Pretexting: A Social Engineering Scam

Pretexting, the art of creating fake stories to lure victims into divulging sensitive information, has more than doubled in 2023. This social engineering scam typically involves you getting an email, text, or social media message from someone claiming to be your client, boss, or even family. The scammer then uses psychological techniques to compel you into taking an action i.e. clicking on a malware-laden link or sharing your password.

Why is pretexting so dangerous?

It targets the weakest link in any organization: the workforce. It can be you, your boss, or any of the people you work with.

It’s not all doom and gloom though. And there are remedies to address this alarming cyber threat from penetrating your company’s defenses.

Explaining Pretexting: Know thy enemy

What is pretexting and how does it work?

A pretexting attack usually involves three main components:

Security engineer Gavin Watson describes pretexting in his book Social Engineering Penetration Testing as:

“"The key part ... [is] the creation of a scenario, which is the pretext used to engage the victim. The pretext sets the scene for the attack along with the characters and the plot. It is the foundation on which many other techniques are performed to achieve the overall objectives."

Watson outlines two main elements that are part of these social engineering attacks:

A character played by the scammer.
A plausible scenario laid out for the target to give up their information.

We're going to outline two examples that involve both the scammer's character as well as a plausible scenario used to trick people into leaving their guard down.

How it happens in real life:

How it happens online:

At a glance:

1. Pretexting Attack Types

2. Pretexting scams continue to grow sophisticated

3. Have any pretext-based phishing attacks occurred recently?

4. Is Pretexting illegal?

5. Preventing pretexting

6. Conclusion

7. Resources to combat pretexting scams

Pretexting Attack Types

These techniques exploit human psychology, trust, and vulnerabilities to manipulate individuals into divulging information or performing actions that benefit the attackers.

Awareness and skepticism are crucial in mitigating the risks associated with pretexting attacks.

Pretexting can take various forms, and scammers employ different tactics to deceive individuals into revealing sensitive information or performing certain actions. Most pretexting attacks can be categorized into:

Impersonation: Attackers assume false identities, such as pretending to be a trusted individual or a representative of a legitimate organization. They deceive victims into revealing sensitive information or performing actions they normally wouldn't.
Piggybacking: The attacker requests entry to a secured area by convincing an authorized individual to let them in. They exploit the person's kindness or lack of suspicion.
Baiting: Attackers lure victims with enticing offers like free downloads or giveaways. They trick their targets into clicking on malicious links or downloading malware-infected files. The result: compromising their devices or stealing their information.
Phishing: This technique involves sending fraudulent emails or messages that appear to be from reputable sources, such as banks or service providers. It tricks recipients into revealing personal information, login credentials, or initiating financial transactions.
Vishing: Vishing, or voice phishing, occurs when attackers use phone calls to impersonate legitimate entities, such as banks or government agencies. It deceives victims into revealing sensitive information or performing actions over the phone.
Smishing: Smishing refers to phishing attacks conducted through SMS or text messages. Attackers send text messages that appear to be from legitimate sources. This attack tricks recipients into clicking on malicious links or divulging sensitive information.
Scareware: Scareware displays false security alerts or pop-ups on victims' devices, typically claiming their system is infected with malware. The intention is to scare them into purchasing fake security software or providing personal information to resolve the issue.

Pretexting scams continue to grow sophisticated

Here are some common ways scammers can trick you:

Have any pretext-based phishing attacks occurred recently?

Quite a lot of them.

Hackers have succeeded in impersonating people who might call you up out of the blue and demand the most sensitive information.

Just last year, these pretexting scams made headlines:

Uber suffered a breach after an employee sent their credentials to a fraudster who tricked them into believing he was from their IT department.
Twilio employees received emails and texts telling them that their passwords had expired. Hackers who sent those emails got access to the employees' old passwords through malicious websites.

Is Pretexting illegal?

In the United States, pretexting is generally illegal. The Gramm-Leach-Billey Act of 1999 (GLBA) makes it “illegal for any individual to attempt to obtain, actually obtain, or cause an employee to disclose customer information by deception or false pretenses.”

Another piece of legislation, the Telephone Records and Privacy Protection Act of 2006, requires that telecom companies keep records to protect against pretexting scams.

Preventing pretexting

Organizations should follow these guidelines to stay one step ahead of social engineering attempts:

Be skeptical and verify: Always question requests for personal information or actions that seem suspicious. Independently verify the identity of individuals or organizations through trusted channels before sharing sensitive data.
Strengthen privacy settings: Regularly review and update privacy settings on social media platforms to limit the amount of personal information available to potential attackers. Be cautious about sharing sensitive details online.
Educate yourself and your team: Stay informed about common pretexting tactics and warning signs. Provide comprehensive training to employees on identifying and responding to social engineering attempts.
Implement strong security measures: Utilize strong passwords, enable two-factor authentication (2FA) whenever possible, and ensure that your devices and software are up to date with the latest security patches.
Conduct security assessments: Regularly assess and evaluate the security measures in place within your organization. Engage professionals to conduct security audits and penetration testing to identify and address vulnerabilities proactively.
Foster a culture of cybersecurity awareness: Encourage a culture of vigilance and open communication regarding potential threats. Promote reporting suspicious activities or attempts to relevant authorities or your organization's security team.

Conclusion

We've learned how pretexting is a cunning and manipulative social engineering scam that relies on the power of deception and impersonation. This technique involves crafting false scenarios or identities to access sensitive information or resources. Whether in person, over the phone, or online, pretexting can be used to exploit human trust and empathy for malicious purposes. But with a cybersecurity awareness training program, you can minimize the risk it poses to you and your workplace.

Resources to combat pretexting scams

Most pretexting attempts can be nipped in the bud by following a few rules:

A checklist of things to do to avoid pretexting scams

Samir Yawar / Content Lead

Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir

A comic strip explaining why its important to report phishing attacks

Defence

FAQsFrequently Asked Questions

What is pretexting?

Pretexting is a social engineering technique where attackers deceive individuals by assuming false identities or scenarios to manipulate them into revealing sensitive information or granting unauthorized access.

How does pretexting work?

Pretexters gather information about their targets, build trust through persuasive techniques, and create plausible scenarios to trick victims into sharing confidential data or performing actions that benefit the attacker.

What are some common signs of a pretexting attempt?

Look out for unusual requests for personal information, unexpected urgency, inconsistencies in the story or identity of the person contacting you, or requests for bypassing standard security measures.

How can I protect myself from pretexting attacks?

Stay vigilant by verifying the identity of individuals before sharing personal information or performing requested actions. Regularly update privacy settings on social media, be cautious about what you share online, and educate yourself about common pretexting tactics.

What should I do if I suspect I've fallen victim to pretexting?

If you believe you've been targeted or have unknowingly shared sensitive information, immediately change passwords, notify relevant authorities or your organization's security team, and closely monitor your accounts for any suspicious activity.

Pretexting: Why You Need to Avoid this Social Engineering Scam