In 2020, a teenager convinced a Twitter employee he was a co-worker from the IT department. That single phone call led to the compromise of 130 high-profile accounts — including Barack Obama, Elon Musk, and Apple — and a Bitcoin scam that netted over $100,000 in hours. The attack wasn't a sophisticated zero-day exploit. It was a pretexting attack, one of the oldest social engineering tricks in the book.
If you're searching for pretexting attack examples, you're already asking the right question. Understanding how these attacks actually play out — with real scenarios, real consequences, and real dollar amounts — is the single best way to protect your organization. I've spent years watching these attacks evolve, and they're getting harder to spot. Let me walk you through the ones that matter most right now.
What Is a Pretexting Attack, Exactly?
Pretexting is a form of social engineering where a threat actor fabricates a scenario — a pretext — to manipulate someone into handing over information, access, or money. Unlike a generic phishing email blasted to thousands, pretexting is targeted and personal. The attacker does homework first.
They might impersonate your CEO, a vendor, a bank representative, or an IT technician. The key ingredient is a believable story. According to the 2021 Verizon Data Breach Investigations Report (DBIR), pretexting accounted for a significant share of social engineering incidents, and it's the primary tactic behind business email compromise (BEC) attacks — the costliest cybercrime category the FBI tracks.
The reason pretexting works so well? It exploits trust, authority, and urgency. Your employees aren't failing because they're careless. They're failing because the attacker has crafted a story specifically designed to bypass their critical thinking.
Pretexting Attack Examples That Cost Organizations Millions
Let's get specific. These aren't hypothetical. These are real-world pretexting attack examples that should be part of every security awareness conversation in your organization.
1. The Twitter Hack of 2020: "I'm From IT"
I already mentioned this one, but the details are worth examining. The attackers called Twitter employees and posed as members of Twitter's internal IT team. They told employees they needed to verify credentials for a new internal tool. Several employees complied.
The attackers gained access to Twitter's internal admin panel. From there, they hijacked 130 accounts, tweeted cryptocurrency scams from 45 of them, and accessed the DMs of 36 accounts. The pretext was simple: "I'm from IT, and I need your help with a system issue." That's it. No malware. No exploit kit. Just a convincing story.
2. Ubiquiti Networks: $46.7 Million Wire Fraud
In 2015, Ubiquiti Networks disclosed that attackers impersonated company executives and targeted the finance department through email. The pretext? Urgent wire transfers were needed for a confidential acquisition. The attackers used spoofed email addresses and a fabricated narrative about time-sensitive business deals.
The company lost $46.7 million. They recovered about $15 million. This is a textbook BEC pretexting attack — the threat actor creates a story involving authority (the CEO), urgency (close the deal now), and secrecy (don't discuss this with anyone).
3. The RSA SecurID Breach of 2011
This one still gets referenced in security circles because the pretext was so elegant. Attackers sent targeted phishing emails to small groups of RSA employees. The subject line? "2011 Recruitment Plan." The email contained an Excel spreadsheet with a zero-day exploit, but the entry point was pure pretexting — a believable email about something HR-related that employees would naturally open.
The breach compromised RSA's SecurID two-factor authentication tokens, which were used by defense contractors and government agencies. The downstream impact was enormous. It all started with a fake story about recruitment plans.
4. The HP Pretexting Scandal
In 2006, Hewlett-Packard's board of directors hired private investigators to find the source of boardroom leaks. Those investigators used pretexting — they called phone companies impersonating HP board members to obtain their personal call records. This scandal led to congressional hearings and the resignation of HP's chairwoman.
This example matters because it shows pretexting isn't limited to faceless hackers in hoodies. It's a technique used by insiders, corporate investigators, and anyone willing to fabricate a story to get access to information they shouldn't have.
5. The IRS Phone Scam: Pretexting at Scale
While most pretexting attacks target specific individuals, the IRS impersonation scam showed it can work at massive scale. Callers claimed to be IRS agents, told victims they owed back taxes, and threatened arrest if immediate payment wasn't made. The pretext leveraged fear and authority — two of the most powerful psychological triggers.
The Treasury Inspector General for Tax Administration reported that by 2018, these scams had stolen over $63 million from thousands of victims. The FBI's Internet Crime Complaint Center (IC3) consistently ranks government impersonation among the top reported fraud types.
The Anatomy of Every Pretexting Attack
After reviewing dozens of these incidents, I can tell you they all follow the same basic playbook. Recognizing the pattern is your best defense.
Step 1: Research
The attacker gathers information about the target. LinkedIn profiles, company websites, press releases, social media — it's all raw material. They learn names, titles, reporting structures, vendors, and current projects. The more they know, the more believable the pretext becomes.
Step 2: Build the Story
The attacker constructs a scenario that gives them a plausible reason to request information or access. Common pretexts include:
- "I'm from IT — we need to verify your credentials after a system update."
- "This is the CEO — I need a wire transfer processed immediately and quietly."
- "I'm calling from your bank's fraud department — we've detected suspicious activity."
- "I'm a vendor — we need to update our payment information on file."
- "This is HR — please review the attached benefits enrollment document."
Step 3: Establish Trust and Urgency
The attacker uses authority, familiarity, or fear to short-circuit the target's normal verification process. Urgency is almost always present. "This needs to happen now" is the phrase that bypasses critical thinking.
Step 4: Extract and Exploit
Once the target complies — sharing a password, wiring funds, opening an attachment, or granting system access — the attacker moves fast. Credential theft leads to lateral movement. Wire transfers get rerouted through multiple accounts. Data gets exfiltrated before anyone notices.
Why Traditional Security Tools Miss Pretexting
Here's what frustrates me about how most organizations approach this problem. They invest heavily in firewalls, endpoint detection, and email filters — and those tools are important. But pretexting attacks target the human layer. No firewall blocks a convincing phone call. No spam filter catches every carefully crafted BEC email.
The 2021 Verizon DBIR found that 85% of breaches involved a human element. Pretexting and phishing were the dominant social engineering techniques. Multi-factor authentication helps. Zero trust architecture helps. But the attacker only needs one employee to believe the story.
This is why cybersecurity awareness training that covers real social engineering tactics isn't optional — it's a core security control. Your people need to see these pretexting attack examples before they encounter them in the wild.
How to Defend Against Pretexting Attacks
I'm not going to tell you there's a magic solution. There isn't. But I've seen these specific measures dramatically reduce the success rate of pretexting attacks in organizations that implement them seriously.
Train With Realistic Scenarios
Generic "don't click suspicious links" training doesn't prepare your team for a well-researched pretexting phone call. You need scenario-based training that walks employees through actual pretexting attack examples — like the ones I described above. Role-playing exercises where someone calls the accounting department pretending to be the CFO are far more effective than slide decks.
If you want structured content for your team, the phishing awareness training program at phishing.computersecurity.us covers social engineering tactics including pretexting, phishing simulation, and credential theft scenarios designed to build real recognition skills.
Implement Verification Procedures
Every request for money, credentials, or sensitive data should require out-of-band verification. If someone emails asking for a wire transfer, call them at a known phone number — not the one in the email. If someone calls claiming to be from IT, hang up and call the IT help desk directly.
This sounds simple. In practice, most organizations don't enforce it consistently. The Ubiquiti breach happened because nobody picked up the phone to confirm a $46.7 million transfer with the actual executive.
Limit Publicly Available Information
Every detail on your website and social media accounts is potential ammunition for a pretexting attack. Organizational charts, employee directories with titles, detailed vendor relationships, and project announcements all help attackers craft believable stories. Review what's public and ask whether it needs to be.
Deploy Multi-Factor Authentication Everywhere
Even when an attacker successfully obtains credentials through pretexting, MFA adds a second barrier. It won't stop every attack — SIM-swapping and MFA fatigue attacks are real — but it blocks the majority of credential theft attempts. CISA's guidance on multi-factor authentication is a solid starting point for implementation.
Build a Culture Where Verification Is Expected
The biggest barrier to stopping pretexting? Employees feel awkward questioning someone who claims to be their boss. You need a culture where verifying identity is not just acceptable — it's expected and rewarded. The CEO should be the first person to say, "Always verify before you act on my requests."
Can You Spot a Pretexting Attack? A Quick Self-Test
Ask yourself if you'd catch these red flags in real time:
- A caller says they're from IT but can't provide their employee ID or ticket number.
- An email from your "CEO" comes from a slightly different domain — like @company-corp.com instead of @company.com.
- Someone asks you to bypass normal procedures because of an "emergency."
- A vendor emails new bank account details for future payments.
- An unfamiliar person requests sensitive data and says, "Don't mention this to anyone yet."
If even one of these would give you pause, good. If not, your organization needs structured security awareness training — today, not next quarter.
Pretexting Is Getting Worse. Here's the Data.
The FBI's IC3 2021 Internet Crime Report recorded nearly $2.4 billion in losses from BEC/EAC schemes — the category most heavily reliant on pretexting. That number has climbed every single year. Ransomware grabs the headlines, but pretexting-driven BEC is the quiet, consistent money machine for threat actors.
Deepfake audio is making things worse. In 2019, criminals used AI-generated voice technology to impersonate a CEO and convince a subordinate to wire $243,000. As these tools become more accessible, the pretext becomes even more convincing. The story doesn't just come in an email anymore — it comes in the boss's voice.
Your Next Step
Knowing these pretexting attack examples puts you ahead of most organizations. But knowledge without action is just trivia. Take what you've read here and do three things this week:
- Share at least two of these real-world examples with your team in your next meeting.
- Review your organization's verification procedures for financial transactions and credential requests.
- Enroll your team in a structured cybersecurity awareness training program that includes social engineering scenarios — not just checkbox compliance.
Pretexting works because it targets human nature. You can't patch human nature. But you can train your people to recognize the story before they become part of it.