In plain English
Pretexting is the art of constructing a convincing false story. An attacker might pose as an IT helpdesk worker needing your password to fix an urgent issue, a new supplier requesting updated payment details, or a government official conducting an audit. The scenario is designed to make the request seem legitimate and time-sensitive.
Full definition
The pretext is the story. An attacker calls your accounts team claiming to be from your bank's fraud department, says there is suspicious activity, and needs to verify account details to prevent a freeze. The urgency is manufactured. The caller ID is spoofed. The details they already know, perhaps your ABN and the bank's name, come from public sources or a previous breach. Your staff member is not being foolish; they are responding to what looks like a legitimate, time-sensitive request.
often layers pretexting on top of a compromised email account. The attacker reads several weeks of email to understand tone, relationships, and current projects before sending a payment redirection request in the CEO's voice. Australian businesses lost over $79 million to BEC in the 2022-23 financial year according to the 's annual cyber threat report. The plausibility of the pretext is what makes these attacks succeed where generic fails.
Defending against pretexting is mostly procedural. Verify payment detail changes through a separate channel, calling a number you already have on file rather than one provided in the request. Apply the same principle to any request for credentials, access grants, or sensitive data. Staff should be able to say 'I need to call you back on our recorded number' without fearing they will be seen as obstructive. That framing needs to come from management: verification is normal and expected, not a sign of distrust.
