What Is Pretexting?
Pretexting is a social engineering tactic used by threat actors to gain trust, data, or access to accounts using a fabricated story, or pretext. Threat actors will often assume the role of a person in authority, or a person the victim knows, to lend their story legitimacy.
How Does Pretexting Work?
Pretexting takes skill. And not the typical coding skills you might think of when you hear “cybercriminal.” Pretexting is about inhabiting a character and lying so convincingly that a victim gives up whatever the threat actor is asking for freely.
The key component of a pretexting attack is the conversation the threat actor has with the victim. During this conversation, the attacker will try to gather sensitive information through a series of lies.
This type of social engineering is often effective because the social engineer will have crafted a convincing story; done research on you, your role, and your organisation; and will know what they’re going to say, the questions they will ask you, and how to answer and react to any of your questions — all in a way that maintains their credibility. By manipulating emotions and creating a sense of urgency they get you to silence the critical part of your brain and act fast before you can catch on to their ruse.
Major Types of Pretexting Attacks
Pretexting attacks can take place online, over email, on the phone, through text messages, or even in person. Here are a few of the most common attack vectors in which pretexting is conducted:
Phishing involves fraudulent communication with the intent of stealing sensitive data (such as login credentials or credit card information), deploying malware into a computer system, committing financial fraud, or practically any other nefarious endeavor you might imagine.
From its origins at the start of the new millennium to today, phishing has turned our email inboxes into a danger zone. Simply opening an email and clicking on a link can have dire consequences.
Due to the prevalence of phishing, every business, regardless of its size or industry, is at risk. And since this type of attack relies on human error and has a high degree of success, phishing will remain a favorite tool of threat actors for the foreseeable future.
Scareware attacks use pop-up ads to frighten a user into thinking their system is infected with a computer virus, and that they need to purchase the offered anti-virus software to protect themselves. Instead, the software itself is malicious, infecting the user’s system with the very viruses they were trying to prevent.
Baiting uses a false promise — an online ad for a free game or deeply discounted software, or even a thumb drive mailed to you or left on the ground in the company parking lot — to trick the victim into revealing sensitive personal and financial information, or to get them to click on a malicious link or open a malicious file to infect their system with malware or ransomware.
Also known as voice phishing, vishing employs the telephone or VoIP (voice over internet protocol) technology. This type of attack is most commonly used against the elderly. Attackers may, for instance, claim to be a family member who needs an immediate money transfer to get themselves out of trouble. They might also pose as a charity, especially after a natural disaster, to solicit money.
Tailgating is an attempt to gain unauthorised physical access to secure spaces on company premises through coercion or deception. Organisations should be particularly sensitive to the possibility of recently terminated employees returning to the office using a key card that is still active, for example.
Common Pretexting Techniques?
Social engineers have, over time, developed, practiced, and perfected several pretexting techniques that they employ in specific situations, against specific targets.
This is the most common pretexting technique. In it, the threat actor does extensive research, pulling as much information as possible from publicly available resources and records such as social media and company reports and filings. Then the threat actor assumes a role.
Most often it’s a person in a position of power in your company. It could be your “CEO” asking you to purchase ten $100 gift cards. It could be a “third-party vendor” advising you to send payments to this new address. It could even be your “nephew,” whose car has broken down and needs money wired ASAP. Whatever the lie, social engineers count on their research, their skill, and your emotional response to an emergency to get you to take the action they want.
Impersonation is common in business email compromise (BEC) attacks, which often begin with pretexting.
It’s like catfishing, but more costly. In a romance pretext, the threat actor tricks you into believing they’re an attractive, available, potential partner, and that they have fallen for you. By leveraging the good feelings and trust this emotional state puts victims in, they then convince the love-struck target to send money, data, or credentials.
A relatively new pretext technique, this is the modern equivalent of the “Nigerian Prince” scam. If you’ve had email in the past three decades, you’re no doubt familiar with that particular phishing email, where a deposed Nigerian prince (or other person of means, royalty, or fame) needs your help moving a fortune out of their country.
If you agree to help, they promise to pay you a portion of the funds. But there is no prince, there is no fortune, and it’s all a scam designed to access your bank accounts and drain them.
The cryptocurrency pretext is largely the same scam, though reskinned in more modern get-rich-quick clothing. Here the threat actor promises an “incredible investment opportunity” in the emerging market of cryptocurrency, something few truly understand but nearly all are aware of.
Leveraging the power of the stories that have been circulating about how some of those who got in early have turned small investments into small fortunes, threat actors in this pretext promise that same sizable return. As soon as you send the money, the threat actor vanishes with it.
Preventing Pretext Attacks
Social engineers find success with pretexting because they know that employees are often overworked and under-trained. The key to stopping these attacks in their tracks is a robust security awareness training program, one that empowers employees to recognise and neutralise social engineering attacks like the ones above.
Arctic Wolf Managed Security Awareness® delivers high-quality, updated content to employees in small, manageable chunks at a greater frequency, improving reaction time, boosting engagement and increasing retention by up to 200%.