Pretexting is the use of a fabricated story, or pretext, to gain a victim’s trust and trick or manipulate them into sharing sensitive information, downloading malware, sending money to criminals, or otherwise harming themselves or the organization they work for.
Understanding pretexting
Pretexting is a social engineering technique that exploits human vulnerability to extract confidential information from unsuspecting victims. Threat actors create a false narrative or pretext to deceive individuals into sharing personal data. These pretexts often involve impersonation, where the attacker assumes the identity of a trusted person or institution.
Pretexting attacks typically involve the attacker posing as someone who needs to verify the victim's identity. They may request sensitive information such as passwords, social security numbers, or financial details under the guise of legitimate reasons. Once the attacker obtains this information, it can be used for secondary attacks or identity theft.
Read more: What is social engineering and why healthcare is vulnerable
Pretexting attack techniques
Pretexting attacks employ various tactics to gain victims' trust and extract valuable information. Here are some common techniques used by threat actors:
Impersonation
Impersonation is a prevalent pretexting technique where the attacker masquerades as a trusted individual or institution. By spoofing phone numbers or email addresses, the attacker creates an illusion of credibility.
One example of impersonation is the SIM swap scam, which exploits vulnerabilities in two-step verification processes. Attackers impersonate victims and convince mobile operators to switch their phone numbers to their own SIM cards. This allows them to intercept one-time passwords and gain unauthorized access to accounts.
Tailgating
Tailgating is a physical social engineering technique that enables threat actors to gain unauthorized access to facilities. The attacker closely follows an authorized person into a building without being noticed. They may quickly stick their foot or an object into the door before it locks, allowing them to enter undetected.
Piggybacking
Piggybacking is similar to tailgating but involves the authorized individual knowingly assisting the attacker. For example, the attacker approaches an authorized person at the entrance of a facility and claims to have forgotten their access badge. The authorized person allows the attacker to enter with them out of goodwill or naivety.
Baiting
Baiting is a pretexting technique that entices victims with promises or rewards to trick them into performing certain actions. Attackers may use physical bait, such as malware-infected flash drives disguised as legitimate devices, or online bait, such as enticing ads that lead victims to malicious websites or infected applications.
Phishing
Phishing involves impersonating a trusted entity, typically through emails or text messages, to trick victims into revealing sensitive information. While phishing and pretexting are distinct techniques, they are often combined to increase the success rate of attacks. For example, phishing emails may leverage pretexting scenarios to deceive victims into believing they are interacting with a legitimate entity.
Vishing and smishing
Vishing (voice phishing) and smishing (SMS phishing) are social engineering techniques that exploit phone calls and text messages to deceive victims. Attackers may impersonate officials or institutions and use threats or scare tactics to coerce victims into disclosing confidential information or granting remote access to their devices.
Scareware
Scareware involves bombarding victims with false alarms and fictitious threats to trick them into installing malware or purchasing fraudulent software. Attackers create pop-up banners or send spam emails that claim the victim's system is infected with malware. They then offer fake solutions or direct victims to malicious websites.
Go deeper:
Laws of pretexting
Pretexting is generally illegal in the United States, especially for financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA). The GLBA prohibits individuals from obtaining customer information through deception or false pretenses. Financial institutions must educate their employees to identify and prevent pretexting attempts.
In 2006, Congress passed the Telephone Records and Privacy Protection Act, which extends protection to telecom companies' records. However, the legality of pretexting in other industries remains unclear, and prosecutors must determine which laws apply to file charges in specific cases.
Preventing pretexting attacks
Businesses can implement several measures to protect themselves against pretexting attacks:
DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a widely used email authentication protocol that helps prevent email spoofing, a common tactic in pretexting attacks. DMARC verifies the authenticity of incoming emails and reduces the risk of falling victim to impersonation-based attacks.
AI-based email analysis
To effectively combat pretexting, businesses require advanced detection methods beyond DMARC. Next-generation anti-spear phishing technology uses artificial intelligence (AI) to analyze user behavior, detect pretexting indicators, and identify anomalies in email addresses and traffic. Natural Language Processing (NLP) can decipher phrases and words commonly used in pretexting and spear-phishing attacks.
User education
To prevent attacks, businesses must educate employees about pretexting techniques. Sharing real-life examples of pretexting instances can raise awareness. Training should cover identifying email spoofing, studying email addresses for signs of spoofing, and validating requests involving financial transactions.
Related: What is DMARC and why you need it
See also: HIPAA Compliant Email: The Definitive Guide
Farah Amod
