What Is Pretexting and How Do Attackers Build False Scenarios?
A widely reported case involved a finance employee who transferred a large sum of money after joining a video call with what appeared to be the CFO and several colleagues. Every person on that call was a deepfake. The attacker had spent time gathering publicly available information about the organisation, its staff, and its financial processes before constructing a scenario plausible enough to bypass every professional instinct the target had. That is pretexting at its most sophisticated -- and it is not limited to large corporations or foreign intelligence operations.
Pretexting is the construction of a false identity or scenario to manipulate a target into taking an action they would not otherwise take. It is distinct from phishing in that it typically involves direct, often personalised interaction rather than mass distribution. The attacker invests time upfront to make the interaction feel legitimate. That investment pays off because the target's guard is lowered by familiarity and social context rather than raised by an obviously suspicious email.
How Attackers Build a Pretext
The construction of a convincing pretext starts with open source intelligence. Professional networking sites, company websites, job ads, annual reports, social media, and news articles tell an attacker a great deal about an organisation's structure, its key personnel, its suppliers, its projects, and its internal language. An attacker posing as a new IT vendor does not need inside access to know what software your organisation runs if that information is visible in job advertisements or public posts from your technical staff.
Once the scenario is constructed, the attacker establishes context before making any request. A phone call that begins "Hi, I'm calling from the support team at your document management provider -- we've flagged a sync issue on your account and I need to verify a few details" is not immediately alarming. The caller has identified a plausible reason for contact, established a service relationship, and created a context where the target's cooperation is expected. The request that follows -- for an account number, a login, or access to a file -- arrives inside a frame that makes compliance feel normal.
The Roles Attackers Prefer to Impersonate
Pretexting attacks tend to target specific roles within an organisation because certain positions carry authority, handle sensitive information, or are expected to be responsive. Finance staff who process payments, executive assistants who have access to executive calendars and communications, IT helpdesk staff who are trained to assist users with access problems, and new employees who are not yet familiar with internal processes are all common targets.
The attacker often impersonates a role with plausible authority over the target: a senior manager, an external auditor, a regulator, a legal counsel, or a supplier the organisation already works with. In organisations with distributed structures -- like council networks with multiple departments, or not-for-profits with field staff across locations -- the attacker can also pose as a colleague in a part of the organisation the target would not normally interact with.
What Effective Pretexting Training Covers
Training people to recognise pretexting is harder than training them to recognise phishing emails, because the indicators are social rather than technical. There is no malicious link to hover over and no sender domain to inspect. The tell-tale signs are in the pattern of the interaction rather than in any single element of it.
Useful awareness content on pretexting focuses on:
- The combination of urgency and authority: legitimate requests from genuine contacts rarely need to bypass normal processes because of time pressure
- The verification habit: a separate channel check -- calling the person's published number rather than the number they gave you -- breaks most pretexts
- Flattery and rapport-building as a warning signal rather than a green light
- The value of slowing down: attackers rely on the target not pausing to question the scenario
- What to do when something feels wrong even if it is hard to articulate why: organisational permission to pause, verify, and escalate without fear of embarrassment
Live deepfake demonstrations are one of the most effective ways to build genuine awareness of how convincing these attacks have become. When staff see in real time that an AI-generated video call can replicate a voice and face they trust, the abstract risk becomes concrete. That is qualitatively different from reading about it in a training module.
The Organisational Practices That Reduce Pretexting Risk
Awareness training reduces individual susceptibility, but process design reduces organisational exposure. Payment processes that require out-of-band verification for amounts above a threshold, change-of-bank-details workflows that mandate a phone confirmation to a known number, and clear escalation paths for "something feels off" situations all reduce the blast radius of a successful pretext. Training and process work together. Training without process leaves the burden entirely on individual staff. Process without training leaves staff unable to recognise when a process is being circumvented.
We include pretexting scenarios in our awareness programmes and use live deepfake demonstrations to make the stakes tangible. If your organisation has not addressed pretexting specifically -- as distinct from email phishing -- it is worth doing so. Contact us at info@cyberlinx.com.au to discuss what that looks like in practice.
Related Articles







