Carnegie Mellon University


February 20, 2020

Social Engineering: Pretexting and Impersonation

Pretexting is a form of social engineering where a criminal creates a fictional backstory that is used to manipulate someone into providing private information or to influence behavior. Criminals will often impersonate a person of authority, co-worker, or trusted organization to engage in back-and-forth communication prior to launching a targeted spear phishing attack against their victim. Criminals conduct extensive research on a target in order to create a credible story to help build rapport and establish trust.

To help establish credibility, criminals will use leaked personal information from previously disclosed data breaches, as well as the Internet, to learn about their potential victims. Details criminals may use to establish credibility in a pretexting attack include the target's job title, office location, work history, business relationships, and personal information such as home address, phone number, date of birth, and the last four digits of a Social Security number or credit card.

Use the following tips to ensure that you do not fall victim to a pretexting social engineering attack:

  • Limit personal information that is shared online.
  • Regularly review search results for your name on an Internet search engine. Request to have personal information removed from any public sites.
  • Use a trusted channel to verify the phone number or email address of an unusual message.
  • Always be suspicious of unsolicited "urgent" requests.
  • Never provide passwords, SSNs, or other personal/confidential information when you cannot be sure whom you are talking to.
  • Don't click on links in email; instead, navigate to a trusted webpage.
  • Don't open unexpected attachments.
  • If a company you do business with is requesting information, inform them that in order to protect yourself against identity theft, you will need to reinitiate contact with the company through a trusted channel.

Example of a Pretexting Social Engineering Attack

A message thread of a criminal using a phony CEO email to message the VP of Finance. The criminal asks how the VP of Finance's wife and kids are doing to establish credibility. He found this information using social networking sites. The criminal then asks the VP of Finance for an important favor: he needs the VP of Finance to process a wire transfer for $14,545 USD.