What is pretexting?
Pretexting is the construction of a false identity and scenario an attacker uses to manipulate a target into disclosing information or taking an action.
Key takeaways
- Pretexting is the engine underneath nearly every social engineering attack. The channel changes; the pretext is the work.
- A good pretext is built on public reconnaissance and matches the target's normal workflow, so the request feels routine.
- Pretexts apply across all channels: email, voice, SMS, and physical (a person at the gate, in the lobby, in a maintenance uniform).
- Training does not stop pretexting; workflow controls and adaptive simulation do.
- For mid-market manufacturers, the highest-impact pretexts target IT help desks, AP, executive assistants, reception, and gate security.
What is a pretext, and how do attackers construct one?
A pretext has three components: who the attacker is pretending to be, why they are contacting the target right now, and what they need the target to do. A well-constructed pretext is the product of reconnaissance plus operational discipline.
Constructing the pretext is the actual work of a social engineering attack. The five inputs:
- Target context. The target's role, tenure, manager, recent projects, communication style, and the channel they normally use for the kind of action being requested.
- Organizational rhythm. Payment cycles, shift schedules, vendor visit windows, audit periods, executive travel, hiring waves, M&A activity. The pretext fits a moment when the action being requested is plausible.
- Authority surface. Who can credibly make the request. A CEO impersonation works for a wire approval but not for a badge issuance; a fire marshal impersonation works for a facility tour but not for a wire.
- Verification habit. What the target normally does to verify a request. The pretext is designed to either fit the verification step (a fake callback number) or to skip it (urgency, channel switching, social cost of refusal).
- Channel choice. Email, voice, SMS, physical, or a combination. Multi-channel pretexts (a spear phish followed by a confirming vishing call) have higher success rates than single-channel.
Public reconnaissance supplies most of the inputs. See What is OSINT (open-source intelligence)? for the underlying mechanics.
Pretexting vs phishing vs impersonation
These terms overlap. The distinctions matter operationally.
- Pretexting. The technique of constructing the false identity and scenario. Channel-agnostic.
- Phishing (and spear phishing). Pretexting delivered via email. The pretext is the message content; the channel is email.
- Vishing. Pretexting delivered via phone.
- Smishing. Pretexting delivered via SMS.
- Impersonation. Pretexting where the false identity is a specific named person (a real executive, a real vendor representative). Pretexting in general can use either a specific real person or a fabricated role ("IT support technician", "auditor", "delivery driver").
- Pretext entry (physical pretexting). Pretexting delivered in person, typically at a facility entrance or inside a workspace.
The defense against any of these starts with treating the pretext, not the channel, as the primary unit of attack. Stopping email-only pretexts leaves the voice, SMS, and physical surfaces open.
Common pretexts used against manufacturing employees
Mid-market manufacturers face a recurring set of pretexts. The same five appear in nearly every engagement.
1. Vendor or contractor. "I am the field-service technician from [vendor], here for the scheduled inspection / repair / install." Targets reception, gate security, or maintenance staff. The pretext exploits visible vendor relationships and the operational reality that vendors arrive regularly.
2. Auditor or inspector. OSHA, fire marshal, regulatory inspector, internal auditor, insurance inspector. Targets reception, plant management, and facility security. The pretext exploits the workplace expectation of compliance with authority.
3. IT help desk. "I am calling about the ticket you opened" or "We are doing the security patch on your laptop". Targets any employee. Exploits the help-desk relationship pattern (IT calls users about issues the user did not know they had).
4. Executive in transit. "I am [executive name], I am at [conference], I need you to [wire / reset / send / authorize] before [time]". Targets finance, AP, executive assistants, IT help desk. Exploits the visible travel calendar and the perceived social cost of saying no to an executive.
5. Delivery driver or trade contractor. "I have a delivery for [department], where can I drop this?" or "I am the electrician for the panel work in [area]". Targets gate, reception, shipping and receiving. Exploits the operational reality that deliveries and trade work happen constantly.
Each pretext is a workflow signature. Defending against pretexting means tightening the workflow at the point of each signature, not training people to recognize every possible variant.
Examples of pretexting in physical and digital attacks
What this looks like in practice during ARG engagements:
- Vendor technician at the gate, during morning rush. A pretexted contractor in branded apparel arrives during the 7 a.m. delivery window. The pretext references a known recurring vendor (visible from public case-study material). The contractor reaches the engineering network closet within twelve minutes. See What is physical penetration testing?
- "OSHA inspector" requesting facility walkthrough. A pretexted inspector arrives unannounced with a clipboard, a credible-looking ID, and a request to walk through specific areas. Reception authorizes the walkthrough; the inspector photographs network closets, badge readers, and control rooms.
- IT help desk callback to an employee. A vishing call to a user, claiming to be IT, "calling about the security alert on your machine". The user is walked through running a remote-access tool and disabling EDR. The "issue" is "fixed" once the attacker has working remote access.
- Executive wire approval call to AP, during a known industry event. A vishing call using a cloned executive voice reaches the AP lead during a known industry conference week. The pretext references the event by name; the AP lead routes the wire that day.
- Delivery-driver pretext at shipping and receiving. A pretexted "driver" arrives without paperwork, asks the shipping clerk to "scan in" a package, and uses the resulting badge-access moment to enter the building behind the clerk. See What is tailgating (piggybacking)?
- Auditor pretext during a known compliance window. During a publicly visible certification audit period, a pretexted "external auditor" calls IT to "verify the access controls" by walking through current admin accounts and recent password resets.
The pattern: a pretext that fits the visible business context, delivered to a workflow tuned for responsiveness.
How to train employees to surface a suspicious pretext
Training works when it produces a small set of reflexive behaviors, not when it produces awareness in general. For pretexting, four behaviors matter:
- Verify by callback to a directory-sourced contact. For any request that involves money, access, credentials, or sensitive information, the recipient ends the interaction and verifies through a separate channel using a number or address sourced from the system of record. Numbers and addresses supplied during the interaction do not count.
- Refer to the documented workflow. "I follow the process" is the line. The process exists because pretexts do not follow the process; calling the request back into the process surfaces the pretext.
- Treat urgency as a signal. Time pressure that prevents verification is the most common pretext tool. Trained behavior: when urgency is the reason to skip verification, do not skip verification.
- Escalate without social cost. The organization commits in writing that no employee is penalized for refusing to act on an unverified request, regardless of the apparent authority of the requester. The commitment removes the social-engineering lever.
The training program reinforces these behaviors continuously through adaptive simulation, not annually through a video-and-quiz module.
Best practices for verification workflows that defeat pretexting
- Two-person, out-of-band approval for high-loss actions. Wire transfers, vendor information changes, password resets, badge issuance. The approver is different from the requester and uses a different channel from the request.
- Directory-sourced contact information. Vendor master records, employee directory, executive contact list. Updates are controlled changes. Email signatures and PDF attachments are not authoritative.
- Visitor management. Pre-registered visitors only, escorted at all times, badges that expire by end of day, callback verification of any unscheduled visitor to the hosting employee at a directory-sourced number. Pre-registration is the choke point; pretexts cannot pre-register themselves.
- IT help-desk identity verification that survives pretext. Reset and unlock workflows require verification through a channel the user controls (corporate device, video call with corporate ID) plus a second-technician sign-off for sensitive accounts.
- OSHA, fire-marshal, and inspector verification. Pre-published process for unannounced inspections: who is called, what verification is run, what areas are accessible without escort. The process exists in writing; reception and security have it on hand.
- Continuous, multi-channel adaptive simulation. Pretext rotation across email, voice, SMS, and (during on-site engagements) physical entries. The workforce experiences a moving threat surface, which is the only condition under which the reflexive behaviors stay sharp.
- Documented escalation, not punishment. When a pretext is surfaced, the response is informational: log the attempt, learn from it, share the pattern across the team. When a pretext succeeds, the response is workflow change, not blame.
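The two-person, out-of-band approval and directory-sourced contact rules above, together with the callback and urgency behaviors from the training section, can be written as a release check for high-loss requests. This is an added example, not ARG's code; the identities, phone numbers, channel names and field names are constructed for illustration.

```python
from dataclasses import dataclass, field

# High-loss actions named in the best-practices list.
HIGH_LOSS = {"wire_transfer", "vendor_info_change", "password_reset", "badge_issuance"}

# Constructed system of record: identity -> callback number on file.
DIRECTORY = {
    "cfo@example.com": "+1-555-0100",
    "ap.lead@example.com": "+1-555-0101",
    "controller@example.com": "+1-555-0102",
}

@dataclass
class Approval:
    approver: str      # identity of the person approving
    channel: str       # channel the approver used to verify
    contact_used: str  # number the approver actually called back

@dataclass
class Request:
    action: str
    requester: str     # identity the request claims to come from
    channel: str       # channel the request arrived on
    urgent: bool = False
    approvals: list = field(default_factory=list)

def evaluate(req, directory=DIRECTORY):
    """Return reasons to hold the request; an empty list means release."""
    if req.action not in HIGH_LOSS:
        return []
    record = directory.get(req.requester)
    reasons = [] if record else ["requester not in directory"]
    valid = 0
    for a in req.approvals:
        if a.approver == req.requester:
            reasons.append(f"{a.approver}: approver is the requester")
        elif a.approver not in directory:
            reasons.append(f"{a.approver}: approver not in directory")
        elif a.channel == req.channel:
            reasons.append(f"{a.approver}: verified on the request channel")
        elif a.contact_used != record:
            reasons.append(f"{a.approver}: contact not from system of record")
        else:
            valid += 1
    if valid == 0:
        reasons.append("no valid out-of-band approval")
    if req.urgent and reasons:  # urgency never waives a failed check
        reasons.append("urgency cited while verification is incomplete")
    return reasons
```

A callback placed to a number supplied in the request fails the `contact_used` comparison even when the approver and channel are otherwise valid, which is the case the fake-callback pretext relies on.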
Pretexting FAQs
Is pretexting illegal?
Yes, when used to obtain information or access from a target without authorization. The FTC's Telemarketing Sales Rule and the Gramm-Leach-Bliley Act explicitly prohibit pretexting to obtain consumer financial information. Pretexting under signed authorization, conducted as part of an authorized security engagement, is legal and is the standard testing method for social engineering resilience.
What is the difference between pretexting and social engineering?
Social engineering is the broader category: any attack that manipulates people rather than technology. Pretexting is the specific technique of constructing a false identity and scenario; it is the engine underneath nearly every social engineering attack, including phishing, vishing, and physical pretext entry.
How do attackers research pretexts?
Public sources: LinkedIn for org structure and roles, the company website for vendor case studies and customer logos, SEC filings for material business events, conference speakers and podcast appearances for executive context, job postings for tooling and infrastructure, and employee personal social media for travel and operational rhythm. The reconnaissance is cheap and almost entirely passive. See What is OSINT (open-source intelligence)?.
Can security awareness training alone stop pretexting?
No. Training raises baseline awareness, but pretexts are designed to fit normal workflow and exploit social patterns that training does not override. Effective defense layers training with workflow controls (callback verification, two-person approval, identity verification protocols) and continuous adaptive simulation that maintains the reflexive behavior over time.
How ARG uses pretexting across physical, voice, and email simulations
Pretexting is the connective tissue between every ARG simulation channel. The same pretext arrives over email, then voice, then in person, rotated and adapted across rounds, so the workforce experiences the threat as it actually presents in the real world.
During on-site engagement weeks, David Ashby executes physical pretexting on the facility: vendor technician at the gate, auditor at reception, delivery driver at shipping and receiving, "fire marshal" walkthrough. The on-site pretexts are calibrated to the specific facility (gate layout, vendor traffic patterns, shift schedules) and the visible business context that week.
Between on-site weeks, James Wall operates the continuous pretexting program through email and voice channels. Pretext family, role impersonated, channel, and timing rotate per target per round. AP sees vendor-impersonation pretexts at payment-cycle moments; IT help desk sees executive-in-transit pretexts during known travel; reception and gate security receive simulated vendor and inspector pretexts during typical visit windows.
Findings consolidate into one operational view: which pretext families landed, which were surfaced and how quickly, what the workflow caught, what would have to change for the next round to fail. The packet shows trend over time; the quarterly review tracks measurable improvement in pretext-surfacing rate and verification-call adherence.
For founding clients, integrated pretexting simulation is part of the monthly retainer and the on-site engagement weeks.