Social engineering attacks and scams are on the rise, and a practice known as pretexting is a major driver. Pretexting scams are becoming more convincing as scammers take advantage of new technology and products to build believable stories and mimic the finer details of legitimate communications. The shift to virtual and remote work, where identity is rarely verified face to face, has also helped attackers in their bid to obtain sensitive information.
Pretexting is one of the most common tactics used by cybercriminals, but it is also often not as well known as other social engineering techniques. This article will cover what pretexting is, how it works, the techniques used by threat actors, and how to protect against pretexting attacks.
What is Pretexting? Pretext Definition
Pretexting is a social engineering technique in which an attacker invents a scenario (the pretext) to persuade a target to hand over details that enable access to protected information. The goal may be a user's password, an account number, or even just a name or job title, to be used later in a follow-on attack.
It typically starts with the attacker impersonating somebody the victim knows or trusts, such as a relative, a supplier, or a government body. The attacker adopts a legitimate-sounding tone, messaging format and storyline so that the victim is primed for a future or secondary attack. This is most commonly done by email from spoofed or lookalike addresses, but pretexting can also happen in person, over the phone, or through a combination of these channels.
Pretexting Examples
One of the most common examples of a pretexting attack is when a cybercriminal pretends to be someone powerful in an organization, such as the CEO, part of the IT team or from HR. The attacker will then create a scenario to convince the victim to give up sensitive or personal information. Impersonation is the pretext used to engage the victim.
By masquerading as someone in a position of authority, an attacker can pressure employees who hold extensive privileges into acting on a request without verifying it.
Are Pretexting and Phishing the Same?
Although similar, pretexting and phishing are not the same. Phishing relies on urgent or fear-driven messaging to make victims act immediately; the message is the attack itself. Pretexting, by contrast, sets up a future attack by building the victim's trust over time. Many phishing scams are built on top of a pretexting scenario.
The definition of pretexting is confined to the groundwork an attacker lays to make a later attack more successful. For example, an attacker might dress as a contractor or courier to make the pretext more believable in person. Once a rapport exists, any phishing emails the attacker sends afterwards are far more likely to be believed. Learn more about phishing or spear phishing.
Pretexting Attack Techniques to Look Out For
Pretexting attackers use a variety of techniques to exploit their victims' trust and convince them to hand over sensitive information. Seven common techniques are listed below:
1. Impersonations
An impersonator mimics the behavior and communication style of another person, usually someone the victim trusts. Impersonation relies on establishing and maintaining credibility, often by spoofing the caller ID or email address of the impersonated organization or individual, or by registering a lookalike domain. Caller ID and the From header of an email are both attacker-controlled, so neither proves who is on the other end.
One example of an impersonation pretexting attack is a SIM swap scam. The attacker impersonates the victim to the mobile operator, claims to have lost their phone, and persuades the operator to move the victim's number to a SIM the attacker controls. SMS one-time passcodes and password-reset messages sent to that number then arrive on the attacker's device, which is why SMS-based authentication is weaker than app- or hardware-based methods.
2. Tailgating
Tailgating is a technique that involves the attacker getting access to a facility by following closely behind authorized personnel without being noticed. After nearing the entrance, the attacker may quickly stop the door from closing and locking by using an object or their foot.
3. Piggybacking
Whereas tailgating relies on the employee being unaware they are followed, piggybacking is when the authorized individual knowingly lets the attacker "piggyback" on their access. For instance, the attacker approaches an employee with a story about having forgotten their badge and asks to be let in.
4. Baiting
A baiting attack lures a victim into a trap, usually to steal sensitive information or deliver malware. A typical form is leaving or handing out an authentic-looking USB drive that carries malware; when the victim plugs it into a personal or work device, the malware runs. The same technique is used with malicious websites and malware-laced applications.
5. Phishing
Pretexting greatly increases the chances of a phishing attempt succeeding. Phishing involves an attacker impersonating a trusted entity in a message (email or text) to obtain sensitive information such as passwords and card details. Phishing and pretexting are often confused, but they are two different things that attackers routinely combine.
6. Vishing
Vishing, or voice phishing, is a technique where the attacker uses phone calls to get victims to reveal private information or to grant remote access to their computer. A common example is a call from someone claiming to be a government representative, as in tax-refund or tax-debt scams.
7. Scareware
Scareware uses scare tactics to trick victims into installing malware. It bombards victims with fictitious threats and false alarms to make it look as if their system is already infected, then prompts them to install "security software" that is in fact the malware.
How to protect against a Pretexting Attack?
Pretexting attacks are constantly evolving, but fortunately, there are methods that users can take to prevent pretexting or protect themselves from becoming victims of one. Below are some common ways to protect against a pretexting attack.
- Be aware of the context and details. Users should be extra vigilant with unsolicited communications. Check that the brand name is spelled correctly and that the sender's actual address and domain, not just the display name, match the organization. To confirm a request, contact the company through a channel you already know (a phone number on file or the official website), never through contact details supplied in the suspicious message itself.
- Demand to see and check official identification. Always request ID from anyone trying to enter a workplace or who approaches you in person. An ID is harder to fake than a uniform and helps identify who you are dealing with.
- Technology and AI assistance. There are now many applications and technologies that help users identify fraudulent behavior. Deployed at the mail gateway or in the client, they can flag anomalies in sender addresses, display names, domains and traffic patterns. Natural-language classifiers can also examine message wording to catch phrases commonly used in pretexting and warn users.
- Training staff to spot techniques. Employees are typically the first line of defense. It is vital to educate users so they can recognize pretexting techniques and know how to respond. They should also be taught current security practices and how to verify credentials properly, especially in a remote work environment. This limits the rate of successful attacks. Organizations should also establish written procedures, including rules for financial transactions and for validating any change of payment or card details, for example by calling back on a number already on file before acting.
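The sender checks in the first and third bullets above can be automated. The following is an added example written for this article, not Sangfor product code: it parses the From and Reply-To headers of a message and flags a display name that borrows a trusted brand or address, a homoglyph or typosquat lookalike of a trusted domain, and a Reply-To that redirects replies elsewhere. The trusted-domain list, brand words, similarity threshold and sample headers are all constructed for illustration.

```python
"""Flag sender anomalies that often accompany a pretexting email.

Assumed inputs: a dict of already-parsed header fields (From, Reply-To).
TRUSTED_DOMAINS, BRAND_WORDS and SAMPLE_HEADERS are constructed for this
example and are not drawn from any real organisation.
"""
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Domains this (hypothetical) organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "payroll-provider.example"}

# Brand words an attacker is likely to put in a display name to borrow trust.
BRAND_WORDS = {"example", "it helpdesk", "payroll"}

# Single-character lookalikes; multi-character ones ("rn" for "m") are
# handled in normalize_domain. NFKC folds decomposable Unicode confusables
# (e.g. fullwidth letters); it does not decode punycode (xn--) IDNs.
CHAR_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

SIMILARITY_THRESHOLD = 0.85  # assumed ratio above which a domain counts as a typosquat


def normalize_domain(domain: str) -> str:
    """Collapse common lookalike tricks so a spoofed domain maps onto the real one."""
    folded = unicodedata.normalize("NFKC", domain).lower().strip()
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.translate(CHAR_HOMOGLYPHS)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def closest_trusted(domain: str) -> tuple[str, float]:
    """Most similar trusted domain and its similarity ratio (0..1)."""
    best, score = "", 0.0
    for trusted in TRUSTED_DOMAINS:
        ratio = SequenceMatcher(None, domain, trusted).ratio()
        if ratio > score:
            best, score = trusted, ratio
    return best, score


def check_sender(headers: dict) -> list[str]:
    """Return human-readable findings for one message's From/Reply-To headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = domain_of(addr)
    normalized_trusted = {normalize_domain(t) for t in TRUSTED_DOMAINS}

    if domain not in TRUSTED_DOMAINS:
        # 1. The display name borrows a trusted address or brand word while the
        #    real sender is elsewhere. Mobile clients often show only the name.
        if "@" in name and domain_of(name) in TRUSTED_DOMAINS:
            findings.append(f"display name {name!r} spoofs a trusted address; actual sender is {addr}")
        elif any(word in name.lower() for word in BRAND_WORDS):
            findings.append(f"display name {name!r} uses brand wording but sender domain is {domain}")

        # 2. The sender domain is a lookalike of, or a typosquat on, a trusted domain.
        if normalize_domain(domain) in normalized_trusted:
            findings.append(f"sender domain {domain} is a homoglyph lookalike of a trusted domain")
        else:
            trusted, score = closest_trusted(domain)
            if score >= SIMILARITY_THRESHOLD:
                findings.append(f"sender domain {domain} is {score:.0%} similar to trusted {trusted}")

    # 3. Replies are silently redirected to a different domain than the From address.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append(f"Reply-To {reply_to} redirects replies away from {addr}")
    return findings


# Constructed sample headers: one legitimate message followed by four pretexts.
SAMPLE_HEADERS = [
    {"From": "Alice Chen <alice.chen@example.com>"},
    {"From": "IT Helpdesk <helpdesk@examp1e.com>"},                       # digit-for-letter lookalike
    {"From": "CEO <ceo@example.com>", "Reply-To": "ceo@mail-relay.test"},  # redirected replies
    {"From": '"alice.chen@example.com" <attacker@freemail.test>'},        # address in display name
    {"From": "Notifications <noreply@payrol-provider.example>"},          # dropped-letter typosquat
]


def scan_all(messages=SAMPLE_HEADERS) -> list[list[str]]:
    """Run check_sender over a batch; index i of the result corresponds to messages[i]."""
    return [check_sender(h) for h in messages]


if __name__ == "__main__":
    for headers, findings in zip(SAMPLE_HEADERS, scan_all()):
        print(headers["From"], "->", findings or ["no anomalies"])
```

Run as a script it prints one line per sample message. Heuristics like these are a first filter, not a verdict: a legitimate newsletter may use a third-party Reply-To, and a trusted domain can itself be spoofed if SPF, DKIM and DMARC are not enforced, so the output belongs in a triage queue or a user-facing banner rather than an automatic block.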
The Bottom Line
Security awareness training and education are critical, especially against pretexting, because pretexting attacks are designed to manipulate human emotions, trust and vulnerabilities. Even so, awareness alone is not a foolproof solution. Cybercriminals keep getting smarter and exploit technology to their advantage, so organizations should use technology to theirs as well. Modern cyber security systems and applications add a layer of defense that training alone cannot provide.
Protect from Pretexting attacks with support from Sangfor
Although pretexting gets less attention than phishing in discussions of social engineering, it is just as important to understand. Learning to recognize and defend against pretexting helps organizations and users avoid becoming victims of the scams it sets up. The main takeaway is to stay alert to any communication you receive and never give up sensitive information without verifying the request through a channel you trust. Pretexting should be part of cyber security education and a core consideration when developing your organization's cyber security policies. If you are interested in learning more about spotting pretexting and defense techniques, please do not hesitate to get in touch with our team.