What is Pretexting?
By Nick Anderson
The growing number of cyberattacks each year warrants special attention from every individual. It is more crucial for employees of an organization to equip themselves with the right knowledge to fend off attempts to steal valuable information. As the saying goes, data is the most precious thing that exists in the modern world. And pretexting involves information about you as the first step towards a larger goal. Cybercriminals are always implementing new and clever ways to bypass basic human instincts.
When someone asks you about personal information, the first instinct is to verify the other person. It’s natural to consider who is asking for the information, why it’s being asked, and where it’s going to be used. Scams such as pretexting involve techniques that alleviate those concerns, allowing the scammer to earn trust and obtain sensitive information.
In this blog, we will cover how pretexting can lead to financial loss and a breach of confidential information.
How Pretexting Works
Pretexting is a social engineering technique. It aims to establish trust between the attacker and the target. To do this, the attacker first has to learn about the target. The internet is rife with information, and you might be surprised how easy it is to learn about a person through places such as social media, professional networking websites, company profiles, or any other place where you have a digital footprint.
The attacker will take one bit from one place and one bit from another, then make a persona that gives insight about you. The information will then be used in pretexting. As we said, the number one factor that makes pretexting successful is trust, which can only be built on authenticity. If you work for an organization, then the person will call you up, pretending to be a business affiliate of the organization. The attacker will share some information that will establish a connection of trust, therefore making you lower your guard.
You could be working in the finance department, and the attacker might impersonate a vendor and demand payment a bit earlier. Pretexting is not limited to corporate professionals; it can happen to any individual. You could receive a phone call claiming to be from your bank. Instead of you asking the questions, the attacker would play the card first so that it’s established that you are the one who needs to conform to a certain standard of verification before proceeding. The caller could tell you that your account has seen some suspicious activity or has been temporarily frozen and requires verbal verification to be reinstated. Once you have given personal information in the form of a credit card number, the attacker has enough to cause you financial loss.
As trivial as it may sound, your garbage bin could also be a source of information about you. Organizations make it a point always to shred important files, but personal documents are likely to get rolled into a ball and thrown in the trash bin. The bigger the target, the more thorough the pretexting will be.
Pretexting is at the heart of many types of cyberattacks, such as Spear Phishing.
How Pretexting and Phishing Differ
Phishing is a cyber technique that targets users through email, text, and malicious links. Pretexting is the act of establishing trust between the attacker and the target through a false identity and story. The essential difference between the two is that phishing does not require social engineering. It’s a one-size-fits-all kind of message that’s delivered to hundreds of targets. In phishing, the success rate is assumed to be low.
Spear Phishing is a sub-category that’s much more concentrated in approach and targets a group of people. The prelude to Spear Phishing is social engineering, and it’s here that Spear Phishing and Pretexting go hand-in-hand. The success of Spear Phishing revolves around a successful Pretexting attempt. Similarly, a Whaling Attack goes further and targets a high-level employee of an organization, such as the CEO or CFO.
Verizon published its Data Breach Investigations Report (DBIR) in 2018. The report revealed that Phishing and Pretexting accounted for 93% of the social breaches, and email was the leading medium of attack. As alarming as it may sound, the number of attacks and phishing techniques has only grown since then.
Conclusion – How to Safeguard Information
For every individual, staying updated on the latest cybercrimes and the techniques deployed to carry them out helps prepare for the worst. Employees must always be trained to recognize and expect phishing scams. There must always be clear protocols for carrying out certain actions, such as money transfers and sharing of confidential information.
Pretexters hope to hook you with a convincing story and identity; adding verification to the process destroys the entire pretext immediately. If you receive an email or call claiming to be from a close associate, hear it out, then verify by calling the person’s supervisor or the company. If someone visits you and claims to be from an IT company that has been sent to upgrade or do routine maintenance on the organization’s infrastructure, always call up the company and verify. Similarly, banks will never call you and ask for personal information over the phone.
Make it a practice to limit the amount of information you share about yourself on the internet and always be aware of security risks. A VPN helps prevent data theft on unsecured networks such as public Wi-Fi hotspots by encrypting data.