Pretexting
How attackers construct believable personas and scenarios across any channel
The Auditor's Call
Monday, 11:20 AM. Mia Torres works in HR at a mid-sized software company in Dallas. Her phone rings. Caller ID shows "TaxShield LLP."
"Good morning, Mia. This is Daniel Brooks from TaxShield. I'm handling the external audit for project TS-844Q, the state payroll tax reconciliation. I'll need copies of all employee W-2s from the past fiscal year."
Mia doesn't recognize the project code, but it sounds official. Daniel continues before she can ask questions.
"I spoke with Thomas about this last week. He said you'd be the right person to help. We're on a tight deadline for the state filing. If you could bundle those into a ZIP and upload them to our secure portal, I'll send you the link right now."
Thomas is the CFO. Mia has never met anyone named Daniel Brooks, but he knows Thomas's first name and speaks with the casual confidence of someone who belongs. A follow-up email arrives moments later: TaxShield letterhead, NDA attached, secure upload link.
By noon, 420 W-2 PDFs sit on an attacker's server. Three days later, employees across the company receive IRS notices. Someone has already filed tax returns in their names.
This story is fictional, but the patterns are real.
Why This Matters
The Attack Channels article explained the technical mechanics of email, voice, and SMS attacks. But technical capability is just half the equation. An attacker with perfect caller ID spoofing still needs Mia to cooperate. The phishing page only works if someone clicks the link.
Pretexting is what makes someone click. It's the art of constructing a believable story that gives the target a reason to comply. The pretext provides context: who the attacker claims to be, why they're making contact, and why the request is legitimate.
Every successful social engineering attack relies on pretexting, whether the attacker says so explicitly or not. Understanding how pretexts are built helps you recognize the patterns, even when the specific details change.
Anatomy of a Pretext
A pretext has four components: identity, context, justification, and urgency. Daniel Brooks's attack on Mia included all four.
Identity
Who is the attacker pretending to be? Daniel claimed to be an external auditor from TaxShield LLP. This identity carried weight because:
- External auditors legitimately request sensitive documents
- Audit relationships often span multiple years
- Auditors typically contact operational staff directly
- The role explains why Mia wouldn't recognize him personally
Strong identities share these traits: they have legitimate reasons to make contact, they explain unfamiliarity, and they carry inherent authority.
Common pretexted identities include:
- IT support or security teams
- External auditors or compliance officers
- Vendors or partners referenced in public announcements
- Government agency representatives
- Executive assistants acting on behalf of leadership
Context
Why is this contact happening now? Daniel referenced project TS-844Q and a state payroll tax reconciliation. This context made the request feel routine rather than unusual.
Attackers build context through reconnaissance:
- LinkedIn reveals organizational structure and recent hires
- Press releases mention projects, partnerships, and executives
- SEC filings contain financial details and audit relationships
- Social media exposes personal connections and informal language
Daniel's mention of project TS-844Q was likely invented, but his casual reference to "Thomas" (the real CFO) grounded the story in verifiable reality. If Mia checked whether the company had a CFO named Thomas, she'd confirm it. That confirmation bleeds credibility into the rest of the story.
Justification
Why should the target comply? Daniel explained that he needed W-2s for a state payroll tax reconciliation. This justification worked because:
- It's a real type of audit that actually happens
- W-2s are exactly what such an audit would require
- HR is the department that would handle this request
- The request matched Mia's actual job responsibilities
Bad justifications ask for things that don't fit the identity or context. A "Microsoft support technician" asking for wire transfers triggers suspicion because technicians don't handle payments. Daniel's justification aligned perfectly with his claimed role.
Urgency
Why must the target act now? Daniel mentioned a "tight deadline for the state filing." This urgency served two purposes:
- It explained why he couldn't go through normal channels
- It pressured Mia to act before carefully thinking
Urgency doesn't have to be dramatic. "Deadline today" works better than "building is on fire." The goal is to make delay feel risky or difficult, not to create panic that triggers suspicion.
Building the Persona
A pretext isn't just a story. It's a character the attacker inhabits. The most effective pretexts feel natural because the attacker has practiced being Daniel Brooks, not just claiming to be him.
Voice and Register
Daniel spoke with casual confidence. He used first names ("Thomas") instead of titles ("the CFO"). He said "I'll need" rather than "could I possibly request." This register communicated that he belonged.
Attackers study how insiders communicate:
- How formal or informal is the typical email?
- Do people use first names or titles?
- What jargon or abbreviations are common?
- How direct are requests versus how much hedging happens?
Matching the target's communication style reduces friction. A stiff, formal tone at a casual startup feels wrong. Excessive friendliness at a buttoned-up law firm raises flags.
Anticipating Questions
Skilled pretexters prepare for resistance. If Mia had asked:
"Can you give me the project code again?" "TS-844Q. It should be in your system, but if not, Thomas can confirm."
"I should verify this with my manager." "Of course. Just let me know by end of day so we don't miss the filing window."
"Can I call you back at this number?" "You can, but I'll be in meetings. The email has everything you need."
Each response acknowledges the concern while steering back toward compliance. The attacker never refuses verification outright. That would be suspicious. Instead, they make verification feel unnecessary or offer alternatives they control.
Documentation as Credibility
Daniel's follow-up email included TaxShield letterhead and an NDA. These documents served no legitimate purpose. The NDA wasn't binding on Mia, and the letterhead proved nothing. But they felt official.
Attackers create supporting materials:
- Letterhead downloaded or recreated from public sources
- PDFs with official-looking formatting
- Email signatures with real-seeming phone numbers
- Reference documents that appear to confirm the request
The documents don't need to survive scrutiny. They just need to lower the perceived risk of compliance. If Mia wondered whether Daniel was legitimate, the email with attachments provided reassurance. She could see evidence.
Common Pretext Patterns
Certain pretexts appear repeatedly because they work reliably.
The Authority Figure
Impersonating someone with power over the target: an executive, a regulator, or a client. Authority figures can make unusual requests because questioning them feels risky.
"This is the CFO's office. He needs these contracts reviewed before his 4 PM meeting."
The target hesitates to push back because challenging authority could have consequences. Even if the request seems odd, complying feels safer than asking too many questions.
The Helpful Insider
Pretending to be someone offering assistance: IT support fixing a problem, HR resolving a benefits issue, security responding to a breach.
"We're seeing some unusual activity on your account. I can help you secure it, but I'll need you to verify your identity first."
The target engages because they think they're receiving help, not providing it. By the time they realize they're giving more than they're getting, the information is already shared.
The Vendor or Partner
Impersonating a third party the organization works with: an accounting firm, a software provider, a logistics company.
"This is FedEx. Your package is being held at customs. We need the commercial invoice to release it."
Vendor relationships involve legitimate information exchanges. The target can't easily verify every vendor contact, especially if the company uses dozens of service providers.
The Researcher or Journalist
Claiming to seek information for a legitimate purpose: an academic study, a news article, competitive research.
"I'm writing about trends in fintech security. Could you tell me about the authentication systems your team uses?"
The target may share more than they should because the request seems harmless. They're not giving access. They're just talking about their work. But the information collected becomes reconnaissance for later attacks.
Pretext Across Channels
The same pretext adapts to different channels. Daniel used voice for initial contact and email for documentation. Other combinations work too.
Email to voice. An email arrives warning about a security issue. Minutes later, a "follow-up call" offers to help resolve it. The email creates context; the call provides pressure.
Voice to SMS. A phone call references a verification code that will arrive shortly. "Read me the code so I can confirm it's really you." The call provides justification; the SMS delivers the payload.
SMS to web. A text warns about a package delay or payment failure. The link leads to a credential harvesting page. The SMS creates urgency; the website captures data.
Each channel plays to its strengths. Email delivers official-looking documents. Voice provides real-time pressure. SMS creates urgency through notification anxiety. Web pages collect information at scale.
The Reconnaissance Foundation
Pretexts work because they're built on real information. Daniel knew:
- The CFO's first name (Thomas)
- That the company might have state tax obligations
- That W-2s are kept by HR
- That Mia worked in HR
None of this required hacking. Most came from:
LinkedIn. Job titles, reporting structures, tenure dates, and company announcements. Daniel could find Thomas's name and Mia's role in minutes.
Company website. Press releases, leadership bios, partner announcements, and job postings. Any mention of audits, compliance, or regulatory filings provides pretext material.
SEC filings. For public companies, annual reports and proxy statements contain detailed financial information, auditor relationships, and executive compensation.
Social media. Personal accounts reveal travel schedules, hobbies, and relationships. Professional posts show projects and frustrations.
News articles. Coverage of deals, lawsuits, or expansions provides context for time-sensitive requests.
This open-source intelligence (OSINT) costs nothing to collect. The more an organization shares publicly, the more material attackers have to construct believable pretexts.
Key Takeaways
- Pretexts have four components: identity, context, justification, and urgency. Each element supports the others. A missing or weak component makes the whole story less convincing.
- Attackers inhabit characters, not just claim them. Voice, register, and communication style matter as much as the story itself. A pretext that sounds scripted fails even if the content is plausible.
- Documentation creates false credibility. Letterhead, NDAs, and official-looking PDFs reassure targets that requests are legitimate. These materials don't need to survive careful scrutiny, just lower the perceived risk of compliance.
- Reconnaissance makes pretexts personal. The specific details that make a pretext believable come from publicly available information. LinkedIn profiles, press releases, and social media posts become attack ammunition.
- The same pretext adapts across channels. A story that works over the phone works in email with minor adjustments. Multi-channel attacks use each medium for what it does best.
What's next: The AI Threats article explores how voice cloning and video deepfakes are transforming what's possible in social engineering.
Key Terms
- Pretext: A fabricated scenario designed to justify a request and establish the attacker's credibility.
- OSINT (Open-Source Intelligence): Information gathered from publicly available sources like social media, websites, news articles, and government filings.
- Authority bias: The tendency to comply with requests from perceived authority figures without careful verification.
- Register: The level of formality in speech or writing. Matching the target's register makes impersonation more convincing.
- Social proof: The psychological tendency to view actions as more appropriate when others seem to approve of them.
For additional terms, see the Account Takeover Glossary.
Generated with AI assistance. Reviewed by humans for accuracy.