The phone rings. The caller identifies themselves as a technician from your IT support provider. They explain there has been a critical security alert on your account and they need to verify your login credentials to resolve it before the system locks out your entire team. They know your company name, your IT provider's name, and even the software you use. It sounds entirely legitimate. But it is not — it is a pretexting attack, and if you comply, an attacker will have the keys to your systems within minutes.

TL;DR — Key Takeaways

  • Understand how pretexting attacks use fabricated scenarios to manipulate employees
  • Learn what makes pretexting different from generic, wide-net phishing
  • Recognise the common pretexts attackers use before they impact your business

Visual Overview

Attacker creates pretext → poses as authority → builds rapport → requests sensitive information → victim complies → data exploited

Pretexting is a form of social engineering in which the attacker fabricates a convincing scenario — a pretext — to manipulate a target into divulging information, granting access, or performing an action that compromises security. Unlike opportunistic phishing that casts a wide net, pretexting is deliberate, researched, and personalised. It is the confidence trick of the cybersecurity world, and it is remarkably effective against organisations that have not trained their staff to recognise it.

What Makes Pretexting Different

All social engineering involves some degree of deception, but pretexting is distinguished by the depth of the fabricated narrative. A standard phishing email might impersonate a delivery company with a generic "Your package is waiting" message. A pretexting attack, by contrast, constructs an entire backstory: a specific reason for contact, a plausible identity, relevant knowledge about the target, and a clear objective that seems reasonable in context.

The attacker does not simply ask for information — they create a situation in which providing that information feels like the natural, even responsible, thing to do. This is what makes pretexting so dangerous: the victim often believes they are being helpful, not careless.

Common Pretexts Attackers Use

The IT Support Technician

This is perhaps the most prevalent pretext used against small businesses. The attacker poses as a technician from the organisation's IT support provider or internal IT department. They claim there is an urgent issue — a security breach, a system migration, a software update — that requires the employee's cooperation. The request typically involves sharing login credentials, installing remote access software, or clicking a link to "verify" their account.

This pretext is effective because employees are conditioned to cooperate with IT requests. In many small businesses, staff cannot easily verify whether a call is genuinely from their IT provider, particularly if they deal with outsourced support and are unfamiliar with the specific technicians.

The Vendor or Supplier

Attackers impersonate a known vendor, claiming they need to update payment details, verify an invoice, or resolve a billing discrepancy. This is closely related to business email compromise, but in pretexting, the interaction often begins with a phone call or a carefully crafted email exchange designed to build rapport before the fraudulent request is made.

The attacker may reference genuine invoice numbers, project names, or contact details gleaned from publicly available information or previous data breaches. By the time they make their actual request — typically a change to bank account details for future payments — the victim has no reason to doubt them.

The Auditor or Compliance Officer

Posing as an auditor — whether internal, from a regulatory body, or representing a business partner — gives the attacker an inherent position of authority. The pretext typically involves a compliance review, security assessment, or regulatory inspection that requires access to systems, documents, or sensitive data. Employees are reluctant to obstruct an audit, creating pressure to comply without verifying the auditor's legitimacy.

The New Employee or Executive

Attackers sometimes pose as a new hire who needs help accessing systems, or as a senior executive making an urgent request. The executive impersonation variant is particularly effective because employees are hesitant to question authority, especially when the request comes with a sense of urgency. "I am travelling and cannot access my email — can you send me the client spreadsheet?" exploits both authority and the desire to be helpful.

The Customer or Client

In service-oriented businesses, attackers pose as customers to extract information about internal systems, processes, or other clients. A convincing "customer" calling to check on their account can gradually extract details about security procedures, software platforms, and organisational structure — all of which feeds into more targeted attacks later.

How Attackers Research Their Pretexts

The credibility of a pretexting attack depends on preparation. Modern attackers invest significant time in research, drawing on a wealth of publicly available information.

Open-Source Intelligence (OSINT)

Attackers gather information from sources including:

  • Company websites — staff directories, organisational charts, "About Us" pages, and press releases reveal names, titles, reporting structures, and current projects
  • LinkedIn — professional profiles provide detailed information about roles, responsibilities, technology skills, and professional connections. Job postings reveal which software and systems the organisation uses
  • Social media — personal and corporate social media accounts reveal travel schedules, events, interests, and relationships that can be woven into a convincing pretext
  • Public records — business registrations, regulatory filings, and court documents provide organisational details, partner relationships, and financial information
  • Previous breaches — leaked data from earlier breaches may include email addresses, passwords, internal documents, and communication patterns that make a pretext far more convincing

AI-Enhanced Research

Increasingly, attackers are using AI tools to automate and enhance their research. AI can rapidly analyse social media profiles, cross-reference information from multiple sources, and even generate personalised messaging that matches the tone and style of legitimate communications. This dramatically reduces the time required to construct a convincing pretext while increasing its believability.

The most effective pretexting attacks feel mundane, not dramatic. They do not ask for anything outrageous — they ask for small, reasonable things that happen to give the attacker exactly what they need.

The Psychology of Compliance

Pretexting exploits fundamental aspects of human psychology. Understanding these triggers is the first step in defending against them.

Authority

People are inclined to comply with requests from perceived authority figures. An attacker posing as an IT administrator, auditor, or senior executive leverages this tendency. The uniform — whether a job title, a company email address, or knowledge of internal systems — creates an assumption of legitimacy that most employees will not challenge.

Urgency

Creating time pressure short-circuits critical thinking. "We need to resolve this before the system locks out at 5 PM" or "The CEO needs this for a meeting in 30 minutes" pushes the target to act now and verify later — by which time the damage is done.

Reciprocity

Skilled pretexters begin by offering something — helpful information, a warning about a problem, or a small favour. This creates a subconscious obligation to reciprocate, making the target more likely to comply with the subsequent request.

Social Proof

Attackers may reference other employees who have already "cooperated" with their request. "Your colleague Sarah in accounts already provided her details — I just need yours to complete the process" makes non-compliance feel like an outlier behaviour.

Liking and Rapport

Pretexters are typically personable and conversational. They build rapport quickly, using the target's name, showing interest in their role, and finding common ground. People are more likely to help those they like, and even a brief, pleasant interaction can lower a target's defences significantly.

Training Employees to Verify Identities

The most effective defence against pretexting is a workforce that instinctively verifies before complying. Here is how to build that culture.

Establish Verification Procedures

Create clear, simple procedures for verifying the identity of anyone requesting sensitive information or access:

  1. Call back on a known number — if someone calls claiming to be from IT support, a vendor, or a partner organisation, hang up and call back using the number from your official contact records, not a number provided by the caller. A caller who offers to "save you the trouble" by giving you a direct line is asking you to verify them against themselves
  2. Verify through a second channel — if an email requests sensitive action, confirm it by phone or instant message using contact details from your own records, not those in the email. If a phone call makes a request, verify by email to the address you already hold. Never use the same channel, or contact details supplied in the request itself, to verify
  3. Check with a manager — for any request involving credentials, financial transactions, or access to sensitive data, require manager approval before proceeding
  4. Use challenge questions — establish internal verification questions or codes that outsiders would not know and that cannot be answered from LinkedIn, your website or a previous breach. These are particularly useful for phone-based verification
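The callback-and-challenge steps above, written out as a small helpdesk verification routine. This is an added example and not code from the original article: the contact directory, names, numbers and addresses in it are constructed, and delivery of the one-time code to the on-record email or phone is assumed to happen outside the script. The point it makes in code is the one the list makes in prose: the number to call back on comes from your own records, the code goes to the channel you already hold, and the caller only ever reads it back.

```python
"""Out-of-band verification for a phoned-in request.

Added example, not part of the original article. It models the callback and
challenge-code procedure: look up the claimed identity in a directory of known
contacts, send a short one-time code to the on-record channel (delivery is
assumed and not implemented here), and check the code the caller reads back.
Every identity, number and address in KNOWN_CONTACTS is constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed directory of known contacts. Only details that came from contracts,
# HR records or signed agreements belong here; a number the caller gives you does not.
KNOWN_CONTACTS: Dict[str, Dict[str, str]] = {
    "acme-it-support": {"phone": "+44 20 7946 0100", "email": "support@acme-it.example"},
    "j.smith": {"phone": "+44 7700 900123", "email": "j.smith@corp.example"},
}

CODE_TTL_SECONDS = 600  # a code is only valid for ten minutes


class VerificationError(Exception):
    """Raised when the claimed identity cannot be matched to a known contact."""


def callback_number(claimed_identity: str, caller_supplied: Optional[str] = None) -> str:
    """Return the number to call back on.

    The caller-supplied number is accepted as a parameter only to make the point
    explicit: it is never used, because an attacker will happily give you a
    number that rings their own phone.
    """
    entry = KNOWN_CONTACTS.get(claimed_identity)
    if entry is None:
        raise VerificationError(f"{claimed_identity!r} is not in the contact directory")
    return entry["phone"]


def issue_code(claimed_identity: str, now: Optional[float] = None) -> Tuple[str, dict]:
    """Generate a six-digit one-time code and the record the helpdesk keeps.

    The code is sent to the on-record email or phone of the claimed identity and
    is never read out to the caller. Only a hash of the code is stored.
    """
    if claimed_identity not in KNOWN_CONTACTS:
        raise VerificationError(f"{claimed_identity!r} is not in the contact directory")
    issued_at = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    record = {
        "identity": claimed_identity,
        "digest": hashlib.sha256(code.encode()).hexdigest(),
        "issued_at": issued_at,
        "used": False,
    }
    return code, record


def verify_code(record: dict, spoken_code: str, now: Optional[float] = None) -> bool:
    """Check the code the caller reads back: single use, time limited, and
    compared in constant time so the stored digest cannot be probed."""
    checked_at = time.time() if now is None else now
    if record["used"] or checked_at - record["issued_at"] > CODE_TTL_SECONDS:
        return False
    expected = record["digest"]
    actual = hashlib.sha256(spoken_code.strip().encode()).hexdigest()
    if not hmac.compare_digest(expected, actual):
        return False
    record["used"] = True  # a code that has been accepted once is burnt
    return True


if __name__ == "__main__":
    # Caller claims to be Acme IT support and offers "their" number; it is ignored.
    print("call back on", callback_number("acme-it-support", caller_supplied="+44 7700 000000"))
    code, rec = issue_code("j.smith")
    print("code sent to", KNOWN_CONTACTS["j.smith"]["email"])
    print("caller reads back the right code:", verify_code(rec, code))
    print("same code a second time:", verify_code(rec, code))
```

Two design choices are worth noting. The record stores only a hash of the code, so a leaked helpdesk log does not hand out live codes, and the comparison uses hmac.compare_digest so response timing does not reveal how many digits matched. A code that expires after ten minutes and is burnt after one successful use gives a caller who has talked their way into a second attempt nothing to work with.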

Conduct Regular Pretexting Simulations

Just as phishing simulations test email awareness, pretexting simulations test how employees respond to phone calls, in-person approaches, and multi-channel social engineering. Engage a trusted security partner to conduct realistic pretexting scenarios and use the results to identify and address gaps in your defences.

Normalise Healthy Scepticism

Many pretexting attacks succeed because employees fear being rude or unhelpful. Combat this by explicitly stating that questioning requests is not only acceptable but expected. Frame verification as professional diligence, not suspicion. Celebrate employees who catch simulated pretexting attempts and share their stories (anonymously if preferred) to reinforce the behaviour.

Address Specific Roles

Certain roles are more frequently targeted by pretexters. Receptionists and front-desk staff field calls from unknown parties daily. Finance teams handle payment requests and bank detail changes. IT support staff receive requests for access and credentials. HR teams hold sensitive employee data. Tailor your training to address the specific pretexting scenarios each role is most likely to encounter.

Technical Controls That Support Human Defences

While pretexting is fundamentally a human-targeted attack, technical controls can reduce its effectiveness:

  • Implement strict access controls — even if an employee is manipulated into handing over a password, phishing-resistant MFA (for example FIDO2 security keys) means the password alone does not grant access, and least-privilege permissions limit what a compromised account can reach. A strong password policy does not help here: the password is being given away, not guessed
  • Enforce change-management procedures — payment detail changes, access requests, and system modifications should require multi-person approval through a documented process, not ad-hoc requests
  • Deploy AI-powered email security — catch pretexting emails before they reach inboxes by analysing sender behaviour, content patterns, and contextual signals, and enforce basic sender authentication (SPF, DKIM and DMARC) so that your own domain cannot be trivially spoofed in the "From" address
  • Monitor for leaked data — if employee information appears in data breaches, it may be used to construct pretexts. Early awareness allows you to warn staff and heighten vigilance
  • Limit public information — review what your organisation shares publicly. Detailed staff directories, organisational charts, and technology stack information all feed pretexting research. Share what you must, but do not make the attacker's job easier than it needs to be
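A minimal version of the sender and content checks the email security bullet describes, run over three constructed messages: a vendor bank-detail change sent from a lookalike domain, an executive impersonation from a free mail provider, and a legitimate internal mail. This is an added example and not the article's or any product's code; the corp.example and acme-it.example domains, the executive names and all three messages are made up. It covers the vendor and executive pretexts described earlier as well as this list of controls.

```python
"""Heuristic pretext screening for inbound email.

Added example, not taken from the article. It flags the signals the article
describes for vendor and executive pretexts: an external sender using an
executive's display name, a sender domain a couple of edits away from a trusted
one, a Reply-To that points somewhere else, and urgency or payment-change
language. Domains, names and sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

CORP_DOMAIN = "corp.example"                        # assumed corporate domain
TRUSTED_DOMAINS = {CORP_DOMAIN, "acme-it.example"}  # assumed IT support vendor domain
EXECUTIVES = {"jane doe", "ravi patel"}             # assumed executive display names
URGENCY = ("urgent", "immediately", "before 5", "in 30 minutes", "locked out")
PAYMENT = ("bank details", "account details", "update payment", "new account number")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot corp.example vs c0rp.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates: close to it, but not equal."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def screen(raw: str) -> List[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings: List[str] = []

    # Executive display name, but the address is not one of ours.
    if name.strip().lower() in EXECUTIVES and domain not in TRUSTED_DOMAINS:
        findings.append(f"executive display name '{name}' from external domain {domain}")

    # Sender domain imitating a trusted one (typosquat or homoglyph).
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles trusted {imitated}")

    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to} differs from sender domain")

    # Content signals: time pressure and payment-detail changes.
    body = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(k in body for k in URGENCY):
        findings.append("urgency language")
    if any(k in body for k in PAYMENT):
        findings.append("payment-detail change request")
    return findings


# Constructed sample: vendor pretext from a lookalike domain ("exarnple" for "example").
SAMPLE_VENDOR = """\
From: Accounts <billing@acme-it.exarnple>
To: finance@corp.example
Reply-To: accounts.payable@freemail.example
Subject: Invoice 4471 - urgent update to bank details

Please update payment details for invoice 4471 before 5 PM today.
"""

# Constructed sample: executive pretext from a free mail provider.
SAMPLE_EXEC = """\
From: Jane Doe <jane.doe.ceo@freemail.example>
To: ops@corp.example
Subject: Quick favour

I am travelling and cannot access my email. Send me the client spreadsheet immediately.
"""

# Constructed sample: legitimate internal mail that should produce no findings.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@corp.example>
To: ops@corp.example
Subject: Board pack

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("vendor", SAMPLE_VENDOR), ("exec", SAMPLE_EXEC), ("legit", SAMPLE_LEGIT)):
        print(label, screen(sample) or ["no findings"])
```

Treat the output as triage, not a verdict. An edit-distance threshold of two will occasionally flag an unrelated short domain, and attackers who register a plausible but dissimilar domain will pass the lookalike check entirely, which is why the content and Reply-To signals are scored alongside it. Production filters add confusable-character tables, sender reputation and the authentication results from SPF, DKIM and DMARC; the heuristics here show what those signals look like, not a replacement for them.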

Building a Pretext-Resistant Culture

Pretexting will continue to evolve as attackers refine their techniques and leverage new technologies such as AI voice cloning and deepfake video. The organisations most resilient to these attacks are not those with the most sophisticated technology — they are those with a culture in which verification is automatic, questioning is encouraged, and no single request, no matter how urgent or authoritative it appears, bypasses established procedures.

Train your team. Rehearse your verification procedures. Conduct simulations. And remember: the best response to any unexpected request for sensitive information is not compliance — it is verification. A legitimate caller will understand the need to confirm their identity and will wait while you do so through your own channels. An attacker will try to talk you out of it, or steer you towards a number, link or "colleague" they control.