executives or public figures with alarming accuracy.
Tools like AI voice cloning make this even easier, allowing scammers to replicate real human voices and trick victims into believing the call or message is genuine. With the rise of deepfake technology, it is no longer safe to trust what we see and hear at face value. Both individuals and organizations need to verify identities through independent channels.
Conclusion
The surge in pretexting scams confirms their potential to harm the reputation and finances of an individual or company. Attackers are using increasingly sophisticated ways to carry out these scams. Organizations must take the necessary steps to protect their systems and the data stored within them. Connect with cybersecurity experts like SafeAeon for fast detection of pretexting attempts and to strengthen your organization’s security posture. Closing security gaps and ensuring proper awareness are critical to protecting your company against these scams.