Who can you trust? The IT technician who just called you asking for access to a company account? The courier you held the door for as you walked into the office? It’s easy to trust people who seem confident and convincing, but that’s what pretexting scammers depend on. So what is pretexting, how does it work, and could you be its next victim?
Pretexting and social engineering
While scams like phishing rely on creating a false sense of urgency and pushing a victim into action, pretexting is a little more subtle. As the name suggests, this method involves creating a convincing pretext.
It’s all about trust and building a rapport with someone so they feel comfortable giving away information that the perpetrator wants. In a pretexting operation, the attacker tries to put the victim at ease by impersonating someone else.
Pretexting is a classic form of social engineering that poses a unique risk to companies and business networks.
How does pretexting work?
There are different tactics and approaches that a pretexting attack can involve. Primarily, they fall into two categories:
Face to face
Remote pretexting is the easiest method. In this scenario, the attacker reaches out to the target, usually by calling or emailing them. Once they’ve made contact, they can pretend to be someone the victim will naturally trust. If the pretext is convincing enough, the attacker can extract useful information about either the target or the company they work for.
Face to face is a high-risk approach for the attacker, but it’s not unheard of. Unlike the remote version, a face-to-face pretext is built in person, using a persuasive disguise and cover story. A malicious actor can get into an office or a household by wearing a fake uniform and convincing people of their authenticity in person. Posing as a repairman or a courier, the attacker can bypass security restrictions without raising too many eyebrows.
Businesses are particularly vulnerable to these attacks. If the pretexting is successful, the perpetrator can coax login details for company accounts or emails out of an employee. Then, they can launch further operations using these compromised accounts.
Cyber threats related to pretexting
All social engineering attacks are quite similar. They leverage trust to fool the potential victim into giving up valuable information to fraudsters. However, all of such attacks differ. Here are some examples of social engineering attacks akin to pretexting.
Tailgating is a type of social engineering attack when fraudsters pose as someone else to gain physical access to restricted areas where they can obtain valuable information. These types of attacks can be extremely devastating for businesses. For instance, bad actors might impersonate food delivery personnel to bypass regular security.
Phishing is one of the most common types of social engineering attacks. The idea behind phishing is to leverage the name of a well-known entity to get someone to reveal their sensitive information, such as passwords and usernames. Usually, phishing attacks are carried out over email, when hackers craft fake email messages that resemble a famous brand to fool unsuspecting users.
Vishing and smishing
Vishing, which means voice phishing, is a social engineering attack that uses phone services to trick people into giving up valuable information. A classic example would be a fraudster calling up their victim and pretending to be a bank representative to gain access to their account.
Smishing is a form of phishing but carried out over SMS messages. Essentially, smishing follows the same approach and techniques as phishing attacks. The medium over which the attack is carried out is the only major difference.
Scareware is the type of software that — just as the name hints — is designed to intimidate and scare the victim. Scareware is designed to flood the user with a variety of false warnings and error messages. In most instances, messages prompted by scareware include download links and falsely claim that the user needs a specific piece of software to clean up their device. Unfortunately, those download links usually lead to malware, often designed to steal private data.
A whaling attack, also referred to as CEO fraud, is very similar in its approach to a phishing attack. It employs all the same ideas, but it targets bigger fish, usually in the corporate sea. The targets are usually high-ranking employees within a company who receive emails supposedly from a CEO or someone equally senior. The goal is to lure out sensitive information.
All of these cyberattacks that include pretexting have one thing in common: the exploitation of users’ trust. In most cases, that is done through impersonation tactics, which can be quite hard to spot for an untrained eye.
How to prevent pretexting
Check the pretext
The biggest weakness of pretexting is the fact that attackers usually have to rely on a recognizable company name. This means that an employee can contact the business the perpetrator claims to work for and check their legitimacy. As part of best practice, employees should always attempt to double-check the pretext.
Always ask for ID in a face-to-face situation
If someone is attempting to enter an office or gain information face to face, always ask for an ID. A uniform or courier’s outfit can be faked, but an ID is often harder to fake. Combined with the checking step, this should help weed out any malicious actors and keep your office space secure.
Raise awareness among employees
A company’s employees will always be the first line of defense when combating security threats. Teach your employees about security protocols and best practices, and you’ll make it more likely that the company as a whole stays safe. Foster an environment of individual responsibility. Ensure that your employees feel comfortable double-checking when in doubt. All these measures will go a long way to repelling pretexting attacks.