Generative AI text and video significantly increase the risk of cyber threats, making it more important than ever to bring your cybersecurity A-game. Phishing emails have increased by a staggering 1,250% in just two years, and deepfakes in North America have gone up by over 1,700%, posing significant challenges for businesses trying to detect fraudulent activity. These attacks rely on a cunning technique called pretexting. To protect your company, you need to know what pretexting is in cybersecurity and how to respond.
By definition, pretexting involves creating a false narrative, story, or scenario to trick victims. Sometimes, the story aims to gain the person’s trust. Other times, fear and manipulation are the objective. With a convincing performance, bad actors can persuade victims to take harmful actions, such as:
Pretexting uses the power of email, text messages, voice chat, mobile devices, and websites to make the deception harder to detect.
Pretexting and phishing are closely related and often overlap in the same attacks. Phishing describes the attack vectors (e.g., email or phone calls). Pretexting describes the method of attack (i.e., fabricating a story).
Both of these attacks involve social engineering. Unlike brute-force hacks, social engineering attacks target the human element.
Put simply, it’s easier to trick employees into opening a door instead of using a crowbar to break in. If hackers can capture an executive’s passwords, they can steal company secrets practically undetected.
It’s easier to understand what pretexting is in cybersecurity — and how to defend against it — with specific examples. The following scenarios are happening to companies of every size, in every industry, around the country.
In BEC attacks, the scammer pretends to be a manager, executive, or business owner. Employees often follow instructions from higher-ups without questioning them, fearing repercussions if they delay.
Next comes the pretext, usually an urgent need or emergency:
Sometimes, cybercriminals spoof your company’s email address. Other times, they use a real email account, logging in with credentials stolen from a careless employee. The end result is the same — it looks like the email came from within your organization.
In this pretexting attack, the scammer impersonates an official organization, such as the IRS or a bank.
The email or text message goes something like this: “We have detected a potentially fraudulent purchase on your account. Home Depot in St. Louis, MO. Total purchase $2,500. Item H439 – Toro Riding Lawn Mower. If this was you, disregard this alert. For more details, go to http://www.bankexample.co/myaccount/login/.”
When victims click the link, they end up on a fake website. By “logging in,” they’re actually giving away their password, MFA cookies, and credit/debit card details. The criminals then log into the person’s account and steal funds.
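As an added defensive example (not from the original article), the following Python checks the links in a message like the alert quoted above against an allowlist of the sender's real domains and flags lookalikes such as `.co` standing in for `.com` or a one-character typo of the brand name; `TRUSTED_DOMAINS` and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the fake bank alert quoted above.
SAMPLE_ALERT = (
    "We have detected a potentially fraudulent purchase on your account. "
    "If this was you, disregard this alert. For more details, go to "
    "http://www.bankexample.co/myaccount/login/."
)

# Hypothetical allowlist: domains the real bank actually links to.
TRUSTED_DOMAINS = {"bankexample.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive; ignores multi-part suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one URL."""
    domain = registrable_domain(urlparse(url).hostname or "")
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        # Same brand label under a different TLD (.co for .com), or one typo away.
        if (name == good_name and tld != good_tld) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


def find_suspicious_links(text: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[tuple[str, str]]:
    """Extract every URL (minus trailing sentence punctuation) and classify it."""
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(text)]
    return [(u, classify_link(u, trusted)) for u in urls]
```

Any link classified as `lookalike` or `unknown` is a cue to stop and verify through a channel you already trust, such as the phone number printed on your card, rather than the one in the message.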
For this pretexting attack, scammers pretend to be one of your suppliers. They email a legitimate-looking invoice with bogus charges, often threatening to report you to a credit agency for nonpayment.
The goal isn’t to convince you to make the payment. It’s to get you to click the link or call the phone number on the invoice to dispute the charge. The person on the phone then claims to need to “verify” your account information, such as credit card numbers or login details.
It’s impossible to stop pretexting emails or calls, but you can make sure your employees and network are ready for them.
These days, it’s easy for cybercriminals to create websites and forms that seem completely real, with logos, content, friendly videos, and more. Instead of taking invoices or alerts at face value, verify the source of emails and reach out directly.
Make employees feel comfortable asking for more info. Encourage reaching out to verify instructions.
Look for telltale signs of pretexting:
Above all, slow down. Don’t give in to pressure. Verify requests with a second source or consult with a supervisor to ensure authenticity before acting.
Create clear policies around password resets, credit card usage, money transfers, and invoice approval. Before the scams arrive, know exactly how to respond to them.
Pretexting isn’t theory. It’s behind major cyberattacks and data breaches. For example, one global brand lost over $25 million when an employee fell for a pretexting attack. The company’s “chief financial officer” ordered the employee to transfer money. Scammers set up a conference call using deepfake video and audio of the CFO and other coworkers.
Another real attack sent bulk SMS messages to a company’s employees asking them to contact HR about a payroll issue via a form. Not all fell for it, but it only takes one victim’s credentials to make a network vulnerable.
Employee training is one of the pillars of cybersecurity frameworks like SOC 2. Go beyond videos and schedule practice sessions. Knowing what pretexting is in cybersecurity can help your team avoid costly data breaches. Learn more about SOC 2 compliance and how Compyl can help.