What Is a Pretexting Social Engineering Scam? Definition, Attack Types and Prevention Tips


What is pretexting?

Pretexting is a form of social engineering attack in which the attacker fabricates an identity or a situation in order to draw sensitive information or confidential data out of a victim, or to lure the victim into taking actions they would not otherwise perform.

Unlike phishing attacks, which often rely on fear-induced actions, pretexting usually relies on a sense of assurance and on building trust with the victim through carefully crafted narratives that seem legitimate. The attacker tells a story using familiar formats and images (such as logos), a matching style and tone, and near-perfect English. Note that it can be done online, over the phone or in person. Once the attacker has gained trust and the victim starts to believe that the presented situation is authentic, the victim lowers their defences.

To carry out a successful attack, attackers do a thorough background check: they gather information on an organization, its employees and their roles and responsibilities, and keep track of information that is already publicly available. Once the attacker has sufficient knowledge of the potential victim, the attacker tells the victim a plausible story, for example by pretending to be a particular person, and lures them into revealing passwords, financial details, personal information, sensitive data, etc.

Another advantage of pretexting, from the attacker's point of view, is that it allows attackers to bypass security technologies such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which would otherwise stop them from faking email addresses.


Pretexting vs. Phishing: Key Differences

Pretexting and phishing are both social engineering tactics designed to deceive victims into revealing sensitive information, yet they differ, and the difference is largely psychological. Phishing can also serve as a component of a pretexting attack. Whereas pretexting focuses on crafting a credible backstory to increase the likelihood of later success, phishing entails posing as someone else through emails or text messages.

Phishing: Phishing is a deceptive practice where cybercriminals use fraudulent communications, generally emails, to trick victims into revealing personal information like usernames, passwords, and credit card details by creating a sense of urgency and through fear-mongering. Phishing attacks are usually not personalized because attackers rely on the law of averages, expecting that even if only a small number of targeted victims respond, the attack will still yield valuable data and access to it.

Pretexting: Pretexting employs a more targeted tactic, where attackers spend considerable time creating detailed backstories and scenarios tailored to their specific victim(s). In contrast to phishing, which depends on provoking quick emotional responses with urgent messages, pretexting aims to establish trust with the target over time through complex narratives that justify the request for confidential information.


Top Seven Pretexting Attack Methods

Here are the seven most common types of pretexting attacks:

  1. Impersonation:  An impersonator mimics the actions of another individual, often a trusted person such as a colleague or friend. This requires establishing a sense of authenticity, frequently by spoofing the phone numbers or email addresses of the impersonated entities or individuals.

A notable example of impersonation is the SIM swap scam, which exploits weaknesses in two-step verification processes like SMS or phone verification to seize control of target accounts. In this scam, the attacker pretends to be the victim, claiming their phone has been lost, and convinces the mobile carrier to transfer the phone number to the attacker’s SIM card. As a result, one-time passwords are sent to the attacker instead of the victim.

  2. Tailgating: Tailgating attacks take advantage of people’s tendency to be polite without questioning details. An attacker waits near an entrance and follows closely behind an employee using their access card, slipping in before the door closes. This allows the attacker to enter undetected.

Once inside, tailgaters can explore the premises, searching for vulnerabilities or sensitive assets. They often wear stolen uniforms or fake lanyards to blend in. If questioned, they provide convincing explanations to avoid suspicion. Over time, the intruder gathers information on security systems and weaknesses to share with their criminal network.

  3. Piggybacking: Piggybacking involves tricking people into granting access, rather than simply sneaking in. Attackers approach employees at entrances, claiming they have lost their ID badges or key cards, and appeal to their sympathy. This leads staff to hold doors open for them, a habit that can be exploited by malicious individuals posing as distressed co-workers.

To combat this, regular security awareness training is essential. Organizations should enforce policies that mandate proper badging and restrict access to unrecognized individuals. Technical safeguards, such as fast-closing doors, turnstile gates, staffed checkpoints, and video surveillance reviews, further strengthen security. Protecting facilities requires addressing both human behaviour and physical security measures.

  4. Baiting: A baiting attack entices victims with an appealing promise designed to ensnare them. Typically, the attacker’s goal is to deploy malware or steal sensitive information.

Baiting attacks often involve physical devices like malware-infected USB drives disguised with authentic labels. These baits are strategically placed in high-traffic areas such as lobbies, bus stations, or restrooms, where victims are likely to encounter them and be tempted to connect them to personal or work devices. Once connected, the bait triggers the installation of malicious software on the device.

Online baiting schemes also exist. They may lure victims through enticing advertisements to malicious websites or prompt them to download applications infected with malware.

  5. Phishing: Phishing involves masquerading as a trusted entity, such as in emails or text messages, to deceive individuals into sharing sensitive information like payment card details and passwords. While phishing and pretexting are distinct methods, they are often intertwined—phishing attacks frequently exploit pretexting scenarios.


Pretexting enhances the effectiveness of phishing attacks by creating believable scenarios. For example, if employees think they are communicating with a genuine contractor or employer, they may unknowingly disclose confidential information. Compromised employee accounts can also be used to launch further pretexting attacks, targeting individuals through spear phishing campaigns.

  6. Vishing and Smishing: Vishing exploits phone calls to lend credibility to social engineering scams. Attackers impersonate trusted entities like government agencies or banks, using spoofed caller IDs to lower victims’ defences. They craft elaborate stories, often claiming to need personal data or access to fix supposed issues. During these calls, skilled vishers coax victims into revealing login credentials, installing malware that grants remote access, or sending money overseas. By exploiting perceived authority, they breach systems to steal valuable data or assets.

Smishing operates similarly but uses text messages instead of calls. Attackers impersonate legitimate contacts through spoofed sender IDs, urging recipients to disclose sensitive information or click malicious links.

Both methods rely on initial credibility. Users should be cautious of unsolicited messages, verify sender identities through other means before sharing information, and avoid clicking links or downloading attachments without validation.

  7. Scareware: Scareware bombards users with false alerts about imminent threats to their devices. Fake popup messages and websites mimic antivirus software, urging visitors to download bogus security programs that actually contain malware like Trojans and spyware.

Once installed, this malware can compromise systems by stealing sensitive files or locking devices until victims pay ransom. These scams rely on deception and fear to manipulate users into making hasty decisions.

Educating users to recognize fake alerts and remain calm during security incidents is crucial. Regular backups and reliable security measures also safeguard against real threats.


How to Protect Against Pretexting Attacks

Training and Awareness

A highly effective defence against pretexting involves ensuring that employees are well informed and alert. Organizations should regularly provide training sessions to educate staff on the tactics used in pretexting scams, how to recognize signs of deceitful requests, and the critical importance of being cautious in any situation involving sensitive information.

Limit Access to Sensitive Information

Adopting the Principle of Least Privilege (PoLP) involves giving each person in your organization access only to the essential information for his or her job. This limits potential damage in case someone is deceived by attackers, as access to sensitive data and systems is strictly controlled based on job roles.

DMARC

DMARC stops exact-domain spoofing but does not stop display-name spoofing or cousin-domain spoofing, which are far more prevalent in spear-phishing attacks. Attackers have adopted these more sophisticated techniques mainly because of the effectiveness of DMARC.

Multifactor Authentication (MFA)

Implementing multifactor authentication (MFA) across all systems enhances security by requiring an extra verification step, which reduces the risk of compromised passwords. MFA provides added protection for accessing sensitive information and critical infrastructure.

AI-Based Email Analysis

To thwart pretexting, businesses should adopt AI-driven anti-spear phishing technology. This advanced approach analyses user behaviour, detects email anomalies like display name spoofing and cousin domains, and uses Natural Language Processing to spot suspicious language patterns.
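As an added illustration of the two gaps named in the DMARC section (display-name spoofing and cousin domains) and of the kind of header check an anomaly-based email filter performs, here is a small Python triage function. It is example code written for this article, not a product of Incognimous Labs; the trusted domains, brand token and From headers are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed: domains the organisation owns and the brand token an
# attacker would borrow; these are assumptions, not real domains.
TRUSTED_DOMAINS = {"acme-corp.example", "acme.example"}
BRAND_TOKENS = {"acme"}
# Visual look-alike substitutions commonly seen in cousin domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to score near-miss domain spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold homoglyphs so 'acrne-corp.example' reads as 'acme-corp.example'."""
    d = domain.lower()
    for lookalike, real in HOMOGLYPHS.items():
        d = d.replace(lookalike, real)
    return d


def classify_from(header: str) -> str:
    """Return 'trusted', 'display-name-spoof', 'cousin-domain' or 'external'."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # The display name borrows the brand or embeds a full address while the
    # real sender is elsewhere; DMARC never evaluates the display name.
    name_l = name.lower()
    if any(b in name_l for b in BRAND_TOKENS) or re.search(r"\S+@\S+", name_l):
        return "display-name-spoof"
    # Cousin domain: homoglyph twin, one or two edits away, or the brand inside another domain.
    folded = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(domain, trusted) <= 2:
            return "cousin-domain"
    if any(b in folded for b in BRAND_TOKENS):
        return "cousin-domain"
    return "external"
```

The verdicts are heuristics for routing a message to review, not a replacement for DMARC, which still handles the exact-domain case.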
