Pretexting: 5 Examples of Social Engineering Tactics

Cyber attackers use pretexting scenarios, a type of social engineering, to manipulate victims in order to gain access to personal or valuable information. In this scam, the attacker creates a plausible situation or a pretext to dupe the user into revealing their personal details. Often, the victims of common pretexting attacks are members of organizations that retain customer information, such as credit card details, bank account information, and details of company transportation and utility usage. The pretexters approach companies by pretending to be clients, usually over the phone.

Pretexting has been around for ages. The practice is called blagging in the UK, where it is used by journalists to extract dirt from politicians and celebrities. Today, however, it is more often used by internet attackers to gain physical access to financial information and sensitive data from companies, financial institutions and individuals. In their attack, pretexters can use any type of communication, including email, phone calls, and text messages.

The most common forms of pretexting scam today are business email compromise and spear phishing. Pretexting is usually the first stage of a larger attack aimed at obtaining data or confidential information from the user. Many companies lose large sums of money to deceptive practices like pretexting.

Just as HIPAA protects a patient’s healthcare information and SOX protects the financial information of public companies, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. If a financial institution fails to comply with GLBA, the institution is subject to a civil penalty of not more than $100,000 for each violation.

Fortunately, Trustifi, the premier email security solution provider, detects and stops many forms of pretexting that target individuals and companies. If you were wondering how pretexting works, below are just five of the pretexting and social engineering attacks Trustifi routinely encounters and blocks.

Pretexting Examples

There are various pretexting techniques that threat actors can use to trick victims into divulging sensitive information, breaking their organization’s security policies, or abandoning common sense. Commonly used techniques include phishing (via email), vishing (via phone calls), and smishing (via text messages). Today, phishing is considered one of the most frequent forms of cybercrime. Phishing attacks lure individuals into providing valuable data such as personally identifiable information, account numbers, credit card details, and passwords. Phishing emails that target employees can lead to severe losses for their victims, including exposure of sensitive information, identity theft, and even the loss of government secrets.

Pretexters can use a variety of tactics to target organization employees and other individuals, such as psychological manipulation, false pretenses, impersonation (presenting oneself as someone else), persuasion, and other credibility-gaining techniques. Below are five pretexting examples that involve the techniques and tactics mentioned above.

1. Are You Available?

These days, everyone is busy, including hackers. Thus, it shouldn’t come as a surprise if the attacker begins the conversation with the message “Are you available?” In this way, the attacker determines the availability of their chosen victim. It is their goal to establish a rapport with the targeted victim as well as determine whether the targeted person will be useful to them.

If the victim receives such an email and responds with “Yes, I’m available,” the scammer, who poses as a trusted person, sometimes even a high-level executive, sends an email containing instructions about remitting money or purchasing gift cards. Alternatively, a sly attacker may simply initiate a friendly conversation to build more trust with their victim. If the user responds “No,” the attacker will most likely move on to the next target, since the attacker now knows the victim is not open to fulfilling their demands and will not divulge information in a timely manner.

2. Nice Seeing You

As the attacker researches the identity of both the victim (the recipient) and the person to be impersonated (the sender), they can see how the two are related. Through social media and intercepted emails, attackers can extract highly specific details that they can use effectively as a pretext.

A potential attacker could, for example, uncover a recent meeting between the targeted recipient and the impersonated sender. They exploit that private information to dupe the victim by sending a message that contains the element of familiarity: “It was nice seeing you at the meeting.” Once again, the con artist initiates a friendly conversation to gain the victim’s trust before asking for the prize, whether it be money or sensitive information.

3. I Need You To Do The Task ASAP

Imitating high-level executives is among the most common techniques used in spear phishing attempts, and spear phishing often includes a pretext message. In this attack, the user implicitly trusts the impersonated source because of the personal nature of the pretext. Thus, they act too quickly, which can lead to poor judgment. In this type of phishing, people who aren’t used to getting emails from their senior executives are often the ones who fall for it. Also known as CEO fraud, the attacker poses as the CEO and sends the victim an email demanding that the victim complete a task as soon as possible. Because the message allegedly comes from the CEO of the company, the user doesn’t hesitate before acting.

4. I’m Planning A Surprise

In this example of pretexting, the attacker tells the victim they are arranging a surprise for a client or colleague and need their help. It is a form of social engineering attack that serves two purposes: first, it makes the victim believe what they are doing is good; second, it assures the attacker that the victim will not disclose anything to anyone else. This gives the attacker the advantage of hiding the attack from others who might be more suspicious.

5. Send Me Your Phone Number

The widespread plague of business email compromise has led many organizations to require that workers authenticate wire transfers and other financial transactions by phone. A social engineering technique for obtaining a user’s phone number lets attackers hold a phone conversation with their potential victims and establish a pretext for their attack. The attacker simply sends an email to the intended target asking for that person’s phone number. Combined with email spoofing, this lets an attacker lead their victims into a “deepfake” call. Last year saw multiple cases of deepfakes. One well-known example of this attack vector occurred in the UK, where a spoofer impersonated the CEO’s voice and stole $244,000 from the company.
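As an added illustration (not Trustifi’s product or code), the following script triages constructed messages for the five lures described above together with two sender-side tells, a known executive’s display name on an address that is not theirs and a Reply-To pointing at a different domain. The organization domain, executive roster and sample messages are all assumed placeholders.

```python
import re

# All names, addresses and messages below are constructed for this example.
ORG_DOMAIN = "example.com"                          # assumed: the protected organization
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed roster of impersonation targets

# One pattern per lure described in the post, plus the money/gift-card ask.
LURES = {
    "availability_probe": re.compile(r"\bare you (available|free|around)\b", re.I),
    "false_familiarity": re.compile(r"\b(nice|good|great) (seeing|meeting) you\b", re.I),
    "urgency": re.compile(r"\b(asap|urgent|immediately|right away)\b", re.I),
    "secrecy_pretext": re.compile(r"\b(surprise|keep (this|it) (between us|quiet))\b", re.I),
    "phone_number_request": re.compile(r"\b(your|a) (cell|mobile|phone) number\b", re.I),
    "payment_request": re.compile(r"\b(gift cards?|wire transfer|remit)\b", re.I),
}

def analyze(msg):
    """Score one message (dict with from_name, from_addr, reply_to, subject, body)."""
    text = f"{msg.get('subject', '')} {msg.get('body', '')}"
    lures = [name for name, rx in LURES.items() if rx.search(text)]
    signals = list(lures)
    name = msg.get("from_name", "").strip().lower()
    addr = msg.get("from_addr", "").lower()
    # Display name of a known executive paired with an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        signals.append("executive_display_name_mismatch")
    if not addr.endswith("@" + ORG_DOMAIN):
        signals.append("external_sender")
    reply_to = msg.get("reply_to", "").lower()
    # Replies silently redirected to another domain are a common BEC tell.
    if reply_to and reply_to.rsplit("@", 1)[-1] != addr.rsplit("@", 1)[-1]:
        signals.append("reply_to_domain_differs")
    # Any executive impersonation, or a lure arriving from outside the org, warrants review.
    suspicious = "executive_display_name_mismatch" in signals or (
        bool(lures) and "external_sender" in signals)
    return {"signals": signals, "verdict": "review" if suspicious else "pass"}

SAMPLES = [  # constructed messages
    {"from_name": "Jane Doe", "from_addr": "jane.doe@webmail.example",
     "subject": "Are you available?", "body": "I need you to handle something ASAP."},
    {"from_name": "Jane Doe", "from_addr": "jane.doe@example.com",
     "subject": "Q3 numbers", "body": "Attached are the Q3 figures for review."},
    {"from_name": "Bob Vendor", "from_addr": "bob@vendor.example", "reply_to": "bob@other.example",
     "subject": "Hello", "body": "It was nice seeing you at the meeting. Can you send me your phone number?"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", analyze(m))
```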

How to Avoid a Pretexting Social Engineering Attack

Avoid becoming a victim of such scams by being aware that they can happen at any time. Whenever you communicate over the phone or through email, always double-check your information. Validating requests is the first step in identifying a potential pretexting attack. Verify that the email or phone call you received really comes from the person it claims to be from and not from a threat actor. Call the alleged sender directly, using a number you already have on file, and ask whether they sent the message.

Pretexting must be included in company training on cyber security and social engineering. Employee awareness of pretexting techniques and their common characteristics can go a long way towards better security.

The best way to prevent pretexting attempts and all other forms of cyber attacks is to implement Trustifi’s industry-leading email security solution. Inbound Shield detects pretexting attacks on the spot and prevents them from entering the user’s inbox. Trustifi’s Email Encryption service prevents would-be attackers from analyzing your company’s email traffic, further reducing the potential for a pretexting scenario. Contact a Trustifi representative today to see a free demo of their acclaimed email security solutions and learn how quickly and affordably you can protect your company from cybercriminals.