Pretexting vs. Phishing: Social Engineering Tactics Explained

Key Takeaways:

  • Pretexting vs phishing comes down to interaction style. Phishing is a fast, one-touch attack, while pretexting unfolds through targeted, multi-step conversations.

  • Pretexting causes far higher financial losses because attackers invest time, research, and real-time manipulation to steal money or access.

  • Huntress helps organizations stay ahead of both tactics with Managed Security Awareness Training (SAT) and Managed Identity Threat Detection and Response (ITDR) to catch compromised identities before damage escalates.

Pretexting and phishing both aim to steal your credentials, your money, and your data, but the methods attackers use are quite different. The key difference is that phishing is "push-based," while pretexting relies on a "conversation style" of human interaction. To compare pretexting vs phishing, think of it this way: phishing casts a wide net with one-touch attacks, while pretexting targets people through multi-step conversations.

According to the FBI's 2024 Internet Crime Complaint Center report, Business Email Compromise (BEC) attacks, which often rely on pretexting, caused $2.77 billion in losses across 21,442 incidents. Meanwhile, phishing accounted for 193,407 complaints. Verizon’s 2024 Data Breach Investigations Report (DBIR) shows pretexting now makes up more than 40% of social engineering incidents, surpassing phishing among breach actions.


What’s the difference between phishing and pretexting?

Phishing: Push-based attacks

Phishing attacks human nature as opposed to technical security weaknesses. Attackers use emails, SMS (smishing), social media messages, and other mass communication, often sending thousands of identical or slightly personalized emails, hoping for even the smallest click rate. One-touch interactions are the order of the day: click here, enter credentials there, download this. Done.

Classic phishing examples include:

  • Fake password reset emails from "IT" 

  • Bogus shipping notifications with malicious tracking links

  • Urgent suspended account messages

  • Invoice emails with malware-laden attachments

Attackers don't need to know much about you. Generic social pressure tactics work fine when targeting thousands. One fake Microsoft login page can collect 100+ credentials in a couple of hours, if worded right, with no need for roleplay, pretext, or other emotional manipulation.


Pretexting: Pulling you into a back-and-forth interaction

For a detailed look at pretexting fundamentals, check out our guide: What is Pretexting in Cybersecurity.


Pretexting requires a strong narrative (“pretext”) and specific roles to deceive victims. Attackers research their targets, companies, and organizational structures to craft believable scenarios that coax victims into parting with credentials, wire transfer information, and sensitive data. 

These attacks are overwhelmingly financially motivated, 95% according to Verizon, with pretexting/BEC accounting for 24–25% of financially motivated incidents over the past two years. Pretexting almost always involves multiple interactions:

Day 1: Call from someone claiming to represent a benefits provider, referencing your department or manager.

Day 2: Follow-up email asks you to confirm your employee ID.

Day 3: Callback requests your system login to “link accounts.”

Compare this to phishing: One email. One malicious link. One credential harvesting page. The entire attack lifecycle happens in under five minutes. In fact, the median time to fall for phishing is less than 60 seconds, with 21 seconds to click and 28 seconds to enter credentials. Pretexting takes days and multiple touchpoints, each building on the last.  

Multi-touch vs. one-touch: How the attacks differ

Feature           Phishing              Pretexting
Interaction       One-touch             Multi-touch
Timing            Seconds               Days or weeks
Personalization   Low                   High
Goal              Credentials, clicks   Credentials, payments, system access



Warning signs to watch for

Phishing attacks

  • Generic greetings ("Customer") vs your name

  • Suspicious sender addresses (amaz0n.com, not amazon.com)

  • Urgent language to push you past thinking

  • Unexpected attachments or links

  • Grammar errors and awkward phrasing (though AI is making these less common)
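As an added example (not part of the original post), the check below flags the kind of look-alike sender domain listed above (amaz0n.com vs amazon.com) by undoing common digit-for-letter swaps and catching one-character typo-squats; the trusted-domain list and the homoglyph table are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Domains the organisation expects mail from (constructed sample list).
TRUSTED_DOMAINS = {"amazon.com", "microsoft.com", "huntress.com"}

# Character swaps commonly used to imitate a brand name, e.g. amaz0n -> amazon.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so amaz0n and amazon compare equal."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, or '' if it is malformed."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return match.group(1).lower() if match else ""


def check_sender(address: str) -> str:
    """Classify a sender address as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not on the trusted list but matches a
    trusted domain after homoglyph normalisation, differs from one by roughly
    a single character, or uses a trusted domain as a deceptive prefix.
    """
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Exact match once digit/letter swaps are undone: amaz0n.com vs amazon.com
        if normalize(domain) == trusted:
            return "lookalike"
        # Near-identical spelling (amazom.com) or a prefix trick such as
        # amazon.com.secure-login.net, where the real domain is the last part.
        if (SequenceMatcher(None, domain, trusted).ratio() >= 0.9
                or domain.startswith(trusted + ".")):
            return "lookalike"
    return "unknown"
```

The similarity threshold deliberately errs toward flagging, so a legitimate regional variant such as a two-letter country domain may also be reported as a look-alike and should be allow-listed explicitly.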

Pretexting attacks

  • Out-of-band requests (IT asking for your password on the phone)

  • Unusual timing (calls about "urgent" issues after hours)

  • "Can't share details in email" disclaimers

  • Resistance to standard verification procedures

  • Knowledge of internal company details to build credibility

  • Requests that sidestep normal approval processes


Defending against both: Strategies that work

Callback verification

If you receive a phone call from someone claiming to be from IT, your bank, or any other company, hang up and call back using a verified number, not the one they give you.

Dual approval processes

Critical functions like wire transfers, password resets, or access changes require dual approval. This protects against both pretexting and phishing.

Scenario-based training

Employees need to recognize both the instant phishing email red flags and the slow-burn manipulation tactics of pretexting. Regular, scenario-based training helps internalize a "pause and verify" mindset. This matters because humans contribute to 68% of breaches.




Real-world examples of pretexting and phishing

High-profile phishing attacks

In July 2020, attackers successfully phished Twitter employees to gain access to internal systems, then hijacked high-profile accounts, including Barack Obama, Elon Musk, Joe Biden, and Apple Inc.'s company account. They posted Bitcoin scam messages to millions of followers, though they only collected about $117,000.

Devastating pretexting incidents

MGM Resorts (2023): The Scattered Spider group called MGM's IT help desk, impersonated an employee using information from LinkedIn, and convinced staff to reset credentials. The 10-day attack cost MGM $100 million in lost revenue as slot machines went offline, digital room keys stopped working, and hotel operations reverted to pen and paper. No malicious email. No attachment. Just one very convincing phone call.


Caesars Entertainment (2023): The same group targeted Caesars, which chose a different path than MGM. Attackers used social engineering on an outsourced IT vendor to access the loyalty program database containing Social Security numbers and driver's licenses. Caesars paid a $15 million ransom (negotiated down from $30 million) to prevent data release. The attack began weeks before MGM's, proving that pretexters often study multiple targets simultaneously.


What’s another name for pretexting?

Some call pretexting “pretexing,” “social engineering through impersonation,” or a modern “confidence trick.” Some in the industry also refer to it as "pretext calling" if it's done over the phone. With AI voice cloning and deepfakes, pretexters now have tools that make impersonation a lot more convincing and harder to detect.


Curious about the other types of phishing? We’ve got you covered in our guide.




Common pretexting and phishing scams

Pretexting-heavy scams:

  • Tech support scams (fake IT staff)

  • IRS/Government impersonation (threats of arrest) 

  • Romance scams (fake relationships before money requests)

  • Job offer scams (fake recruitment fees for "background checks" or "training materials")

  • Grandparent scams (elderly exploitation)

Phishing-dominant scams:

  • Account update scams (fake bank messages)

  • Business email compromise (combines both tactics)

  • Cryptocurrency scams (fake investment opportunities)


Together, phishing and pretexting via email account for 73% of social engineering breaches. The FBI reported $16.6 billion in total cybercrime losses in 2024, with 83% from cyber-enabled fraud like phishing and pretexting.



Pretexting vs. pharming: One more comparison

What’s different between phishing and pharming? Pharming is the technical sibling to phishing and pretexting in the social engineering family. DNS hijacking or hosts file poisoning redirects users from legitimate websites to attacker-controlled ones, even if users type in the correct URL. It requires more technical skill than pretexting or phishing, but less emotional manipulation.



After credentials are compromised, what’s next?

Understanding the difference between pretexting vs phishing is step one. Step two? Having identity-focused detection when credentials are compromised.

Humans have bad days, and attackers improve. When that happens, you need Huntress Managed ITDR (Identity Threat Detection and Response). Combined with Managed Security Awareness Training (SAT), Huntress brings layered defense to the identity gap. Our training prevents credential theft, and our Managed ITDR detects when attackers try to use those stolen credentials. Book a demo to learn how Huntress protects organizations from both fast phishing attacks and the slow-burning pretext.



