
Pretexting: what the Wetherspoon case means and what to fix this week


Pretexting (aka “blagging”) is when an attacker invents a believable story and impersonates someone you’d normally trust (police, a supplier, “head office,” a colleague) to trick staff into revealing data or triggering payments, usually by phone or email.


It’s not niche: Verizon’s Data Breach Investigations Reports show pretexting/BEC almost doubled year-on-year in the 2023 dataset and has stayed elevated since, making up around a quarter of financially-motivated attacks in the 2024 data.

In the UK, the wider fraud picture is also worsening, with a 12% rise in cases in 2024: the backdrop in which these impersonation plays thrive.



Raine v JD Wetherspoon plc [2025] EWHC

A convincing caller pretended to be a police officer. Staff checked a record and handed over a phone number. The High Court said that’s:

  (a) misuse of private information,

  (b) breach of confidence, and

  (c) GDPR processing, because the data came from a recorded system before it was spoken.


Policies existed. They weren’t followed. Damages were awarded.


The case in plain English

  • Ex-employee. Emergency contact number in a personnel file.

  • Abusive ex rings the pub, claims to be police, asks for the number.

  • Staff look in the file and read it out.

  • Harassment follows.

  • Court says: that disclosure engages misuse of private information and breach of confidence; and because the number was lifted from a record, saying it aloud still counts as GDPR “processing.”

  • Damages: £4,500 for the distress caused.


The point isn’t that Wetherspoon had no policy. They did, but it wasn’t used in the moment.

Remember: training on pretexting or blagging is only useful if people use it under pressure. Courts look at practice, not just policy binders.


Consider this Approach


“We do not disclose personal information to third parties over inbound calls. We verify via a trusted channel or we refuse.”

  • “I’m not authorised to share personal information by phone. Please email from your official domain.”

  • “For police requests, we’ll call your force switchboard and ask for you by name/collar number.”

  • Never call back on a number given by the caller. Use the published switchboard.


Logging:

  • Who called, what they wanted, what you refused, who you escalated to.

  • These logs are gold when you need to explain decisions later.


In Summary

Pretexting is an everyday pressure on busy staff. Raine v Wetherspoon just underlined that if you open a record and say the contents out loud, you’ve processed data, and you can be liable even if a policy exists on paper. The fix is behavioural, not theoretical: make “no disclosure on inbound calls” the norm, verify via trusted channels, escalate when in doubt, and log every attempt.


Emma Kitcher, Privacy Nerd