What Is Pretexting?
What is pretexting in cybersecurity? Pretexting is a tactic attackers use and involves creating scenarios that increase the success rate of a future social engineering attack will be successful. Social engineering refers to when a hacker impersonates someone the victim knows—such as a coworker, delivery person, or government organization—to access information or sensitive systems. In many cases, pretexting may involve interacting with people either in person or via a fraudulent email address as they launch the first phase of a future attempt to infiltrate a network or steal data using email.
In a pretexting attack, the attacker convincingly presents a story using legitimate-looking message formats and images (such as government logos), tone, and wording. Note that a pretexting attack can be done online, in person, or over the phone. The goal is to put the attacker in a better position to launch a successful future attack.
Pretexting also enables hackers to get around security technologies, such as Domain-based Message Authentication Reporting and Conformance (DMARC), which is supposed to stop hackers from faking email addresses.
What Is the Difference Between Pretexting and Phishing?
The primary difference between pretexting and phishing is that pretexting sets up a future attack, while phishing can be the attack itself. In fact, many phishing attempts are built around pretexting scenarios.
For example, an attacker can email a customer account representative, sending them malware disguised as a spreadsheet containing customer information. A high-level executive can be misled into thinking they are speaking with someone else within the firm or at a partner company as part of a spear-phishing attack. However, according to the pretexting meaning, these are not pretexting attacks. Pretexting is confined to actions that make a future social engineering attack more successful.
For instance, by dressing up as someone from a third-party vendor, an attacker can pretend to have an appointment with someone in your organization’s building. To make the pretext more believable, they may wear a badge around their neck with the vendor’s logo. The disguise is a key element of the pretext. Also, because of pretexting, this attacker can easily send believable phishing emails to anyone they form a rapport with.
Phishing can be used as part of a pretexting attack as well. Although pretexting is designed to make future attacks more successful, phishing involves impersonating someone using email messages or texts.
How Do Cybercriminals Use Pretexting at the Organizational Level?
At the organizational level, a pretexting attacker may go the extra mile to impersonate a trusted manager, coworker, or even a customer. They may also create a fake identity using a fraudulent email address, website, or social media account.
In some cases, the attacker may even initiate an in-person interaction with the target. For example, a hacker pretending to be a vendor representative needing access to sensitive customer information may set up a face-to-face meeting with someone who can provide access to a confidential database. During this meeting, the attacker's objective is to come across as believable and establish a rapport with the target. In this way, when the hacker asks for sensitive information, the victim is more likely to think the request is legitimate.
Real-World Pretexting Examples and How To Recognize Them
Here are some real-life examples of pretexting social engineering attacks and ways to spot them:
- Hewlett-Packard employed private detectives in 2006 to check whether board members were leaking information to the media. To do this, the private investigators impersonated board members and obtained call logs from phone carriers.
- In 2015, Ubiquiti Networks transferred over $40 million to attackers impersonating senior executives.
- In 2017, MacEwan University sent almost $9 million to a scammer posing as a contractor. The attacker asked staff to update their payment information through email.
In each of these situations, the pretext attacker pretended to be someone they were not. Therefore, the easiest way to not fall for a pretexting attack is to double-check the identity of everyone you do business with, including people referred to you by coworkers and other professionals.
Top Seven Pretexting Attack Techniques
Here are the seven most common types of pretexting attacks:
An impersonator mimics the actions of someone else, typically a person the victim trusts, such as a friend or coworker. This entails establishing credibility, usually through phone numbers or email addresses of fictitious organizations or people.
Threat actors can physically enter facilities using tailgating, which is another kind of social engineering. Tailgating refers to sneakily entering a facility after someone who is authorized to do so but without them noticing. Before the door is fully closed and latched, the threat actor may swiftly insert their hand, foot, or any other object inside the entryway.
Piggybacking involves an authorized person giving a threat actor permission to use their credentials. For instance, an unauthorized individual shows up at a facility's entrance, approaches an employee who is about to enter the building, and requests assistance, saying they have forgotten their access pass, key fob, or badge. Depending on how believable the act is, the employee may choose to help the attacker enter the premises.
A baiting attack lures a target into a trap to steal sensitive information or spread malware. This may involve giving them flash drives with malware on them. The bait frequently has an authentic-looking element to it, such as a recognizable company logo.
Phishing is the practice of pretending to be someone reliable through text messages or emails. Like most social engineering attacks, the goal is to steal private data, such as passwords or credit card numbers. Pretexting and phishing are two different things but can be combined because phishing attempts frequently require a pretexting scenario.
By tricking a target into thinking they are speaking to an employer or contractor, for instance, pretexting improves the likelihood that the phishing attempt will be successful. Compromised employee accounts can be used to launch additional spear-phishing campaigns that target specific people.
Vishing, often known as voice phishing, is a tactic used in many social engineering attacks, including pretexting. This attack technique involves using phone calls to coerce victims into divulging private information or giving attackers access to the victim's computer.
For instance, the attacker may phone the victim and pose as an IRS representative. Vishing attackers typically use threats or other tactics to intimidate targets into providing money or personal information. IRS fraud schemes often target senior citizens, but anyone can fall for a vishing scam.
Scareware overwhelms targets with messages of fake dangers. For example, a scareware attack may fool a target into thinking malware has been installed on their computer. The victim is then asked to install "security" software, which is really malware.
How to Protect Your Organization Against a Pretexting Attack
Here are some of the ways to protect your company from pretexting:
Examine the Pretext Carefully
Pretexting's major flaw is that pretexters frequently use a well-known brand name. This means that a potential victim can get in touch with the company the criminal claims to work for and inquire about the attacker’s credibility. Employees should always make an effort to confirm the pretext as part of your organization’s standard operating procedures.
Always Demand to See Identification
Always request an ID from anyone trying to enter your workplace or speak with you in person. An ID is often more difficult to fake than a uniform. This should help weed out any hostile actors and help maintain the security of your business.
Educate Your Staff
Employees are the first line of defense against attacks. Teach them about security best practices, including how to prevent pretexting attacks. Staff members should be comfortable double-checking credentials, especially if they have a reason to doubt them