Pretexting: The Art of Impersonation

Patrick Putman

What is Pretexting

Pretexting is a social engineering tactic that uses deception and false motives. Simply put, pretexting crafts fictional situations to obtain personal, sensitive, or privileged information. Pretexting often involves researching the target prior to the attack. The data collected is then used to manipulate and deceive the victim. The main goal of the threat actor is to gain the target’s trust and exploit it for financial or political gain. A pretext attack can occur in person or over the phone.


Impersonation is a tactic used by pretexters to deceive the target. Playing the role of a trusted individual, they manipulate their victim into granting them access to a facility or system. For example, a pretexting method could be impersonating someone from tech support or a  coworker. Impersonators may also take on the role of a delivery person or service provider. Impersonators often use props, uniforms, and fake identities to make the scam more believable.

Impersonation requires extensive research prior to setting up the attack. A pretexter will use Open Source Intelligence (OSINT) in to gather extensive information about the target. OSINT is data collected from sources that are common public knowledge.  OSINT is just the start though. Pretexting often requires more sinister methods such as eavesdropping, cyberstalking and dumpster diving. Once the attacker has collected enough information, they use it to lull their target into a false sense of security.

Another pretexting scams commonly used is vishing. Vishing is a voice phishing scam where an attacker calls the victim, while impersonating a trusted individual. Most often they are already in possession of personal or financial information gathered during reconnaissance. Fraudulent callers pretend to be service providers, tech support, or bank personnel. In some cases, the impersonator will even spoof a trusted phone number to hide their true identity.


Numerous office buildings and complexes have restricted access entrances. Doors or gates use digital locking systems to protect against unauthorized entry. These locks require either an RFID key fob, access card, or digital code to gain entrance. Tailgating occurs when authorized personnel enter a locked doorway and the attacker immediately follows in behind them. The attacker may be lurking around a door or gate, waiting for the right opportunity. An attacker may even resort to physically stealing or duplicating the access card or key fob to gain entry.

For example, I used to have a second job delivering pizza. I would often deliver to apartments and offices with restricted entry. In many cases however, I was able to gain access by simply asking someone else to let me in or hold the door for me. Most people think nothing of a pizza delivery guy, so they let me right in. If I had been an impersonator, I would have immediately gained access to the facility and any network system contained within.


Pretexting threatens more than just your personal data. It can pose a serious threat to your office, networks and information systems. If you receive an unsolicited call, hang up and call them back. Always question and verify if a call is legitimate. Most companies do not conduct business solely over the phone or ask to verify sensitive data. Additionally, remember that pretexting is predicated on their ability to research you. This is one of the larger reasons why keeping clean cyber hygiene is so important. The less people can find about you online, the more secure you are.

Be aware of your surroundings before entering an office with restricted access. If you notice someone lurking, notify security or the authorities to investigate. While it may be innocuous, the person may actually be a social engineer waiting for the right opportunity. Verify all deliveries or requested access by individuals.

Tags: , , , , , , , ,