What Is Pretexting?

What is pretexting in cybersecurity? Pretexting is a tactic attackers use and involves creating scenarios that increase the success rate of a future social engineering attack will be successful. Social engineering refers to when a hacker impersonates someone the victim knows—such as a coworker, delivery person, or government organization—to access information or sensitive systems. In many cases, pretexting may involve interacting with people either in person or via a fraudulent email address as they launch the first phase of a future attempt to infiltrate a network or steal data using email. 

In a pretexting attack, the attacker convincingly presents a story using legitimate-looking message formats and images (such as government logos), tone, and wording. Note that a pretexting attack can be done online, in person, or over the phone. The goal is to put the attacker in a better position to launch a successful future attack. 

Pretexting also enables hackers to get around security technologies, such as Domain-based Message Authentication Reporting and Conformance (DMARC), which is supposed to stop hackers from faking email addresses. 

The primary difference between pretexting and phishing is that pretexting sets up a future attack, while phishing can be the attack itself. In fact, many phishing attempts are built around pretexting scenarios.

For example, an attacker can email a customer account representative, sending them malware disguised as a spreadsheet containing customer information. A high-level executive can be misled into thinking they are speaking with someone else within the firm or at a partner company as part of a spear-phishing attack. However, according to the pretexting meaning, these are not pretexting attacks. Pretexting is confined to actions that make a future social engineering attack more successful.

For instance, by dressing up as someone from a third-party vendor, an attacker can pretend to have an appointment with someone in your organization’s building. To make the pretext more believable, they may wear a badge around their neck with the vendor’s logo. The disguise is a key element of the pretext. Also, because of pretexting, this attacker can easily send believable phishing emails to anyone they form a rapport with.

Phishing can be used as part of a pretexting attack as well. Although pretexting is designed to make future attacks more successful, phishing involves impersonating someone using email messages or texts.

At the organizational level, a pretexting attacker may go the extra mile to impersonate a trusted manager, coworker, or even a customer. They may also create a fake identity using a fraudulent email address, website, or social media account.

In some cases, the attacker may even initiate an in-person interaction with the target. For example, a hacker pretending to be a vendor representative needing access to sensitive customer information may set up a face-to-face meeting with someone who can provide access to a confidential database. During this meeting, the attacker's objective is to come across as believable and establish a rapport with the target. In this way, when the hacker asks for sensitive information, the victim is more likely to think the request is legitimate.

Here are the seven most common types of pretexting attacks:

An impersonator mimics the actions of someone else, typically a person the victim trusts, such as a friend or coworker. This entails establishing credibility, usually through phone numbers or email addresses of fictitious organizations or people.

Threat actors can physically enter facilities using tailgating, which is another kind of  social engineering. Tailgating refers to sneakily entering a facility after someone who is authorized to do so but without them noticing. Before the door is fully closed and latched, the threat actor may swiftly insert their hand, foot, or any other object inside the entryway.

Piggybacking involves an authorized person giving a threat actor permission to use their credentials. For instance, an unauthorized individual shows up at a facility's entrance, approaches an employee who is about to enter the building, and requests assistance, saying they have forgotten their access pass, key fob, or badge. Depending on how believable the act is, the employee may choose to help the attacker enter the premises.

A baiting attack lures a target into a trap to steal sensitive information or spread malware. This may involve giving them flash drives with malware on them. The bait frequently has an authentic-looking element to it, such as a recognizable company logo.

Phishing is the practice of pretending to be someone reliable through text messages or emails. Like most social engineering attacks, the goal is to steal private data, such as passwords or credit card numbers. Pretexting and phishing are two different things but can be combined because phishing attempts frequently require a pretexting scenario.

By tricking a target into thinking they are speaking to an employer or contractor, for instance, pretexting improves the likelihood that the phishing attempt will be successful. Compromised employee accounts can be used to launch additional spear-phishing campaigns that target specific people.

Vishing, often known as voice phishing, is a tactic used in many social engineering attacks, including pretexting. This attack technique involves using phone calls to coerce victims into divulging private information or giving attackers access to the victim's computer.

For instance, the attacker may phone the victim and pose as an IRS representative. Vishing attackers typically use threats or other tactics to intimidate targets into providing money or personal information. IRS fraud schemes often target senior citizens, but anyone can fall for a vishing scam.

Scareware overwhelms targets with messages of fake dangers. For example, a scareware attack may fool a target into thinking malware has been installed on their computer. The victim is then asked to install "security" software, which is really malware.