A threat actor sends an email to a user at an organization claiming to be from the IT department. They need a password to a critical application, and the email is convincing – it mentions aspects of the application that would only be known to the user, it brings up a recent update email that was sent out company wide, and it even closes with a friendly, “Hope to see you at next week’s happy hour!” in the sign-off. These little details used throughout the email build trust between the user and the threat actor and increase the odds that the threat actor’s ruse will succeed.
This is called pretexting, and it’s at the crux of many social engineering attacks, including business email compromise (BEC) and phishing, that are plaguing organizations around the globe.
What is Pretexting?
Pretexting is defined as a false narrative or scenario, created by a threat actor to trick a user into handing over information, granting access, or performing another action.
Pretexting plays a major role in social engineering attacks, as threat actors often use pretexting to build trust and convince an unsuspecting user to complete a desired action for financial gain or for initial access during a larger attack.
When a social engineering attack occurs, be it phishing, BEC, or another type of attack, the made-up story the threat actor uses to launch the attack is the pretext. In the MGM data breach of 2023, where a member of a ransomware group posed as a member of IT support during a vishing attack, that false identity was the pretext that allowed the cybercriminal to gain trust and make the user believe that the request they were receiving was legitimate.
How Does a Pretexting Scam Work?
A pretexting scam involves two major components, both created by the threat actor: the character, the false identity the bad actor is assuming, and the situation, the plot or false narrative that the threat actor is using to get their target to take a desired action.
The situation a threat actor presents while in character can be fictionalized, but at the very least, it needs to be believable. In the MGM scenario, the threat actor assumed the character of “IT support person,” and the situation was presented as “needing access to an application.”
To the victim, it was plausible that someone in IT would be reaching out about an application, which is why, at least in this instance, the employee was tricked into providing unauthorized access to their company-issued account. BEC is another attack type that frequently involves pretexting. After a threat actor has taken over an account, they pose as a known contact or play into a real-life scenario as they direct funds to a specific vendor. Pretexting attacks can also use spoofing techniques, such as sending from a legitimate-looking email address (or one that differs from a legitimate address by only a misspelled word) in BEC and phishing attacks.
Pretexting attacks may impersonate a known contact or business by using email addresses, names, titles, phone numbers, or other details and may include real information harvested from public sources to appear more legitimate.
A pretexting scam’s details will vary depending on the attack, but will follow a few basic steps:
1. The threat actor prepares for their attack by researching their target user(s) and organization to ensure their pretext is believable. This step will commonly involve searching LinkedIn and other social media sites for company and employee updates, the company’s website, industry news sites, and other sources easily accessible through Google.
2. The threat actor contacts the user through email, text message, or another medium.
3. The threat actor may use spoofing techniques and, maybe, a bit of creativity, to take on a character likely trusted by the user – perhaps a supervisor, someone from the C-suite, or an internal IT staff member.
4. The threat actor creates a believable scenario that draws on psychology (urgency, empathy, motivation) to trick the user into taking a desired action, such as providing access, data, credentials, or even money.
5. The threat actor either ends the attack or utilizes what they were given to launch a more sophisticated attack into the organization.
If the above steps sound like the same steps followed during a phishing attack, it’s because the two terms are closely related.
Pretexting is not the same as phishing but is a technique that can be utilized during a phishing attack. Pretexting is the method, and phishing is the medium. As we’ll discuss below, pretexting is used more often in spear phishing than in broad phishing. This is because spear phishing, unlike the mass “spray and pray” method used by standard phishing attacks, targets individual users and relies on highly personalized, tailored communication, in other words, more comprehensive pretexting, for the attack to succeed. Still, it’s hardly a niche form of attack. According to the 2024 Verizon Data Breach Investigations Report, pretexting accounts for over 40% of social engineering attacks, surpassing phishing (30%).
Pretexting and Business Email Compromise
Pretexting plays a major role in BEC attacks. So much so that, according to the same Verizon report, the “majority” of pretexting attacks had BEC as the outcome. That’s due to the fact that, with BEC, the character is already fleshed out – it’s an executive or other high-ranking employee at the organization. Once a threat actor takes over an email account, they are able to request funds, access, or other vital information, often with ease.
However, BEC is just one type of attack that utilizes pretexting for success.
Types of Pretext Attacks
Because pretexting is more of a technique than a specific kind of attack vector, it can take a number of forms.
Common types of pretexting attacks include:
- Spear phishing attacks: In this email-based attack, a threat actor targets a specific, single user within an organization to exfiltrate data, credentials, or funds. Spear phishing attacks often involve the threat actor pretending to be someone known to the user, often using a fake email address that is meant to look like a familiar one, such as a bank or an organization the user does business with.
- Business email compromise (BEC) attacks: During BEC attacks, the threat actor uses pretexting to pretend to be an executive or high-level business partner, a mid-level financial employee, or even HR and, after gaining access to an internal email account, uses that account to try to scam money out of the organization or third parties.
- Cryptocurrency scams: In this form of attack, the threat actor pretends to be an investor and asks the user for funds to invest in a cryptocurrency opportunity.
- Romance scams: Specifically targeted toward individuals, this attack sees threat actors making fraudulent dating profiles to extort information or money from victims.
- Invoice scams: In this scam, the threat actor pretends to be a third party and sends an invoice that either requests funds or carries malware in the attached file. Invoice scams are often used during BEC attacks.
How To Stop a Pretexting Attack
Pretexting can be difficult to stop by its very nature, which is to appear to victims as believable and legitimate. This is where security awareness training can make a difference.
Designed to help users spot and stop social engineering attacks like pretexting, comprehensive security awareness training will use microlearning, current threat trends, and engaging content to reduce an organization’s human risk and help individuals spot pretexting messages.
But strong cybersecurity should offer protection against multiple parts of the attack surface. Email security tools are designed to help organizations spot these threats in real time, remove malicious emails from inboxes, block access to malicious links, and more. These tools add a layer of protection alongside security awareness training, helping reduce the number of emails sent by threat actors that reach users’ inboxes.
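Two of the sender-side cues described earlier in this article (a look-alike domain that differs from a legitimate one by a misspelled word, and a display name that borrows a trusted contact’s identity) can be checked mechanically before a message reaches a user, which is the kind of triage an email security layer performs. The script below is an added example written for this article; it is not Arctic Wolf’s or Mimecast’s code. The trusted-domain allowlist, the organization-name map, and the three sample messages are all constructed for the demonstration.

```python
"""Flag pretexting-style sender spoofing in email headers (defender-side triage).

Checks performed on each message:
  1. Look-alike domain: the From domain is within a small edit distance of a
     trusted domain but is not that domain (one misspelled word, one swapped letter).
  2. Display-name impersonation: the display name names a trusted organization
     while the address belongs to a domain that organization does not use.
  3. Reply-To mismatch: replies would be routed to a different domain than From.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed allowlist of domains the organization legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "example-bank.com", "vendor-supply.com"}
# Constructed map from organization names (as seen in display names) to their real domain.
ORG_NAMES = {"example bank": "example-bank.com", "vendor supply": "vendor-supply.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return address.rpartition("@")[2].lower()


def lookalike_of(domain: str, max_distance: int = 2) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    best = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(domain, t))
    return best if edit_distance(domain, best) <= max_distance else None


def analyse(raw: str) -> Dict[str, object]:
    """Parse one RFC 822 message and return the spoofing findings for it."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    findings: List[str] = []

    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"look-alike domain {from_dom!r} imitates {imitated!r}")

    for org, real_dom in ORG_NAMES.items():
        if org in display.lower() and from_dom != real_dom:
            findings.append(f"display name claims {org!r} but domain is {from_dom!r}")

    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)!r} differs from From domain")

    return {"from": addr, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages: one legitimate, one look-alike IT pretext, one
# display-name impersonation of a bank.
LEGIT = "From: Accounts <billing@vendor-supply.com>\nSubject: Invoice 1042\n\nSee attached.\n"
LOOKALIKE = ("From: IT Support <helpdesk@examp1e.com>\nReply-To: helpdesk@mail-forward.net\n"
             "Subject: Password reset required\n\nPlease confirm your password today.\n")
IMPERSONATION = ("From: Example Bank Security <alerts@secure-notify.org>\n"
                 "Subject: Unusual sign-in\n\nVerify your account.\n")


def triage_samples() -> Dict[str, Dict[str, object]]:
    """Run all three samples and return their results keyed by label."""
    return {"legit": analyse(LEGIT),
            "lookalike": analyse(LOOKALIKE),
            "impersonation": analyse(IMPERSONATION)}


if __name__ == "__main__":
    for label, result in triage_samples().items():
        print(label, "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

The edit-distance threshold is deliberately small: at distance 2 or less a domain is almost certainly a typosquat of a trusted one, while larger distances produce false positives on short names. In practice the allowlist would come from the organization’s vendor and partner records rather than a hard-coded set, and a hit would route the message to quarantine or a banner rather than block it outright.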
Learn how Arctic Wolf® Managed Security Awareness® prepares employees to spot and neutralize social engineering attacks and explore how Arctic Wolf’s Mimecast integration better secures email accounts against pretexting attacks.
Better understand what threats your organization is facing with the Arctic Wolf 2024 Security Operations Report.