Pretexting Attacks: How Social Engineers Fabricate Scenarios to Steal Data
Pretexting uses fabricated scenarios and false identities to manipulate people into revealing sensitive information. Learn how these social engineering attacks are constructed and stopped.
Building a Lie Before Making the Call
On August 25, 2022, an 18-year-old attacker called an Uber employee, claimed to be a member of the company's IT security team, and convinced the employee to approve a multi-factor authentication prompt. Within hours, the attacker had access to Uber's internal systems, its Slack workspace, its HackerOne vulnerability database, and its internal financial data. The attacker had not broken any encryption or exploited any software vulnerability. The entire compromise was executed through pretexting — constructing a convincing false identity and scenario to manipulate a human target.
Pretexting is a form of social engineering in which an attacker creates a fabricated scenario (the pretext) to manipulate a target into performing an action or revealing information they would not otherwise share. Unlike phishing, which typically relies on mass distribution and urgency, pretexting is often highly targeted and personalized, relying on research, rehearsal, and psychological manipulation rather than technical exploitation.
The Anatomy of a Pretexting Attack
A successful pretexting attack follows a recognizable structure, regardless of the specific scenario used.
| Phase | Activity | Tools and Techniques |
|---|---|---|
| Reconnaissance | Gathering target information to make the pretext credible | LinkedIn, company websites, OSINT frameworks (Maltego, TheHarvester), public data breaches, social media |
| Pretext construction | Building the false identity, scenario, and supporting evidence | Spoofed caller ID, fake email addresses, counterfeit credentials, fabricated organization references |
| Approach | Contacting the target through the chosen channel | Phone (vishing), email, in-person, SMS (smishing), video call |
| Manipulation | Deploying psychological tactics to build rapport and trust, then making the request | Authority, urgency, likability, reciprocity, social proof, fear |
| Extraction | Obtaining the desired information or action | Credentials, one-time codes, internal documents, physical access, money transfers |
Common Pretext Scenarios
Pretexters select scenarios that give them a plausible reason to request the information they need. The most effective pretexts exploit established roles and relationships.
- IT support impersonation: "I'm from the help desk — we're seeing unusual activity on your account and need to verify your credentials to protect it." This is the scenario used in the 2022 Uber attack.
- Vendor or contractor impersonation: An attacker calls a target company claiming to be from a vendor they work with, asking for system access to "troubleshoot a service issue."
- Bank fraud investigator: Calling a victim to report suspicious transactions on their account, then asking them to verify account details to "stop the fraud." The caller may appear to call from the bank's legitimate number via spoofing.
- IRS or government authority: Claiming the target owes taxes or faces arrest without immediate payment or information verification. Fear and authority create urgency that bypasses critical thinking.
- New employee or executive impersonation: Impersonating a senior executive (CEO fraud or BEC — Business Email Compromise) to request urgent wire transfers from finance departments.
The Role of OSINT in Pretexting
Open Source Intelligence (OSINT) — information gathered from publicly available sources — is the foundation of effective pretexting. Before making contact, skilled pretexters spend hours or days researching their target. From LinkedIn alone, an attacker can learn an employee's role, tenure, team, manager's name, recent projects, and work history. Company websites reveal internal department structure, key personnel, and vendor relationships. Data breach databases (available on dark web forums) may provide employees' previous passwords, personal email addresses, and other information that makes a pretext more convincing.
Kevin Mitnick, one of the most famous social engineers in history, described in his 2002 book "The Art of Deception" how he routinely spent days researching targets before making contact — learning internal terminology, organizational structure, and the names of key personnel so thoroughly that his pretexts were virtually undetectable. Modern OSINT tools have made this research faster and more comprehensive than anything available in Mitnick's era.
Psychological Principles Exploited
Pretexting succeeds by exploiting predictable human psychological tendencies identified in decades of social psychology research.
- Authority: People tend to comply with requests from perceived authority figures (executives, IT staff, law enforcement, government agencies). Impersonating authority reduces resistance.
- Urgency: Creating time pressure short-circuits careful deliberation. "This must be resolved in the next 15 minutes or your account will be permanently locked."
- Social proof: "I've already spoken with John in accounting, and he confirmed this is authorized." Reference to trusted colleagues reduces suspicion.
- Reciprocity: Providing something of value first — helpful information, positive attention, solving a problem — creates a felt obligation to comply with subsequent requests.
- Likability: People comply more readily with requests from people they like. Pretexters often spend significant time building rapport before making any request.
Real-World Cases
The 2011 RSA Security breach began when employees opened a phishing email titled "2011 Recruitment Plan." The email contained a malicious Flash exploit, but the pretext — a plausible HR document — was what convinced recipients to open it. The breach ultimately compromised RSA's SecurID token database, affecting the security of millions of hardware tokens used at defense contractors and government agencies.
In 2019, cybersecurity firm Symantec reported that business email compromise (BEC) attacks — a form of pretexting targeting finance employees — caused $1.77 billion in losses to U.S. businesses in 2019 alone, representing the largest category of cybercrime losses tracked by the FBI's Internet Crime Complaint Center (IC3) that year.
Detection and Defense
| Defense Measure | What It Addresses |
|---|---|
| Security awareness training | Teaches employees to recognize pretext scenarios and manipulation techniques; role-playing exercises with simulated pretexting calls |
| Verification protocols | Required out-of-band verification for sensitive requests (call the requestor back on a known number, not one they provided) |
| Caller ID skepticism | Caller ID can be spoofed, so a number that appears legitimate proves nothing about who is actually calling |
| Least privilege information policy | Employees only have access to information necessary for their role; limits what can be extracted through pretexting |
| Strong authentication for sensitive actions | Wire transfers, password resets, and system access changes require multi-person authorization regardless of the requestor's apparent identity |
| Incident reporting culture | Employees who report suspicious contacts without fear of blame enable early detection of pretexting campaigns |
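One way to turn the verification-protocol and multi-person-authorization rows above into a checkable policy, as an added example that is not part of the original article (the directory entries, phone numbers and approver counts are constructed):

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

# Constructed internal directory of known-good callback numbers (assumed data).
# The policy only ever calls back on these numbers, never on one the caller supplies.
DIRECTORY = {
    "jdoe": {"name": "Jane Doe", "phone": "+1-555-0100"},
    "asmith": {"name": "Alex Smith", "phone": "+1-555-0101"},
    "rlee": {"name": "Riley Lee", "phone": "+1-555-0102"},
}

# Independent approvers required per sensitive action, in addition to the callback.
REQUIRED_APPROVERS = {"wire_transfer": 2, "password_reset": 1, "access_change": 2}


@dataclass
class Request:
    action: str
    claimed_identity: str                 # identity the caller claims to have
    supplied_number: Optional[str] = None  # callback number the caller offered
    urgency_claimed: bool = False
    callback_confirmed: bool = False       # requester confirmed on the directory number
    approvers: Set[str] = field(default_factory=set)


def evaluate(req: Request, directory=DIRECTORY) -> Tuple[bool, List[str]]:
    """Return (allowed, checklist). Never allows a sensitive action on a caller's word alone."""
    steps = []
    entry = directory.get(req.claimed_identity)
    if entry is None:
        return False, ["claimed identity not in directory: refuse and report"]
    if req.supplied_number and req.supplied_number != entry["phone"]:
        steps.append("caller-supplied number differs from directory: ignore it")
    if req.urgency_claimed:
        steps.append("urgency claimed: manipulation signal, not a reason to skip steps")
    if not req.callback_confirmed:
        steps.append(f"call back {entry['name']} at directory number {entry['phone']}")
    needed = REQUIRED_APPROVERS.get(req.action, 0)
    # Approvers must be known identities and cannot include the requester themself.
    independent = {a for a in req.approvers if a in directory and a != req.claimed_identity}
    if len(independent) < needed:
        steps.append(f"{req.action} needs {needed} independent approver(s); have {len(independent)}")
    allowed = req.callback_confirmed and len(independent) >= needed
    return allowed, steps
```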