Pretexting
How attackers construct believable personas and scenarios across any channel
By Benjamin, Fraud Attacks · Updated
Pretexting is the fabrication of a believable scenario that gives a target a reason to comply with a request. A pretext has four parts: an identity the attacker assumes, a context that explains the contact, a justification for the specific request, and an urgency that limits the target's time to verify. This article breaks down each component and shows how publicly available information makes pretexts personal.
The Auditor's Call
Nadia was reviewing the call logs from the breach. Mid-sized software company in Dallas. 420 employees' W-2s exfiltrated through a single phone call.
The caller had reached Mia, an HR specialist, at 11:20 AM on a Monday. Caller ID showed "TaxShield LLP." He'd introduced himself as Daniel Brooks, handling the external audit for project TS-844Q, the state payroll tax reconciliation.
Nadia listened to the recording. "I spoke with Thomas about this last week. He said you'd be the right person to help. We're on a tight deadline for the state filing."
Thomas was the CFO. Mia had never met anyone named Daniel Brooks, but he knew the CFO's first name and spoke with the casual confidence of someone who belonged. He'd sent a follow-up email moments later. TaxShield letterhead. NDA attached. Secure upload link.
By noon, 420 W-2 PDFs sat on a server the attacker controlled.
Three days later, employees across the company received IRS notices. Someone had already filed tax returns in their names.
Nadia checked: TaxShield LLP didn't exist. The project code was made up. The caller ID was spoofed. But the pretext was solid. External auditors legitimately request sensitive documents. They have deadlines. They name-drop executives. The only thing that felt off was how smoothly it went.
This story is fictional, but the patterns are real.
The IRS classifies this exact pattern (emails or calls impersonating executives to extract employee W-2s from HR or payroll) as a form of business email compromise, and publishes guidance for businesses on prevention and reporting.[1]
Why This Matters
The Attack Channels article explained the technical mechanics of email, voice, and SMS attacks. But technical capability is just half the equation. An attacker with perfect caller ID spoofing still needs Mia to cooperate. The phishing page only works if someone clicks the link.
Pretexting is what makes someone click. It's the art of constructing a believable story that gives the target a reason to comply. The pretext provides context: who the attacker claims to be, why they're making contact, and why the request is legitimate.
Every successful social engineering attack relies on pretexting, whether the attacker says so explicitly or not. Verizon's 2025 DBIR found that 16% of breaches start with phishing as the initial access vector, and credential abuse (almost always set up by a pretext) was the single largest entry point at 22%.[2] Understanding how pretexts are built helps you recognize the patterns, even when the specific details change.
What are the four components of a pretext?
A pretext has four components: identity, context, justification, and urgency. Daniel Brooks's attack on Mia included all four. These map cleanly onto the principles of influence Robert Cialdini documented in Influence: The Psychology of Persuasion: authority, consistency, and scarcity show up here as identity, justification, and urgency respectively.[3]
Identity
Who is the attacker pretending to be? Daniel claimed to be an external auditor from TaxShield LLP. This identity carried weight because:
- External auditors legitimately request sensitive documents
- Audit relationships often span multiple years
- Auditors typically contact operational staff directly
- The role explains why Mia wouldn't recognize him personally
Strong identities share these traits: they have legitimate reasons to make contact, they explain unfamiliarity, and they carry inherent authority.
Common pretexted identities include:
- IT support or security teams
- External auditors or compliance officers
- Vendors or partners referenced in public announcements
- Government agency representatives
- Executive assistants acting on behalf of leadership
Context
Why is this contact happening now? Daniel referenced project TS-844Q and a state payroll tax reconciliation. This context made the request feel routine rather than unusual.
Attackers build context through reconnaissance:
- LinkedIn reveals organizational structure and recent hires
- Press releases mention projects, partnerships, and executives
- SEC filings contain financial details and audit relationships
- Social media exposes personal connections and informal language
Daniel's mention of project TS-844Q was likely invented, but his casual reference to "Thomas" (the real CFO) grounded the story in verifiable reality. If Mia checked whether the company had a CFO named Thomas, she'd confirm it. That confirmation bleeds credibility into the rest of the story.
Justification
Why should the target comply? Daniel explained that he needed W-2s for a state payroll tax reconciliation. This justification worked because:
- It's a real type of audit that actually happens
- W-2s are exactly what such an audit would require
- HR is the department that would handle this request
- The request matched Mia's actual job responsibilities
Bad justifications ask for things that don't fit the identity or context. A "Microsoft support technician" asking for wire transfers triggers suspicion because technicians don't handle payments. Daniel's justification aligned perfectly with his claimed role.
Urgency
Why must the target act now? Daniel mentioned a "tight deadline for the state filing." This urgency served two purposes:
- It explained why he couldn't go through normal channels
- It pressured Mia to act before thinking carefully
Urgency doesn't have to be dramatic. "Deadline today" works better than "building is on fire." The goal is to make delay feel risky or difficult, not to create panic that triggers suspicion.
How do attackers build a believable persona?
A pretext isn't just a story. It's a character the attacker inhabits. The most effective pretexts feel natural because the attacker has practiced being Daniel Brooks, not just claiming to be him.
Voice and Register
Daniel spoke with casual confidence. He used first names ("Thomas") instead of titles ("the CFO"). He said "I'll need" rather than "could I possibly request." This register communicated that he belonged.
Attackers study how insiders communicate:
- How formal or informal is the typical email?
- Do people use first names or titles?
- What jargon or abbreviations are common?
- How direct are requests versus how much hedging happens?
Matching the target's communication style reduces friction. A stiff, formal tone at a casual startup feels wrong. Excessive friendliness at a buttoned-up law firm raises flags.
Anticipating Questions
Skilled pretexters prepare for resistance. If Mia had asked:
"Can you give me the project code again?" "TS-844Q. It should be in your system, but if not, Thomas can confirm."
"I should verify this with my manager." "Of course. Just let me know by end of day so we don't miss the filing window."
"Can I call you back at this number?" "You can, but I'll be in meetings. The email has everything you need."
Each response acknowledges the concern while steering back toward compliance. The attacker never refuses verification outright. That would be suspicious. Instead, they make verification feel unnecessary or offer alternatives they control.
Documentation as Credibility
Daniel's follow-up email included TaxShield letterhead and an NDA. These documents served no legitimate purpose. The NDA wasn't binding on Mia, and the letterhead proved nothing. But they felt official.
Attackers create supporting materials:
- Letterhead downloaded or recreated from public sources
- PDFs with official-looking formatting
- Email signatures with real-seeming phone numbers
- Reference documents that appear to confirm the request
The documents don't need to survive scrutiny. They just need to lower the perceived risk of compliance. If Mia wondered whether Daniel was legitimate, the email with attachments provided reassurance. She could see evidence.
Common Pretext Patterns
Certain pretexts appear repeatedly because they work reliably.
The Authority Figure
Impersonating someone with power over the target: an executive, a regulator, or a client. Authority figures can make unusual requests because questioning them feels risky.
"This is the CFO's office. He needs these contracts reviewed before his 4 PM meeting."
The target hesitates to push back because challenging authority could have consequences. Even if the request seems odd, complying feels safer than asking too many questions. CEO and executive impersonation is one of the major sub-patterns inside the 21,442 BEC complaints and ~$2.77 billion in adjusted losses the FBI's IC3 logged in 2024, alongside vendor/supplier and legal-representative impersonation.[4] A worked example of how this plays out end-to-end is in the BEC wire walkthrough.
The Helpful Insider
Pretending to be someone offering assistance: IT support fixing a problem, HR resolving a benefits issue, security responding to a breach.
"We're seeing some unusual activity on your account. I can help you secure it, but I'll need you to verify your identity first."
The target engages because they think they're receiving help, not providing it. By the time they realize they're giving more than they're getting, the information is already shared. The same persona drives SIM-swap pretexting against mobile carriers; see attack methods in the Account Takeover module for how this becomes full account compromise.
The Vendor or Partner
Impersonating a third party the organization works with: an accounting firm, a software provider, a logistics company.
"This is FedEx. Your package is being held at customs. We need the commercial invoice to release it."
Vendor relationships involve legitimate information exchanges. The target can't easily verify every vendor contact, especially if the company uses dozens of service providers. Spear-phishing emails built on vendor pretexts are dissected in the phishing campaign walkthrough.
The Researcher or Journalist
Claiming to seek information for a legitimate purpose: an academic study, a news article, competitive research.
"I'm writing about trends in fintech security. Could you tell me about the authentication systems your team uses?"
The target may share more than they should because the request seems harmless. They're not giving access. They're just talking about their work. But the information collected becomes reconnaissance for later attacks.
How does a pretext adapt across channels?
The same pretext adapts to different channels. Daniel used voice for initial contact and email for documentation. Other combinations work too.
Email to voice. An email arrives warning about a security issue. Minutes later, a "follow-up call" offers to help resolve it. The email creates context; the call provides pressure.
Voice to SMS. A phone call references a verification code that will arrive shortly. "Read me the code so I can confirm it's really you." The call provides justification; the SMS delivers the payload.
SMS to web. A text warns about a package delay or payment failure. The link leads to a credential harvesting page. The SMS creates urgency; the website captures data.
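A defender's view of the cross-channel sequences above, as an added example that is not part of the original article: it groups one employee's contacts from previously unseen peers into bursts and flags bursts that span more than one channel, rating a contact followed by an outbound upload as the most serious. The event tuple layout, the `known` flag, the 45-minute gap, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

CONTACT = {"voice", "email", "sms"}

# Constructed sample events: (timestamp, user, channel, peer already known?).
EVENTS = [
    ("2025-03-03T11:20", "mia", "voice", False),
    ("2025-03-03T11:26", "mia", "email", False),
    ("2025-03-03T11:58", "mia", "upload", False),
    ("2025-03-03T09:00", "omar", "email", True),
    ("2025-03-03T14:00", "omar", "voice", False),
    ("2025-03-03T13:00", "ana", "email", False),
    ("2025-03-03T13:05", "ana", "voice", False),
    ("2025-03-03T10:00", "lee", "sms", False),
    ("2025-03-03T16:00", "lee", "email", False),
]

def score(user, chain):
    """Alert only when one user saw unknown peers on 2+ channels in a burst."""
    channels = [c for _, c in chain]
    if len(set(channels)) < 2:
        return []
    # A contact followed by an outbound upload matches the W-2 scenario's shape.
    seen_contact, severity = False, "medium"
    for c in channels:
        if c in CONTACT:
            seen_contact = True
        elif c == "upload" and seen_contact:
            severity = "high"
    return [{"user": user, "channels": channels, "severity": severity}]

def find_chains(events, max_gap=timedelta(minutes=45)):
    """Group each user's unknown-peer events into bursts and score them."""
    by_user = {}
    for ts, user, channel, known in events:
        if not known:
            by_user.setdefault(user, []).append((datetime.fromisoformat(ts), channel))
    alerts = []
    for user, items in by_user.items():
        items.sort()
        chain = [items[0]]
        for item in items[1:]:
            if item[0] - chain[-1][0] <= max_gap:
                chain.append(item)
            else:
                alerts += score(user, chain)
                chain = [item]
        alerts += score(user, chain)
    return alerts
```

Calling `find_chains(EVENTS)` returns one high-severity alert for the voice, email, upload burst and one medium-severity alert for the email-then-call pair; single-channel or widely spaced contacts produce nothing.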
Where do attackers gather pretext material?
Pretexts work because they're built on real information. Daniel knew:
- The CFO's first name (Thomas)
- That the company might have state tax obligations
- That W-2s are kept by HR
- That Mia worked in HR
None of this required hacking. Most came from:
LinkedIn. Job titles, reporting structures, tenure dates, and company announcements. Daniel could find Thomas's name and Mia's role in minutes.
Company website. Press releases, leadership bios, partner announcements, and job postings. Any mention of audits, compliance, or regulatory filings provides pretext material.
SEC filings. For public companies, annual reports and proxy statements contain detailed financial information, auditor relationships, and executive compensation.
Social media. Personal accounts reveal travel schedules, hobbies, and relationships. Professional posts show projects and frustrations.
News articles. Coverage of deals, lawsuits, or expansions provides context for time-sensitive requests.
This open-source intelligence (OSINT) costs nothing to collect. The more an organization shares publicly, the more material attackers have to construct believable pretexts.
Key Takeaways
- Pretexts have four components: identity, context, justification, and urgency. Each element supports the others. A missing or weak component makes the whole story less convincing.
- Attackers inhabit characters, not just claim them. Voice, register, and communication style matter as much as the story itself. A pretext that sounds scripted fails even if the content is plausible.
- Documentation creates false credibility. Letterhead, NDAs, and official-looking PDFs reassure targets that requests are legitimate. These materials don't need to survive careful scrutiny, just lower the perceived risk of compliance.
- Reconnaissance makes pretexts personal. The specific details that make a pretext believable come from publicly available information. LinkedIn profiles, press releases, and social media posts become attack ammunition.
- The same pretext adapts across channels. A story that works over the phone works in email with minor adjustments. Multi-channel attacks use each medium for what it does best.
What's next: The AI-enhanced attacks section of Attack Channels covers how voice cloning and video deepfakes are transforming what's possible in social engineering, including the Arup deepfake case where a finance worker authorized $25 million in transfers after a video call with an AI-generated CFO.
Key Terms
- Pretext: A fabricated scenario designed to justify a request and establish the attacker's credibility.
- OSINT (Open-Source Intelligence): Information gathered from publicly available sources like social media, websites, news articles, and government filings.
- Authority bias: The tendency to comply with requests from perceived authority figures without careful verification.
- Register: The level of formality in speech or writing. Matching the target's register makes impersonation more convincing.
- Social proof: The psychological tendency to view actions as more appropriate when others seem to approve of them.
For additional terms, see the Account Takeover Glossary.
References
1. IRS. Form W-2/SSN data theft: Information for businesses and payroll service providers. (Official IRS guidance classifying W-2 phishing as a form of business email compromise; reporting addresses for affected employers)
2. Verizon 2025 Data Breach Investigations Report. (22% of breaches start with credential abuse; 16% begin with phishing as the initial access vector)
3. Cialdini, R. B. (1984/2021). Influence: The Psychology of Persuasion. Harper Business. The six principles: reciprocity, commitment/consistency, social proof, authority, liking, and scarcity.
4. FBI IC3 2024 Internet Crime Report. (21,442 BEC complaints with ~$2.77 billion in adjusted losses in 2024)