Pretexting doubled in 2025 — what changed and what to do
Pretexting now represents about half of all social engineering attacks in the DBIR dataset. Patient, contextual attacks are the new baseline — and click-rate metrics are missing them.
One of the more consequential — and underreported — findings in the 2025 Verizon DBIR is that pretexting attacks have doubled and now account for roughly half of all social-engineering activity in the dataset. If you run an awareness program built around traditional phishing simulations, this is the trend that should reshape how you think about content for the next 12 months.
What pretexting actually is
Pretexting is patient social engineering. Instead of a single email with a hostile link, a pretexting attack establishes a believable scenario — a backstory, a relationship, a context — and then makes the ask. Common shapes:
- Fake invoice / vendor change — attacker poses as a known vendor with an updated bank account; the finance team approves the change because the conversation has been "ongoing" for weeks, a history that exists only on the attacker's side.
- Executive impersonation — attacker emails a finance lead with a multi-message thread referencing real internal context, building toward a wire instruction.
- Multi-channel fraud — initial email establishes the pretext, follow-up phone call ("I'm in a meeting, can you push that through?") closes it.
- HR / recruiting traps — fake recruiter develops a relationship with an employee, eventually asks for a "screening sample" or a token from a corporate system.
The defining feature is that no single message looks malicious in isolation. Click-rate metrics, which were designed for one-shot phishing, miss most of this entirely.
Why it works
Three things changed in the past 18 months that made pretexting cheaper for attackers:
- LLMs lowered the cost of context. Generating a believable, contextually coherent message that references your CRM stage, your industry vocabulary, and your recent press is essentially free now. Crude grammar errors that used to flag a phish are gone.
- Public business data is richer. LinkedIn, press releases, podcast appearances, and SEC filings give attackers enough raw material to build a credible pretext for any target above a certain seniority level.
- Attack ROI is higher. A single successful pretext that ends in a wire fraud or credential handoff returns far more than a thousand stolen Netflix passwords. Attacker economics have shifted toward patient, high-yield work.
What awareness programs miss
A typical phishing simulation:
- Sends one email
- Measures who clicks
- Sometimes measures who reports
- Calls it done
That program is solving for a single-message attack. It does almost nothing for an attacker who's been emailing your CFO for two weeks. Worse, the click-rate metric looks like it's working — your number drops year over year — even as your real exposure to pretexting attacks may be growing.
What to actually do
A few things move the needle on pretexting specifically:
1. Test with multi-message scenarios. Single-template campaigns don't reflect the threat. Modern testing platforms support multi-touch sequences — one email establishes the pretext, the next adds urgency, the third asks for the action. The metric that matters is whether a learner sees the pattern, not whether they avoided the first message.
2. Add voice and SMS to the rotation. Many pretexting campaigns are multi-channel. A program that only tests email leaves a huge gap. Voice phishing (vishing) and SMS phishing (smishing) simulations are worth the investment.
3. Train on "what to verify" — not just "what to spot." Pretexting works because the cues are subtle. Training that focuses on red flags often misses them. Training that focuses on process — "what do we do when an executive emails us a payment change" — is more reliable. The right answer is almost always: verify out-of-band, through a channel established before this conversation started.
4. Measure report rate as a leading indicator. Click-through is a lagging metric for pretexting because the click might come on message three. Report rate is a leading metric: if your team is reporting more suspicious messages over time, you're catching pretexts early. If report rate is flat, your program isn't moving the needle on this category.
5. Reward escalation, not perfection. The right cultural goal is "people escalate weird stuff." If a finance lead pauses a wire transfer and pings IT before approving — that's a win, even if the pretext was real and the wire was legitimate. Programs that punish over-caution train people to comply faster, which is exactly what attackers want.
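As an added example of the measurement shift in items 1 and 4 above (not code from the DBIR or from the original post): a small Python script that scores a constructed three-touch pretext simulation by report rate and early-report rate instead of clicks, so learners who engage with the pretext without ever escalating surface as exposure. Learner names, steps and outcomes are invented.

```python
from collections import defaultdict

# Constructed events from a hypothetical three-touch pretext simulation; invented
# data, not from the DBIR or any real program. Tuple: (learner, step, outcome).
# Steps 1-2 build the pretext with no link; step 3 is the action (wire request).
ACTION_STEP = 3
EVENTS = [
    ("alice", 1, "ignored"), ("alice", 2, "ignored"), ("alice", 3, "reported"),
    ("bob", 1, "replied"), ("bob", 2, "replied"), ("bob", 3, "clicked"),
    ("carol", 1, "reported"),                           # escalated at first touch
    ("dave", 1, "replied"), ("dave", 2, "reported"),    # engaged, then escalated
    ("erin", 1, "ignored"), ("erin", 2, "ignored"), ("erin", 3, "ignored"),
    ("frank", 1, "replied"), ("frank", 2, "replied"), ("frank", 3, "ignored"),
]

def by_learner(events):
    """Group outcomes per learner keyed by step, so each sequence is judged whole."""
    seq = defaultdict(dict)
    for learner, step, outcome in events:
        seq[learner][step] = outcome
    return seq

def click_rate(events):
    """The one-shot metric: share of learners who clicked the action message."""
    seq = by_learner(events)
    return sum(s.get(ACTION_STEP) == "clicked" for s in seq.values()) / len(seq)

def report_rate(events):
    """Leading indicator: share of learners who reported at any step."""
    seq = by_learner(events)
    return sum("reported" in s.values() for s in seq.values()) / len(seq)

def early_report_rate(events):
    """Share who reported before the action step, i.e. saw the pattern forming."""
    seq = by_learner(events)
    early = sum(any(o == "reported" for st, o in s.items() if st < ACTION_STEP)
                for s in seq.values())
    return early / len(seq)

def hidden_exposure(events):
    """Learners who replied to the pretext but never escalated and never clicked:
    invisible to click rate, yet the population a patient attacker is cultivating."""
    seq = by_learner(events)
    return sorted(l for l, s in seq.items()
                  if "replied" in s.values() and "reported" not in s.values()
                  and "clicked" not in s.values())

if __name__ == "__main__":
    print(f"click rate         {click_rate(EVENTS):.0%}")
    print(f"report rate        {report_rate(EVENTS):.0%}")
    print(f"early report rate  {early_report_rate(EVENTS):.0%}")
    print("hidden exposure   ", hidden_exposure(EVENTS))
```

On this data the click rate reads as a reassuring 17% while one learner replied twice to the pretext and never escalated; that last group, tracked campaign over campaign, is the number that says whether people are seeing the pattern.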
The bigger picture
Pretexting doubling doesn't mean phishing simulations are useless. It means the threat profile has matured past what most simulation programs are designed for. The organizations that will look like outliers a year from now are the ones updating their content, expanding their channels, and changing what they measure now — not the ones still iterating on better single-email subject lines.
The 2025 DBIR was the wake-up call. The 2026 report will tell us who listened.
Source: Verizon 2025 Data Breach Investigations Report — Executive Summary.