CAPEC-407: Pretexting (CAPEC List Version 2.11)

Attack Pattern ID: 407
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Summary

An adversary engages in pretexting to solicit information from target persons, or to manipulate the target into performing some action that serves the adversary's interests. During a pretexting attack, the adversary creates an invented scenario and assumes an identity or role in order to persuade the targeted victim to release information or perform some action. It is more than simply telling a lie; in some cases it means constructing an entirely new identity and then using that identity to extract information from the target. Pretexting can also be used to impersonate people in jobs and roles that the adversary has never actually held. In its simplest form, the attack is used to learn information about a target. More elaborate variants seek to get the target to perform some action that helps the adversary exploit organizational weaknesses or obtain access to secure facilities or systems.

Pretexting is not a one-size-fits-all technique. Good information-gathering beforehand can make or break a pretext, because a solid pretext is what establishes trust. If the adversary's alias, story, or identity has holes, or lacks credibility (or even the appearance of credibility), the target will most likely catch on.

+ Attack Prerequisites
  • The adversary must have the means and knowledge of how to communicate with the target in some manner.
  • The adversary must have knowledge of a pretext that would influence the actions of the specific target.

+ Typical Severity

Low

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Social Engineering
+ Examples-Instances

Description

The adversary dresses as a jogger and runs in place by the entrance of a building, pretending to search for their access card. The jogging outfit explains why they have no badge visible, and the hood obscures their face, so someone inside the building cannot tell that they do not belong there and may be persuaded to let them in.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Little technical skill is needed, but the adversary requires strong interpersonal and communication skills.

+ Solutions and Mitigations

An organization should provide regular, robust security awareness training to its employees to reduce the success rate of social engineering attacks. Training is most effective when it is paired with procedures the pretext cannot talk around: verifying a requester's identity through an independent channel before releasing sensitive information, and never admitting an unknown person to a secure facility on the strength of their story alone.

+ Attack Motivation-Consequences
Scope: Confidentiality
Technical Impact: Varies by context
Note: Depending on the adversary's intentions and the specific nature of their actions or requests, a successful pretexting attack can compromise the confidentiality of sensitive information in a variety of contexts.
+ References
[R.407.1] [REF-30] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.
+ Content History
Submissions
  • Submitter: CAPEC Content Team; Organization: The MITRE Corporation; Date: 2014-06-23; Source: Internal_CAPEC_Team

Modifications
  • Modifier: CAPEC Content Team; Organization: The MITRE Corporation; Date: 2017-08-04; Comments: Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Methods_of_Attack, Related_Attack_Patterns, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit; Source: Internal

Previous Entry Names
  • Date: 2017-08-04; Previous Entry Name: Social Information Gathering via Pretexting

Page Last Updated or Reviewed: August 03, 2017