Who can you trust? The IT technician who just called you asking for access to a company account? The courier you held the door for as you walked into the office? It’s easy to trust people who seem confident and convincing, but that’s what pretexting scammers depend on. So what is pretexting, how does it work, and could you be its next victim?
Pretexting and social engineering
While scams like phishing rely on creating a false sense of urgency and pushing a victim into action, pretexting is a little more subtle. As the name suggests, this method involves creating a convincing pretext.
It’s all about trust and building a rapport with someone, so they feel comfortable giving away information that the perpetrator wants. In a pretexting operation, the attacker tries to put the victim at ease by impersonating someone else.
Pretexting is a classic form of social engineering, and one that poses a unique risk to companies and business networks.
How does pretexting work?
There are different tactics and approaches that a pretexting attack can involve. Primarily, they fall into two categories:
Remote pretexting is the easiest method. In this scenario, the attacker reaches out to the target, usually by calling or emailing them. Once they’ve made contact, they can pretend to be someone the victim will naturally trust. If the pretext is convincing enough, the attacker can extract useful information about either the target or the company they work for.
Face-to-face is a high-risk approach for the attacker, but it’s not unheard of. Unlike the remote approach, a face-to-face pretext is built in person, using a convincing disguise and cover story. A malicious actor can get into an office or a household by wearing a fake uniform and convincing people of their authenticity in person. Posing as a repairman or a courier, the attacker can bypass security restrictions without raising too many eyebrows.
Businesses are particularly vulnerable to these attacks. If the pretexting is successful, the perpetrator can coax login details for company accounts or emails out of an employee. Then, they can launch further operations using these compromised accounts.
How to prevent pretexting?
Check the pretext
The biggest weakness of pretexting is the fact that attackers usually have to rely on a recognizable company name. This means that an employee can contact the business the perpetrator claims to work for and check their legitimacy. As part of best practice, employees should always attempt to double-check the pretext.
Always ask for ID in a face-to-face situation
If someone is attempting to enter an office or gain information face-to-face, always ask for ID. A uniform or courier’s outfit can be faked, but an ID is often harder to fake. Combined with the checking step, this should help screen out any malicious actors and keep your office space secure.
Raise awareness among employees
A company’s employees will always be the first line of defense when combating security threats. Teach your employees about security protocols and best practices, and you’ll make it more likely that the company as a whole stays safe. Foster an environment of individual responsibility. Ensure that your employees feel comfortable double-checking when in doubt. All these measures will go a long way to repelling pretexting attacks.