Pretexting
Creating a fabricated scenario or false identity to manipulate a target into revealing sensitive information or performing an action they otherwise would not.
Also known as: social engineering pretext, false-pretext attack, identity pretexting
Last reviewed: 1 June 2026
Pretexting is the social-engineering practice of inventing a convincing backstory or persona to gain a target's trust before extracting information or access. Unlike phishing, which relies on mass delivery and urgency, pretexting typically involves more research and personalisation — the attacker crafts a plausible reason for the interaction tailored to the target.
Common pretexts include posing as an IT support technician who needs account credentials to fix a reported problem, a new employee needing guidance on accessing systems, a vendor requiring confirmation of payment details, or a journalist or researcher asking for company information. The attacker may conduct background research — through LinkedIn, company websites, and social media — to make the scenario credible.
Pretexting is a foundational technique in many larger attacks: it may be the initial step in an account takeover, business email compromise, or corporate espionage campaign. It can occur over the phone, by email, in person, or via messaging apps. Defence relies on strict verification procedures, security awareness training, and a culture where employees feel comfortable challenging unusual requests regardless of apparent authority.
Examples
- An attacker calls a company's reception desk posing as an IT contractor and asks for the name of the IT manager and their email format to send a 'required update form'.
- A fraudster contacts a bank's customer service pretending to be a recently widowed account holder in order to redirect account access.