See how executive impersonation, fake IT calls, and recruiter scams work—and how to disrupt pretexting before it becomes a breach.

Pretexting is the fabricated story that convinces a person to hand over money, credentials, or access. It sits underneath nearly every successful social engineering attack. Security tools inspect attachments, links, and login attempts; pretexting supplies the invented context that makes a request feel legitimate.
One convincing phone call, now often aided by a cloned voice and an AI-written script, moves large sums before anyone verifies it. Reported cybercrime losses hit $16.6 billion in 2024, with business email compromise and impersonation scams among the costliest categories. Security teams disrupt pretexting by identifying the invented identity, the researched context, and the urgency before the payload lands.
Pretexting is the social engineering technique of inventing a false scenario and identity to manipulate a target into acting. It is the staging layer beneath phishing, vishing, smishing, and in-person attacks: the reason the target believes the request is real.
Every pretext starts with a story that the target has no immediate reason to question. An attacker posing as a CFO referencing a confidential acquisition, or an IT technician citing a system outage that the target has already noticed, is constructing a reality the target steps into voluntarily. The story earns trust; the trust earns compliance.
The delivery channel changes. The trust-building function stays the same. A phishing email referencing a real vendor and invoice number, a vishing call from someone claiming to be IT support, an SMS referencing a missed delivery: each carries the same pretexting mechanic across a different channel.
Without the pretext, a phishing email is a mass-distributed lure. With it, the same email becomes a targeted attack. Attackers choose the channel that fits the story.
Attackers assemble every effective pretext from four building blocks: researched context, a credible identity, a plausible reason, and manufactured urgency. These map onto the early stages of the social engineering attack chain, where reconnaissance gathers the context, weaponization builds the identity, and persuasion supplies the reason and the urgency.
Research is what separates a pretext the target acts on from one they delete. Attackers pull job postings, LinkedIn profiles, earnings call transcripts, and org charts to build a target profile that makes the pretext feel personal. A message referencing a real project, a real colleague, and a real deadline is far harder to dismiss than a generic request.
A borrowed identity supplies the authority that the target is conditioned to obey. Attackers construct whole identities with spoofed email domains, cloned phone numbers, fabricated LinkedIn profiles, and AI-generated voices, so the person behind the request looks like someone the target already trusts.
The strongest pretexts ask targets to do something they already do. A finance director who processes wire transfers every week, or a help desk analyst who resets MFA tokens daily, is more likely to comply with a request that fits an existing workflow than one that introduces a new process.
Urgency compresses the window for skepticism. Attackers invoke compliance deadlines, traveling executives, system outages, or regulatory consequences to force action before the target can check through an independent channel.
The most damaging pretexting scams reuse a handful of reliable identities: executives, IT support, vendors, recruiters, and government authorities. Attackers tune each identity to a context the target already trusts.
The pretext is consistent across the highest-dollar BEC cases: an attacker posing as a CEO or CFO directs a finance team member to execute an urgent, confidential wire transfer. Attackers have used emailed instructions from a spoofed executive identity to push acquisition-themed transfer requests, and they have also exploited periods of leadership transition when a newly installed executive has no established behavioral baseline, as documented in FBI business email compromise cases.
A help desk pretext can turn a single support call into domain-wide access. In a widely reported 2023 campaign, Scattered Spider operators called the internal IT help desk of a major hospitality company, impersonated an employee using details scraped from social media, and persuaded staff to reset MFA credentials.
The intrusion drove major financial losses, forced an extended operational shutdown, and exposed customer data. The same operators reached a second hospitality operator through an outsourced IT support vendor whose weaker identity-verification protocols offered a path around the enterprise's own controls, and the resulting credential resets led to a ransom payment.
Vendor impersonation hijacks a trusted supplier relationship to redirect a legitimate payment. Attackers insert themselves into an existing invoice thread or send a banking-detail change that matches the vendor's normal cadence, so the request reads as routine accounts-payable activity rather than fraud.
The Lazarus Group has operated fake recruitment campaigns through LinkedIn messages and fabricated interviews to deliver malware to targets in defense, aerospace, and cryptocurrency sectors. In a campaign tracked as "Contagious Interview", attackers posed as recruiters and invited software developers to participate in a fictitious interview process designed to infect their systems with malware.
The campaign's objectives include cryptocurrency theft and using compromised developer environments as staging infrastructure. These campaigns remain active: in a recent Lazarus operation, the group targeted Web3 developers through fake recruiter profiles and code review requests on LinkedIn.
Government and law enforcement impersonation runs on fear of authority. Attackers pose as a tax agency, a court, or the police and tell the target that a missed jury summons, an unpaid fine, or a criminal investigation demands immediate payment.
The tactic is brazen enough that criminals have impersonated the FBI's own Internet Crime Complaint Center, the agency that fields cybercrime reports. Fear of government authority replaces trust as the psychological lever.
Pretexting targets human judgment through legitimate-looking channels. Controls built to flag malicious code, bad links, or unrecognized logins often miss pretexting because the request itself can look legitimate.
A message reading "This is Mark from IT; can you confirm your employee ID so I can reset your VPN token?" reads exactly like a legitimate help desk request. Email gateways built on signature matching, URL reputation, and attachment sandboxing produce zero alerts.
A human element shows up in 60% of breaches, and a clean message with nothing for a filter to catch is exactly how attackers reach it.
Annual training covers email scrutiny. A voice call from someone who sounds exactly like the CFO, a Teams message from an apparent colleague during an active system outage, or a multi-day relationship-building sequence from a fabricated third-party lawyer falls outside every standardized scenario.
Attackers save their most customized pretexts for privileged users, whose access is worth the effort, and yearly training never rehearses those cases.
Pretexting campaigns routinely span channels. Attackers can flood a target's inbox with email bombing, follow with a voice call from someone offering to fix the problem, then deliver the payload through Microsoft Teams. A SIEM ingesting email logs but not voice call records, Teams metadata, or SMS activity cannot reconstruct the sequence.
The attack is visible only in aggregate across channels, and no single deployed tool has that view by default.
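The sequence described above (mail flood, then a call, then a Teams message) as correlation logic over events joined from all three channels. This is an added example, not part of the original article or any vendor's product; the event tuple layout, the `kind` labels, the thresholds, and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed events from three log sources: (timestamp, channel, user, kind)."""
    t0 = datetime(2024, 5, 6, 9, 0, 0)
    flood = lambda user: [((t0 + timedelta(seconds=12 * i)).isoformat(),
                           "email", user, "inbound_mail") for i in range(40)]
    follow_up = lambda user: [("2024-05-06T09:14:00", "voice", user, "external_call"),
                              ("2024-05-06T09:20:00", "teams", user, "external_chat")]
    return (flood("alice") + follow_up("alice")      # full sequence
            + flood("bob")                           # mail flood only
            + [("2024-05-06T09:01:00", "email", "carol", "inbound_mail")]
            + follow_up("carol"))                    # call and chat, no flood

def find_cross_channel_sequences(events, burst_threshold=30,
                                 burst_window=timedelta(minutes=10),
                                 follow_window=timedelta(minutes=60)):
    """Flag users who get a mail flood, then an external call, then an external chat."""
    by_user = defaultdict(list)
    for ts, channel, user, kind in events:
        by_user[user].append((datetime.fromisoformat(ts), channel, kind))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        mails = [t for t, ch, k in evs if (ch, k) == ("email", "inbound_mail")]
        burst_at, start = None, 0
        for i, t in enumerate(mails):                # sliding-window mail count
            while t - mails[start] > burst_window:
                start += 1
            if i - start + 1 >= burst_threshold:
                burst_at = t
                break
        if burst_at is None:
            continue
        deadline = burst_at + follow_window
        call = next((t for t, ch, k in evs if (ch, k) == ("voice", "external_call")
                     and burst_at <= t <= deadline), None)
        chat = call and next((t for t, ch, k in evs if (ch, k) == ("teams", "external_chat")
                              and call <= t <= deadline), None)
        if chat:
            alerts.append({"user": user, "burst": burst_at, "call": call, "chat": chat})
    return alerts

if __name__ == "__main__":
    for alert in find_cross_channel_sequences(sample_events()):
        print(alert["user"], alert["burst"], alert["call"], alert["chat"])
```

Filtering the voice events out of the input before calling the function returns no alerts, which is the blind spot of a pipeline that ingests only some of the channels.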
Doppel is the AI-native Social Engineering Defense (SED) platform that unifies Digital Risk Protection and Human Risk Management, and pretexting campaigns are precisely the threat Doppel built the platform to disrupt.
Disruption starts earlier than the staged infrastructure. Pretexting depends on what attackers can learn before they pick up the phone, and Executive Protection continuously removes exposed PII from data broker sites, monitors the dark web for leaked credentials, and tracks impersonation accounts targeting named executives and the family members attackers routinely use as a stepping stone.
Thinning that raw material disrupts the reconnaissance stage before attackers build any infrastructure. Leaked phone numbers, dormant lookalike accounts, and the personal details that pad out a convincing story all become harder for attackers to assemble.
Once attackers do begin staging, the Doppel Threat Graph correlates the signals they leave behind: spoofed domains, fake social profiles, cloned phone numbers, and fabricated identities. It stitches those signals across domains, social media, paid ads, telco, messaging apps, and the dark web. Isolated indicators collapse into campaign-level views.
When attackers connect a spoofed executive profile on LinkedIn to a lookalike domain and a cloned phone number, the platform dismantles the connected campaign across channels in a single action, including the telco leg that legacy takedown workflows routinely leave standing. The platform routes only novel or escalated cases to analysts.
On the human side, Dynamic Simulation converts live-detected threats into multi-channel employee simulations with one click. If attackers are running a fake IT help desk pretext against the organization today, the same pretext can train employees across voice, email, and SMS tomorrow.
Every fabricated identity, every spoofed domain, every cloned voice profile is staging infrastructure that exists before attackers place the first call or send the first email. Doppel detects that infrastructure, dismantles it before the story reaches the target, and trains employees against the exact tactics running in the wild. The result: attackers find the brand too costly to attack.