In 2020, a teenager and two accomplices convinced a Twitter employee they were from the company's IT department. That single phone call gave them access to internal tools, which they used to hijack 130 high-profile accounts — including those of Barack Obama, Elon Musk, and Apple — netting over $100,000 in Bitcoin in hours. The attack wasn't sophisticated malware. It was a textbook pretexting attack. If you're searching for pretexting attack examples, this is the one that should keep you up at night, because it proves that a convincing story is more dangerous than any exploit kit.

Pretexting is a form of social engineering where a threat actor fabricates a scenario — a pretext — to manipulate a target into handing over information, credentials, or access. Unlike a generic phishing email blasted to thousands, pretexting is targeted and personal. The attacker researches you, your role, your company, and then builds a lie tailored to exploit your trust.

This post breaks down real pretexting attack examples, explains why they work, and gives you concrete steps to protect your organization.

What Makes Pretexting Different from Phishing?

People often lump pretexting and phishing together. They're related, but they're not the same thing. Phishing casts a wide net — a mass email pretending to be from Microsoft, hoping someone clicks. Pretexting is the con artist who spent two weeks studying your org chart before picking up the phone.

The key difference is depth of deception. A pretexting attack always involves a fabricated identity or scenario designed for a specific target. The Verizon 2021 Data Breach Investigations Report found that pretexting was the second most common social engineering tactic, and that incidents involving pretexting have been rising steadily since 2017. You can review the full report at Verizon's DBIR page.

Phishing might be the delivery mechanism, but pretexting is the script. A well-crafted pretexting attack can use email, phone calls, text messages, or even in-person impersonation.

5 Real Pretexting Attack Examples That Caused Serious Damage

1. The Twitter Hack of 2020: IT Impersonation at Scale

I already mentioned this one, but the details matter. The attackers called Twitter employees posing as IT support staff. They told employees there was a VPN issue — plausible in July 2020, when most of the company was working remotely. Employees handed over credentials to an internal tool. Within hours, the attackers had control of accounts with millions of followers.

The pretext worked because it was contextually perfect. Remote work was new, VPN issues were common, and employees expected IT to call about problems. The attackers didn't need to bypass multi-factor authentication or crack a password. They just asked for access and got it.

2. The Ubiquiti Networks Wire Transfer Fraud

In 2015, networking company Ubiquiti Networks disclosed that attackers impersonating employees and using fraudulent requests tricked the finance department into wiring $46.7 million to overseas accounts. The pretext? The requests appeared to come from senior executives directing routine transfers.

This is a classic business email compromise (BEC) driven by pretexting. The threat actor studied the company's communication patterns, mimicked the tone of executives, and targeted finance staff who were accustomed to processing large wire transfers. The FBI's IC3 has flagged BEC as one of the costliest cybercrimes — the 2020 IC3 Annual Report attributed over $1.8 billion in losses to BEC schemes alone.

3. The RSA SecurID Breach

In 2011, attackers sent targeted phishing emails to small groups of RSA employees. The emails had a subject line — "2011 Recruitment Plan" — and an attached Excel spreadsheet containing a zero-day exploit. The pretext was simple: a routine HR document about hiring plans. Employees opened it because it looked like normal business communication.

The breach compromised RSA's SecurID two-factor authentication tokens, which were used by defense contractors and government agencies. The pretext was narrow and specific. It didn't need to fool everyone — just one person who found a recruitment spreadsheet relevant to their job.

4. The Hewlett-Packard Pretexting Scandal

This one's different because the pretexting came from inside the house. In 2006, HP's board authorized investigators to obtain phone records of board members and journalists to find the source of media leaks. The investigators used pretexting — calling phone companies while impersonating the targets — to get the records. The scandal led to congressional hearings, the resignation of HP's chairwoman, and California strengthening its pretexting laws.

This example matters because it shows pretexting isn't limited to faceless hackers overseas. It can be used by anyone — and against anyone. The phone company employees who handed over those records were victims of a pretext they had no reason to question.

5. COVID-19 Stimulus Check Scams

Throughout 2020 and into 2021, CISA documented a surge in pretexting attacks tied to pandemic relief. Attackers called and emailed individuals pretending to be IRS agents, state unemployment offices, or SBA loan processors. The pretext: "We need to verify your identity to process your stimulus payment" or "There's a problem with your unemployment claim."

These scams combined urgency, authority, and fear — the three pillars of an effective pretext. Victims handed over Social Security numbers, bank account details, and other sensitive information. CISA published detailed guidance on pandemic-related scams at cisa.gov, and the FTC reported a dramatic increase in impersonation fraud during this period.

Why Pretexting Attacks Work: The Psychology Behind the Script

Every one of those pretexting attack examples exploits the same human tendencies. Understanding these makes you harder to fool.

Authority Bias

When someone claims to be from IT, the CEO's office, or the IRS, most people default to compliance. We're trained from childhood to respect authority figures. Threat actors weaponize this by impersonating people with power over the target — bosses, auditors, law enforcement, IT administrators.

Urgency and Fear

"Your account will be locked in 30 minutes." "The CEO needs this wire transfer before end of business." "Your VPN credentials are expiring." Urgency short-circuits critical thinking. When you're panicking about losing access or angering an executive, you don't stop to verify the request.

Context and Plausibility

The best pretexts fit seamlessly into the target's normal day. An HR document during hiring season. An IT call during a remote work transition. A tax form during filing season. The attacker isn't creating something unusual — they're mimicking something ordinary.

Reciprocity and Helpfulness

Many pretexting attacks start by offering help. "I'm calling from IT, and we noticed your computer has been flagged for a security update. I can walk you through it right now." The target feels grateful and cooperates. By the time they realize something is wrong, the attacker already has what they need.

How to Defend Against Pretexting: Specific Steps That Work

Knowing pretexting attack examples is useful. Knowing how to stop them is essential. Here's what I recommend to every organization I work with.

Build a Verification Culture

Your employees need a simple, non-negotiable rule: verify any unusual request through a separate communication channel. If someone calls claiming to be from IT, hang up and call IT directly using a known number. If the CEO emails requesting a wire transfer, pick up the phone and confirm with the CEO.

This sounds basic. It is basic. And it would have prevented the Ubiquiti breach, the Twitter hack, and most BEC scams. The problem is that most organizations never formalize this as policy.

Train With Realistic Scenarios

Generic security awareness training that tells employees "don't click suspicious links" doesn't prepare them for a phone call from a convincing impersonator. You need scenario-based training that puts employees through realistic pretexting situations.

Our cybersecurity awareness training program covers social engineering tactics including pretexting, vishing, and impersonation. It's built around the kinds of scenarios real attackers actually use — not cartoon villains in hoodies.

Run Phishing Simulations — Including Voice Pretexting

Most organizations test employees with email phishing simulations. That's a start, but pretexting often happens over the phone or through a combination of channels. If you've never tested whether your help desk will reset a password based on a convincing phone call, you don't know your actual risk.

Our phishing awareness training for organizations includes simulation tools designed to test your team's ability to recognize and report social engineering across multiple channels — not just email.

Implement Technical Controls as Backstops

Training alone isn't enough. Layer in technical controls that limit the damage even if an employee falls for a pretext:

  • Multi-factor authentication (MFA) on every system. Even if an attacker gets a password through pretexting, MFA adds a barrier.
  • Zero trust architecture — never assume any user or device is trustworthy based on network location alone. Verify continuously.
  • Privileged access management — limit who can perform high-risk actions like wire transfers, password resets, and system access changes.
  • Callback verification procedures for financial transactions over a set threshold.

Monitor for Reconnaissance

Pretexting requires research. Attackers scrape LinkedIn, company websites, press releases, and social media to build their scripts. Audit what your organization exposes publicly. Does your website list every employee's name, title, and direct phone number? Does your IT team post detailed job descriptions that reveal your tech stack?

Reducing publicly available information makes the attacker's job harder. It doesn't stop pretexting entirely, but it raises the effort required.

What Is a Pretexting Attack? (Quick Reference)

A pretexting attack is a social engineering technique where an attacker creates a fabricated scenario to trick a specific target into revealing sensitive information, granting access, or performing an action that benefits the attacker. Unlike mass phishing campaigns, pretexting relies on research, impersonation, and a tailored narrative. Common pretexts include impersonating IT support, executives, vendors, auditors, or government officials. Pretexting can happen via phone, email, text, or in person.

The Pattern You Should Recognize

Look at every pretexting attack example above. The pattern is consistent:

  • The attacker claims to be someone with authority or a legitimate reason to make the request.
  • The scenario feels normal — it fits the target's daily work life.
  • There's urgency. Something needs to happen now.
  • The target is never given time or encouragement to verify.

If a request checks those four boxes, treat it as suspect until proven otherwise. That single habit — pausing to verify — defeats the majority of pretexting attempts.

Your Organization Is Already a Target

The FBI IC3 received 791,790 cybercrime complaints in 2020, with reported losses exceeding $4.2 billion. A significant portion of those incidents started with social engineering — specifically, someone believing a story they shouldn't have believed.

Pretexting attacks are getting more targeted, more polished, and harder to detect. Attackers are using data from previous breaches to make their pretexts more convincing — they already know your employee's name, role, and last four digits of their Social Security number before they ever make the call.

The organizations that survive this are the ones that treat security awareness as an ongoing operational discipline, not a once-a-year compliance checkbox. Start with real pretexting attack examples. Show your teams what these look like. Build verification into your culture. And test it constantly.

That's not a guarantee you'll never be hit. But it's the difference between an attacker spending five minutes on your organization before moving on — and spending five minutes on your organization before owning it.