Pretexting, the art of creating fake stories to lure victims into divulging sensitive information, has more than doubled in 2023. This social engineering scam typically starts with an email, text, or social media message from someone claiming to be your client, your boss, or even a family member. The scammer then uses psychological pressure to push you into taking an action, such as clicking a malware-laden link or sharing your password.
Why is pretexting so dangerous?
It targets the weakest link in any organization: the workforce. It can be you, your boss, or any of the people you work with.
It’s not all doom and gloom though. There are remedies that keep this alarming cyber threat from penetrating your company’s defenses.
What is pretexting and how does it work?
A pretexting attack usually involves three main components:
Security engineer Gavin Watson describes pretexting in his book Social Engineering Penetration Testing as:
Watson outlines two main elements that are part of these social engineering attacks:
A character played by the scammer.
A plausible scenario laid out for the target to give up their information.
We're going to outline two examples that involve both the scammer's character and a plausible scenario used to trick people into letting their guard down.
How it happens in real life:
How it happens online:
These techniques exploit human psychology, trust, and vulnerabilities to manipulate individuals into divulging information or performing actions that benefit the attackers.
Awareness and skepticism are crucial in mitigating the risks associated with pretexting attacks.
Pretexting can take various forms, and scammers employ different tactics to deceive individuals into revealing sensitive information or performing certain actions. Most pretexting attacks can be categorized into:
Impersonation: Attackers assume false identities, such as pretending to be a trusted individual or a representative of a legitimate organization. They deceive victims into revealing sensitive information or performing actions they normally wouldn't.
Piggybacking: The attacker requests entry to a secured area by convincing an authorized individual to let them in. They exploit the person's kindness or lack of suspicion.
Baiting: Attackers lure victims with enticing offers like free downloads or giveaways. They trick their targets into clicking on malicious links or downloading malware-infected files. The result: compromising their devices or stealing their information.
Phishing: This technique involves sending fraudulent emails or messages that appear to be from reputable sources, such as banks or service providers. It tricks recipients into revealing personal information, login credentials, or initiating financial transactions.
Vishing: Vishing, or voice phishing, occurs when attackers use phone calls to impersonate legitimate entities, such as banks or government agencies. It deceives victims into revealing sensitive information or performing actions over the phone.
Smishing: Smishing refers to phishing attacks conducted through SMS or text messages. Attackers send text messages that appear to be from legitimate sources. This attack tricks recipients into clicking on malicious links or divulging sensitive information.
Scareware: Scareware displays false security alerts or pop-ups on victims' devices, typically claiming their system is infected with malware. The intention is to scare them into purchasing fake security software or providing personal information to resolve the issue.
Here are some common ways scammers can trick you:
Quite a lot of them.
Hackers have succeeded in impersonating people who might call you up out of the blue and demand the most sensitive information.
Just last year, these pretexting scams made headlines:
Uber suffered a breach after an employee sent their credentials to a fraudster who tricked them into believing he was from their IT department.
Twilio employees received emails and texts telling them that their passwords had expired. Hackers who sent those emails got access to the employees' old passwords through malicious websites.
In the United States, pretexting is generally illegal. The Gramm-Leach-Bliley Act of 1999 (GLBA) makes it “illegal for any individual to attempt to obtain, actually obtain, or cause an employee to disclose customer information by deception or false pretenses.”
Another piece of legislation, the Telephone Records and Privacy Protection Act of 2006, requires that telecom companies keep records to protect against pretexting scams.
Organizations should follow these guidelines to stay one step ahead of social engineering attempts:
Be skeptical and verify: Always question requests for personal information or actions that seem suspicious. Independently verify the identity of individuals or organizations through trusted channels before sharing sensitive data.
Strengthen privacy settings: Regularly review and update privacy settings on social media platforms to limit the amount of personal information available to potential attackers. Be cautious about sharing sensitive details online.
Educate yourself and your team: Stay informed about common pretexting tactics and warning signs. Provide comprehensive training to employees on identifying and responding to social engineering attempts.
Implement strong security measures: Utilize strong passwords, enable two-factor authentication (2FA) whenever possible, and ensure that your devices and software are up to date with the latest security patches.
Conduct security assessments: Regularly assess and evaluate the security measures in place within your organization. Engage professionals to conduct security audits and penetration testing to identify and address vulnerabilities proactively.
Foster a culture of cybersecurity awareness: Encourage a culture of vigilance and open communication regarding potential threats. Promote reporting suspicious activities or attempts to relevant authorities or your organization's security team.
We've learned how pretexting is a cunning and manipulative social engineering scam that relies on the power of deception and impersonation. This technique involves crafting false scenarios or identities to access sensitive information or resources. Whether in person, over the phone, or online, pretexting can be used to exploit human trust and empathy for malicious purposes. But with a cybersecurity awareness training program, you can minimize the risk it poses to you and your workplace.
Most pretexting attempts can be nipped in the bud by following a few rules: