What is pretexting? Recognize pretexts and protect data

Pretexting refers to scammers’ pursuit to steal personal data or funds under false pretenses. Essentially, such scams invent made-up scenarios or pretexts and impersonate representatives of official services.

Usually, alleged problem resolutions involve victims revealing personal information, like banking account details. In other cases, pretexting scams might require payments to put the fake issue to bed.

Other pretexts can involve requirements for remote access or buying gift cards and sending their pictures to the culprits. Let’s see how to recognize pretexting and not become a victim of deception.

Understanding pretexting: pretext definition and its goals

Pretexting tries to persuade targets to perform the required action. The scheme relies on making the victims believe their stories. The latter is a pretext, a false scenario reported by scammers.

The pretext will likely consist of made-up issues that victims must resolve as soon as possible. However, it can involve fake lottery winnings, surveys, or gift card giveaways.

So, pretexting is a form of social engineering, and it likely aims to gain confidential and sensitive information. Scammers could demand the following data during phone calls or phishing emails:

• Credit card information.
• Social security numbers.
• Phone numbers.
• Email addresses.
• Home addresses.
• PINs and passwords.
• Medical insurance account numbers.

How does the pretexting attack work?

Like most social engineering techniques, pretexting combines deception, a sense of urgency, and manipulation. The first task of any scammer is to gain the victims’ trust through any means available.

For instance, scammers might mention some victims’ information to make their claims more realistic. However, various personal insights can come from social media or previous data breaches. Furthermore, some information might be available through public records.

So, here are the common steps of pretexting scams:

1. A scammer initiates communication with targets, likely through phone calls, text messages, or emails. It could be a live conversation through phone or a robocall.
2. The rehearsed story likely informs targets of issues or other made-up scenarios. Scammers pretend to be from trusted and well-known authorities, like banks or government facilities.
3. Once fraudsters introduce the pretext, they ask for users’ personal information.
4. If victims hand sensitive information over to them, the culprits could take over accounts or make unauthorized transactions.

Types of pretexting

Phishing and pretexting share many characteristics, including the most popular techniques for tricking users.

• Vishing is a social engineering attack through voice communication. Scammers pursue it through deceptive phone calls. Some take advantage of caller ID spoofing. Such manipulation lets scammers imitate phone numbers of respectable individuals or facilities. Thus, this trick can make made-up scenarios more believable.
• Smishing is when you receive fraudulent text messages. They usually include links, likely shortened ones. Thus, you cannot know their exact destination before clicking. Text messages might alert you of recent winnings in a lottery or suggest that you should check on parcel delivery.
• Impersonation is present in most phishing attempts. Scammers play a role, and they typically choose to pose as employees of respectable companies. That might include Amazon, Microsoft, Steam, YouTube, etc. Some pretexting attempts might be more local, like focusing on shops or pharmacies in your area.
• Tailgating could involve scammers hoping to figure out their targets’ physical locations. In other cases, it might include outsiders following employees and attempting to enter corporate buildings without authorization.
• Scareware means that the chosen pretexting scenario is alarming to the target. It can claim issues with payments, taxes, orders, or bank accounts.
• Baiting aims to lure victims with joyous declarations of winning lotteries or being eligible for gift cards. It is the opposite of scareware.

In most countries, pretexting and obtaining personal information under false pretenses is illegal.

Examples of pretexting

Pretexting is essentially a phishing attack when the culprit pretends to be someone familiar or well-known to the victim. Then, the manipulation tries to coerce targets into revealing personal data, such as financial details.

Under that definition, scams like Amazon unauthorized purchase could belong to the pretexting category.

Many romance scams are also a type of social engineering and pretexting. Scammers build completely different identities on dating apps. Then, they contact and even nurture relationships with their victims.

After establishing trust, fraudsters introduce other pretexts, like financial or medical issues. In 2021, Americans lost nearly $350 million to such romance scams.

According to our research, 45% of scams exploit well-known brand names to gain victims’ trust. Therefore, pretexting can happen in almost any social engineering attack involving impersonation and attempts to steal users’ data.

Prevent pretexting and avoid falling victim to scams

Pretexting is highly dangerous. Scammers can use various techniques, like caller ID spoofing or convincing yet fake websites, to trick victims.

Thus, you need to double or triple-check whether phone calls, messages, or emails truly originate from trustworthy sources.

If someone contacts you under urgent matters, be it alarming or exciting, follow these tips to recognize pretexting:

• If the claims or offers seem suspicious, contact the associated service directly. You can do this via phone numbers listed on their websites, live chat, or email.
• Do not panic or fall for attempts to urge you to make a decision immediately. Staying level-headed is the most important thing during any form of misleading communication.
• Use techniques for stopping spam from reaching your inboxes. Take the time to report suspicious emails and block repetitive senders.
• Never click on unknown links, especially shortened ones. Scammers might use tools like Bitly to conceal the actual destination of URLs.
• Official company representatives should never ask for confidential information. Banks, tax authorities, or e-commerce businesses emphasize that employees should never require PINs or passwords.
• Be aware of pretexting and be on the lookout for scams. Consider social engineering possible whenever you receive unsolicited texts, calls, or emails.