Cyber Lingo: What is pretexting in cyber security?
2024-06-07 01:00:19 Author: securityboulevard.com

The goal of pretexting is to gather information that can be used to access systems, steal identities, or commit fraud. This information can include passwords, social security numbers, bank account details, or other personal data.

For example, when you get a fake call from the CRA saying you need to pay a fee, the scammer may recite the last few digits of your SIN. The scammer posing as a CRA agent, armed with your phone number, SIN, and whatever other information they have gathered, is “pretexting”. They hope that by building a believable story, you will hand over information they can sell on the black market or use to access your financial accounts.

Applications of pretexting

When will you see the term “pretexting”?

As a non-security professional you’ll rarely see the term pretexting. It may come up in your security awareness training, but, more importantly, knowing what pretexting is can help you recognize when it is being used against you.

When will pretexting be used against you?

Pretexting will be used by a cyber criminal in any social engineering scenario. When you receive a phone call, see someone you don’t recognize at the office, or get texts from a brand, you could be experiencing pretexting.

How to spot pretexting

Now that you understand what pretexting is, let’s learn how to spot it before the cyber criminal can get to your personal information. Here are some key red flags that could mean someone is pretexting you:

  1. They contact you. The CRA, Amazon, or Secret Services will rarely call you first. If you think the call is legit, tell the caller you are going to hang up and call back. Their reaction should be a great tell. If they are a scammer, they will try to convince you to stay on the line. If they are a real customer service agent, they should understand and allow you to hang up, find the real number by doing your own research, and call them back.
  2. Unexpected asks. Stay on guard for calls, in-person requests, or texts requesting information that you weren’t expecting. Ask yourself whether you have spoken to this person before and have verified their trustworthiness. Did you know this person would be calling and asking you for this information?
  3. Pressure tactics. Beware of any company representative who pressures you to give information or stay on the call. They will likely play on fear, urgency, and uncertainty to trick you into giving up information.
  4. Verification failure. Verify the caller yourself. While the caller is speaking, ask for their name and search on LinkedIn or the company’s website to see if they are a real person. Beware, though: scammers are catching on to this verification technique and have started creating fake LinkedIn profiles. Use this check together with the other red flags listed here to spot pretexting.

Real life case

One of the most famous cases that serves as an example of pretexting is the MGM attack from 2023. The cyber attack led to week-long issues for room keys and virtual gambling machines, completely disrupting the operations of the entertainment giant. 

The attack reportedly began after a cyber criminal found information about an employee on LinkedIn and called the Help Desk, using that information to impersonate the employee. The attacker provided enough detail and built enough trust (pretexting) to convince the Help Desk employee to give them access to an account. They used this access to deploy ransomware and demand a ransom.

Other terms

  • Social engineering: Manipulating or deceiving a victim to trick them into giving information or access to a network.
  • Phishing: An attempt to steal information by using emails or text messages that pretend to come from a reputable source.
  • Security awareness: The knowledge and attitude members of an organization have towards their cyber security.
  • Baiting: Enticing victims with a promise of something they want, such as free software or a gift, to get them to provide information or download malware.

Pretexting is a sophisticated and manipulative tactic used by cybercriminals to gain access to sensitive information. By understanding what pretexting is, where it is likely to occur, and how to recognize the signs, you can better protect yourself and your organization from falling victim to these deceptive schemes. Stay informed about related terms and always practice caution when dealing with unsolicited requests for information. Awareness and vigilance are your best defences against pretexting and other forms of social engineering attacks.


Source: https://securityboulevard.com/2024/06/cyber-lingo-what-is-pretexting-in-cyber-security/