Pretexting is a social engineering technique used in cybersecurity to trick individuals into divulging sensitive information or performing actions that they wouldn’t normally do. The attacker typically creates a false pretext, or a fabricated story, in order to gain the trust of the victim and convince them to take the desired action.
Pretexting attacks can take many forms, such as posing as a trusted authority figure (like a bank representative), a technical support agent, or a vendor needing sensitive information to complete an order. The attacker may use various tactics to persuade the victim, such as feigning urgency, creating a sense of importance, or impersonating someone the victim knows or trusts.
Once the victim has been persuaded, they may disclose sensitive information, such as passwords or account numbers, or perform actions such as downloading and installing malware on their computer, opening a malicious email attachment, or visiting a phishing website.
Over 71 million people fall victim to cybercrime every year.~Comparitech.
Pretexting attacks can be difficult to detect because they often exploit human vulnerabilities, such as trust and social norms, rather than technical vulnerabilities in software or hardware. As such, it is important for individuals and organizations to be vigilant and cautious when sharing sensitive information or performing actions in response to unexpected requests or unusual circumstances.
Pretexting in Cybersecurity -Definitions and Overview
Pretexting is a type of fraud involving using pretexts to gain access to someone else’s personal information. Pretexting may also be called impersonation, identity theft or identity fraud.
Attackers will employ pretexting, social engineering, to get what they want from you by convincing you that they have a legitimate reason to believe them.
Criminals that engage in pretexting sometimes combine various forms of social engineering, such as impersonation or phishing, with their signature tactic, a plausible-sounding pretext or invented story.
Pretexting is a tactic used by attackers to either acquire access to sensitive information or get you to give money to them. Any electronic or verbal communication, including but not limited to text messages, emails, telephone calls, and in-person meetings, can be used for pretexting.
The pretexting attacker must craft a convincing story that makes you think the message is from someone you can trust.
Pretexting Attack Techniques
Pretexting is commonly used by hackers when they’re trying to obtain financial or personal information from you. They use the following tricks:
Phishing is a method of fraud that uses email to lure victims into revealing personal information, such as passwords and credit card details. The emails are designed to look like a legitimate company, such as a bank, or online shop, has sent them. The aim is to make the victim click on links within the email, which then takes them to a fake website set up by the scammer.
Related Read Phishing vs Spam
Tailgating is a social engineering attack where the attacker uses someone else’s credentials to gain unauthorized access to a building or facility. To do this, the attacker follows closely behind someone with legitimate access and then uses that person’s identification badge to gain entry through the same door.
Piggybacking is a social engineering attack where an unauthorized person gains access to a secure facility by riding on top of another authorized person (or vehicle). Piggybacking can be carried out with or without the individual’s consent. For example, an attacker could ride on top of another person’s car and enter a secure facility as if they were authorized to enter it.
Scareware is malicious software (malware) that displays false messages and warnings to convince users that their computers have been infected with viruses or spyware. These messages often require users to purchase antivirus software or pay for support services before they regain access to their systems.
Impersonation is when someone pretends to be someone else to gain access to confidential information or trust from others. Impersonators may use social engineering tactics such as creating fake profiles on social media sites or email spoofing to gain access to sensitive information.
This technique involves using information about people or organizations to obtain sensitive data from them via email or phone calls; for example, posing as a company executive requesting personal information from employees who think they’re helping their boss out with something important but not realizing they’re exposing their data.
Vishing and Smishing
Vishing (Voice phishing) and smishing (SMS phishing) are other forms of pretexting that involve making phone calls or sending text messages to the target. Vishing uses voice-over-Internet protocols (VOIP) technology to make it appear that the caller is calling from a legitimate business when they are located elsewhere in the world.
In smishing, text content is spammed through short message service (SMS) messages sent to cell phones. These messages often contain links to malicious websites or attachments that can be used to install malware on victims’ computers.
Related Read: Types of Social Engineering
Protect Your Organization Against a Pretexting Attack
If you suspect that your organization has been the target of a pretexting attack, here are some steps you can take to protect yourself:
Pretexting often involves impersonation. Therefore a fake email that seems legitimate is essential. Therefore, spoofing is an essential tool for communicating via electronic mail. The most widely used method of defence against email spoofing, Domain-based Message Authentication, Reporting, and Conformance (DMARC), is restricted since it necessitates constant and complex maintenance.
Furthermore, DMARC prevents precise domain spoofing but does not display name spoofing or spoofing using cousin domains, which are significantly more common in spear-phishing assaults. Because DMARC works so well, attackers have started using more advanced methods.
Because many people need to understand how pretexting works, they may only realize that their organization has been targeted once it is too late. Educate yourself and your employees, so they know what prompting looks like and how to respond if they suspect it is happening.
Always See Identification
When someone comes into your office asking for information about an employee, always ask to see identification before providing any information. Have someone else verify the identity of the person requesting the information.
Examine the Pretext Carefully
Before you act on any request or instruction, consider whether it makes sense. For example, if someone asks you to send sensitive data via email or text, be wary — this could be a ploy designed to steal your information. Don’t automatically trust that what you’re being asked to do is legitimate or safe just because it looks like something your boss would do. Instead, verify with them directly before completing any task that involves sensitive data or money.
Monitor the Environment for Malicious Activity
Use security software that monitors all activity on your network and alerts you when suspicious activity occurs. Monitor activity in real-time so you have time to react if an attack begins.
Pretexting is a great strategy to have up your sleeve when needed, but it can also backfire if you’re not careful. Just make sure you plan to follow through with what you start, and you give others the benefit of the doubt until they prove otherwise.