Published: July 8, 2026 | Last updated: July 8, 2026
TL;DR
- Pretexting is a social engineering attack where criminals create a fabricated story (pretext) to manipulate victims into revealing sensitive information or performing actions that compromise security (Fortinet, 2026).
- Most pretexting attacks rely on two core elements: a convincing character (the false identity) and a plausible situation (the fabricated scenario) (IBM, 2024; Abnormal, 2026).
- Unlike phishing, which uses mass, urgent messaging (one email, one link), pretexting is highly personalized and involves multiple interactions over days or even weeks to build trust (Huntress, 2026).
- Baiting is a related social engineering tactic that uses an enticing offer — like free software, a USB drive labeled “Salary Data,” or a tempting download — to lure victims into a trap (Imperva, 2024; PhishingBox, 2026).
- The 2026 Verizon DBIR found that pretexting accounts for 6% of breaches and is increasingly used as an initial attack vector for ransomware and extortion (Delinea, 2026).
What Is Pretexting in Social Engineering?
Pretexting is a sophisticated social engineering technique where attackers create fabricated scenarios and false identities to manipulate victims into divulging sensitive information, making fraudulent payments, or granting unauthorized access (Abnormal, 2026). The attacker builds a believable story — the “pretext” — to gain the victim’s trust and extract confidential data such as login credentials, Social Security numbers, bank account details, or internal company information (Kyoceracyber, 2026).
Unlike phishing attacks that rely on urgency or fear to prompt immediate action, pretexting is more strategic and deceptive. It often involves detailed background research and psychological manipulation (Kyoceracyber, 2026). Attackers may spend days or weeks researching their target through social media, company websites, and press releases to craft a convincing backstory — a process known as open-source intelligence (OSINT) (Huntress, 2025). The attacker then impersonates a trusted individual or authority figure — such as an IT technician, HR representative, bank official, or colleague — and reaches out via phone, email, text, or even in person (Kyoceracyber, 2026).
The goal of pretexting is to put the attacker in a better position to launch a successful future attack. According to Fortinet, pretexting is “confined to actions that make a future social engineering attack more successful” (Fortinet, 2026). For example, an attacker might dress up as someone from a third-party vendor, wear a badge with the vendor’s logo, and pretend to have an appointment in your building. This disguise makes it easier to send believable phishing emails to anyone they form a rapport with (Fortinet, 2026).
How Pretexting Attacks Work: A Step-by-Step Breakdown
Pretexting attacks follow a structured progression that typically involves multiple stages (Trend Micro, 2026; Huntress, 2025):
1. Researching the Target. Attackers start by gathering information about their target. They comb through social media, company websites, press releases, and platforms like LinkedIn to build a convincing backstory. According to IBM, hackers can craft a convincing story based on information from social media feeds and other public resources after just 100 minutes of online search (IBM, 2024).
2. Crafting the Pretext. Based on their findings, attackers create a plausible scenario — for example, posing as an IT support agent claiming to fix a system issue, or as a CFO requesting a wire transfer (Huntress, 2025).
3. Establishing Trust. The attacker reaches out via email, phone, or even in person. They build rapport with the victim by sounding professional, referencing insider information, or using authority to pressure them (Huntress, 2025).
4. Requesting Information or Actions. Once trust is established, the attacker asks for sensitive data (e.g., credentials, financial details) or persuades the victim to perform an action (e.g., opening a malicious file or transferring money) (Huntress, 2025).
5. Executing the Attack. With the obtained information, the attacker exploits it for personal gain, often escalating their access or launching further cyberattacks (Huntress, 2025).
Which Two Elements Do Most Pretexting Attacks Rely On?
According to IBM, most pretexts are composed of two primary elements: a character and a situation (IBM, 2024). Abnormal, a cybersecurity firm, echoes this: pretexting attacks succeed by combining a convincing character and a plausible situation that creates urgency for victim cooperation (Abnormal, 2026). Similarly, Arctic Wolf identifies two major components: the character (the false identity the attacker assumes) and the situation (the plot or false narrative used to get the target to take a desired action) (Arctic Wolf, 2024).
The Character: This is the role that the scammer plays in the story. To build credibility with the potential victim, the scammer often impersonates someone with authority over the victim, such as a boss or executive, or someone the victim is inclined to trust. This (fake) character might be a coworker, IT staffer, service provider, or even a friend or loved one (IBM, 2024).
The Situation: This is the plot of the scammer’s fake story — the reason why the character (scammer) is asking the victim to take some action. Situations might be generic (“You need to update your account information”) or specific, especially if the scammer is targeting a particular victim (“I need your help, grandma”) (IBM, 2024).
Common Pretexting Examples in Cybersecurity
IT Support Scam
An attacker pretends to be from the IT department and asks an employee to verify their login credentials to “fix a system issue.” The attacker may reference actual system names or recent deployments discovered through reconnaissance to make the story more convincing (Kyoceracyber, 2026; Abnormal, 2026).
CEO Fraud / Business Email Compromise (BEC)
The attacker poses as a company executive — often the CEO or CFO — and instructs an employee to transfer funds or share sensitive documents. The message is well-written, consistent with previous communications, and carries clear executive authority (Kyoceracyber, 2026; Zoho, 2026).
Bank Fraud
A scammer impersonates a bank representative and requests account verification details under the guise of detecting suspicious activity. They may ask for Social Security numbers, passwords, or other personal details (Kyoceracyber, 2026).
Vendor Impersonation
A fake vendor contacts the finance department to change payment details for an upcoming invoice. They send a legitimate-looking invoice and ask the recipient to update payment details to a new account (Kyoceracyber, 2026; Zoho, 2026).
Deepfake / AI Voice and Video Impersonation
Attackers use AI-generated audio or video to convincingly impersonate executives, colleagues, or trusted figures. In February 2024, Arup, a multinational engineering firm, fell victim to a $25 million deepfake pretexting attack. Senior executives on a video call were digital fabrications, and the instructions to transfer funds were clear, urgent, and confidently delivered. The attackers never breached the network — they bypassed it by exploiting trust (Zoho, 2026).
Vishing (Voice Phishing)
Vishing is a type of social engineering attack where attackers use telephone calls or voice-based communication to trick someone into disclosing sensitive information, such as bank account details, login credentials, or personal identification information (Trend Micro, 2026).
Pretexting vs. Phishing: What’s the Difference?
The primary difference between pretexting and phishing is that pretexting sets up a future attack, while phishing can be the attack itself (Fortinet, 2026). In fact, many phishing attempts are built around pretexting scenarios.
| Feature | Phishing | Pretexting |
|---|---|---|
| Interaction | One-touch | Multi-touch (Huntress, 2026) |
| Timing | Seconds | Days or weeks (Huntress, 2026) |
| Personalization | Low | High (Huntress, 2026) |
| Goal | Credentials, clicks | Credentials, payments, system access (Huntress, 2026) |
Phishing attacks human nature through mass communication, often sending thousands of identical or slightly personalized emails hoping for even the smallest click rate (Huntress, 2026). The median time to fall for phishing is less than 60 seconds, with 21 seconds to click and 28 seconds to enter credentials (Huntress, 2026).
Pretexting requires a strong narrative and specific roles to deceive victims. Attackers research their targets, companies, and organizational structures to craft believable scenarios (Huntress, 2026). These attacks are overwhelmingly financially motivated, with 95% according to Verizon, and pretexting/BEC accounting for 24–25% of financially motivated incidents over the past two years (Huntress, 2026).
Pretexting vs. Baiting: Understanding the Difference
Baiting is another form of social engineering that is often confused with pretexting. While both are deceptive tactics, they operate differently.
Baiting is a social engineering tactic that uses something tempting to make a person take a risky action (PhishingBox, 2026). Attackers lure victims with an enticing offer — free software, a gift, a tempting download — and then trick them into downloading malware onto their systems or giving away their private information (Threatcop, 2025). Baiting promises an item, commodity, or reward to attract victims, infect their systems with malware, and steal sensitive information (Security Boulevard, 2025).
Common baiting examples include:
- A USB flash drive infected with malware and labeled “My private pics” left on a victim’s doorstep (ENISA, 2016)
- Free music or movie downloads that require the victim to share personal information such as login data and passwords (ARCyber, 2022)
- A malicious USB labeled “Salary Data” left in a common area (Huntress, 2025)
The key difference: pretexting builds a false scenario and identity to manipulate trust, while baiting uses an enticing offer to lure victims into a trap. Pretexting is personalized and often involves multiple interactions; baiting is more opportunistic and relies on curiosity or greed.
How to Prevent Pretexting Attacks
Organizations can protect themselves from pretexting attacks through a combination of policies, training, and technology (Huntress, 2025; Fortinet, 2026).
1. Employee Security Awareness Training. Train employees to recognize and respond to pretexting attempts. They should be skeptical of unsolicited requests for sensitive information, even if the requester sounds authoritative or references internal details (Huntress, 2025).
2. Verify Requests for Sensitive Information. Always verify requests for sensitive information or financial transactions through a separate channel. For example, if you receive a call from “IT support” asking for your password, call the IT department directly using a known number (Trend Micro, 2026).
3. Establish Strict Verification Procedures. Create verification protocols for password resets, wire transfers, and other sensitive actions. Require multiple approvals for large financial transactions.
4. Use Multi-Factor Authentication (MFA). Implement MFA to reduce the impact of stolen credentials. Even if an attacker obtains a password through pretexting, MFA can prevent unauthorized access.
5. Limit Publicly Available Information. Reduce the amount of sensitive information available on public websites, social media, and LinkedIn that attackers can use for reconnaissance.
6. Monitor for Anomalous Activity. Implement monitoring for unusual patterns, such as out-of-band requests (IT asking for passwords on the phone), calls after hours, or requests that sidestep normal approval processes (Huntress, 2026).
7. Develop Incident Response Procedures. Have clear procedures for reporting and responding to suspected pretexting attempts. Quick reporting can prevent successful attacks.
Comparison of Social Engineering Attacks
| Attack Type | Description | Method | Prevention |
|---|---|---|---|
| Pretexting | Fabricated scenario to manipulate trust (Fortinet, 2026) | Personalized deception, multiple interactions (Huntress, 2025) | Verify identity, train employees, establish verification procedures |
| Phishing | Mass, urgent messaging to trick victims (Fortinet, 2026) | One-touch, email or text with malicious links (Huntress, 2026) | Email filters, awareness training, MFA |
| Baiting | Enticing offer to lure victims (PhishingBox, 2026) | Tempting download, USB, or reward (Imperva, 2024) | Security awareness, restricted USB access |
| Tailgating | Following someone into a secure area (Imperva, 2024) | Physical access | Don’t hold doors, challenge strangers |
| Vishing | Voice-based pretexting via phone (Trend Micro, 2026) | Phone call impersonation | Verify caller identity, don’t share info over unsolicited calls |
Frequently Asked Questions
What is pretexting in cybersecurity?
Pretexting is a social engineering attack where cybercriminals create a fabricated scenario, or “pretext,” to manipulate victims into revealing sensitive information or performing actions that compromise security (Fortinet, 2026). The attacker assumes a false identity — such as an IT support agent, bank representative, or executive — and uses a believable story to gain the victim’s trust (IBM, 2024).
What is an example of pretexting in cyber security?
Common examples include IT support scams (an attacker pretends to be from IT and asks for login credentials), CEO fraud (an attacker poses as an executive requesting a wire transfer), bank impersonation (a scammer pretends to be a bank representative requesting account verification), and vendor impersonation (a fake vendor requests payment details to be changed) (Kyoceracyber, 2026; Zoho, 2026).
Which two elements do most pretexting attacks rely on?
Most pretexting attacks rely on two primary elements: a character (the false identity the attacker assumes) and a situation (the fabricated scenario that justifies the request). The character is often someone with authority or trust, such as a boss or IT staffer. The situation provides the reason for the victim to take action (IBM, 2024; Abnormal, 2026).
What is the difference between pretexting and phishing?
The primary difference is that pretexting sets up a future attack, while phishing can be the attack itself (Fortinet, 2026). Phishing uses urgent, mass messaging (one email, one link) and happens in seconds. Pretexting is highly personalized, involves multiple interactions over days or weeks, and builds trust before requesting sensitive information (Huntress, 2026).
What is baiting in cyber security?
Baiting is a social engineering tactic that uses an enticing offer — like free software, a USB drive, or a tempting download — to lure victims into a trap. Attackers bait victims with a reward and then trick them into downloading malware or giving away private information (PhishingBox, 2026; Imperva, 2024).
How can organizations prevent pretexting attacks?
Organizations can prevent pretexting through employee security awareness training, verifying requests for sensitive information through separate channels, establishing strict verification procedures, implementing multi-factor authentication, limiting publicly available information, and monitoring for anomalous activity (Huntress, 2025; Fortinet, 2026).
Why is pretexting dangerous?
Pretexting is particularly dangerous because it exploits human trust rather than technical vulnerabilities (Kyoceracyber, 2026). It can bypass even the most advanced firewalls and antivirus systems because the attack vector is psychological manipulation. Once trust is established, victims are more likely to comply with requests they would otherwise question (Kyoceracyber, 2026). The 2026 Verizon DBIR found that pretexting is increasingly used as an initial attack vector for ransomware and extortion (Delinea, 2026).
Key Takeaways
- Pretexting is a social engineering attack where criminals create a fabricated story (pretext) to manipulate victims into revealing sensitive information or performing actions that compromise security (Fortinet, 2026).
- Most pretexting attacks rely on two core elements: a convincing character (the false identity) and a plausible situation (the fabricated scenario) (IBM, 2024; Abnormal, 2026).
- Unlike phishing, which uses mass, urgent messaging (one email, one link), pretexting is highly personalized and involves multiple interactions over days or even weeks to build trust (Huntress, 2026).
- Baiting is a related social engineering tactic that uses an enticing offer — like free software, a USB drive labeled “Salary Data,” or a tempting download — to lure victims into a trap (Imperva, 2024; PhishingBox, 2026).
- The 2026 Verizon DBIR found that pretexting accounts for 6% of breaches and is increasingly used as an initial attack vector for ransomware and extortion (Delinea, 2026).
- Organizations can prevent pretexting through employee training, verification procedures, multi-factor authentication, and monitoring for anomalous activity (Huntress, 2025).