Social engineering attacks almost doubled between November 2021 and October 2022, Verizon’s 2023 Data Breach Investigations Report found, making up 17% of all breaches. This is in no small part due to a surge in the use of pretexting, phishing’s “more complicated cousin,” which accounted for half of the social engineering incidents analyzed.
But what is pretexting in cybersecurity and how is it different from phishing? What are examples of pretexting techniques and how does pretexting work? In this article, this is what we’re taking a closer look at, from defining pretexting as a social engineering tactic to exploring how to prevent pretexting as a business that’s not looking to become a statistic.
What is pretexting? Meaning and key facts
So what is a pretexting attack? Pretexting is a social engineering technique used to trick victims into divulging sensitive information or granting access to secure systems. By definition, pretexting involves the creation of a false pretext or scenario to manipulate targets into giving up confidential data or performing other actions that can compromise their own security – or that of the organization they work for.
Pretexting is nothing new, CSO Online points out. In the UK, it’s known as “blagging,” a shady practice tabloid journalists have been using to dig up dirt on celebrities and politicians for decades. It famously came under fire in 2011 after allegations that journalists from multiple papers had been “blagging” access to the bank account, legal file and voicemail of former prime minister Gordon Brown.
In cybersecurity, pretexting can be considered one of the earliest forms of social engineering, which was thrust into the spotlight in the 2006 Hewlett-Packard spying scandal. The incident led to the company acknowledging that the investigators it hired to find the source of an information leak had used pretexting to access HP directors’ and journalists’ phone records, bringing down the company’s chairwoman and other top executives.
How does pretexting work?
In a pretexting attack, the scammer typically impersonates a trusted entity like a coworker, law enforcement officer, bank representative, tax authority official, or insurance investigator. By assuming a position of authority or trust, the pretexter aims to exploit human psychology and our natural inclination to comply with requests from seemingly legitimate sources.
The process of pretexting often starts with information gathering. Pretexters carefully research the target’s background, interests, and connections, as well as the character they’re looking to portray to create a convincing story. Whoever that character is, it’s usually someone who has the right to access the information requested or who can use it to help the target. This points to a paradox that’s inherent in all types of social engineering: the more attackers know about their victims before they initiate contact, the more willing the victims are to give up information – and the more valuable the information they’re willing to share.
The pretexter then gets in touch with the target, usually through phone, email, text, or a messaging service, to establish rapport and build trust. During these interactions, they present a plausible reason for seeking sensitive information, including login credentials, bank details, or confidential business documents. The “pretext” can be any scenario that’s believable enough to persuade people into giving up such information. Think: a technical support agent claiming to fix a non-existent IT issue, a bank officer calling to verify account details for a supposed suspicious activity, or HR personnel conducting routine data verification.
Alternatively, targets might be asked to perform actions that could compromise security, like downloading and executing malicious files or granting unauthorized access to systems. The end goal, however, is always sinister: obtaining private individuals’ social security numbers or bank account details, corporate trade secrets or financial information. Once the attacker gets their hands on these, they can commit identity theft, financial fraud, or corporate espionage. Pretexting tactics can also be used to gain unauthorized access to IT systems for malicious activities such as ransomware attacks or data breaches.
The most common pretexting attack techniques, explained
Phishing, according to the US National Institute of Standards and Technology, is a technique cybercriminals use to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or through a website while posing as a legitimate business or reputable person. Email is by far the most commonly exploited phishing attack vector and scam links are almost always involved.
Vishing refers to scams where fraudsters use telephony and voice technology to steal personal information or money from their targets. A classic example is when a scammer, pretending to be a credit card company representative, calls targets to alert them of unusual activity on their account and ask them to provide personal information to verify their identity.
Baiting, by contrast, entices victims with the false promise of a reward. The bait can be a physical object, such as a seemingly lost USB drive with an “Employee Salary Details” label and a company logo on it, or digital, for example, an “exclusive” online offer. Once the target bites, that is, they plug the USB stick into their personal or company device or click the link in the fake ad, they inadvertently download malicious software.
Piggybacking involves attackers manipulating or posing as a trusted individual to bypass security measures and gain unauthorized access to secure systems or buildings, whether it’s through an unlocked device or someone’s kindness or naivety. This form of pretexting is prevalent in both physical and digital breaches, highlighting the importance of strong security protocols and employee awareness in preventing it.
Scareware is a type of malicious software that uses social engineering tactics to cause shock, anxiety, or the perception of a threat, in order to manipulate users into visiting a fake website or buying or downloading malware. It often appears in the form of a pop-up message on the target’s computer, claiming that an infected file has been detected and prompting them to fix a fictitious problem by installing a worthless, or downright harmful, program.
Love and other scams: pretexting attack examples you should know about
1. Impersonation scams
Often masquerading as stakeholders, external vendors, or high-ranking executives within the organization, impersonators can dupe unsuspecting staff into revealing confidential data or granting system access. In doing so, they create a sense of urgency, fear, or reward, leading to hasty actions without proper verification. For example, they might pretend to be the company CEO and pressure an employee from the financial department to settle an “overdue invoice.”
2. Account problem scams
As its name suggests, this type of pretexting involves impersonating legitimate companies, like a bank or delivery service, and contacting targets alleging that their account needs fixing or updating. Scammers also induce fear or urgency, telling victims that their subscriptions or services are at risk unless immediate action is taken. They then provide a link to a bogus website or require direct submission of login credentials and other sensitive details.
3. Dating scams
These scams begin with the attacker establishing a romantic relationship with the potential victim, more often than not via online dating platforms or social networking sites. If you’ve seen the Netflix documentary The Tinder Swindler, you know exactly what comes next. Once a deep emotional connection is established, the scammer begins to ask for money, citing various plausible scenarios such as medical emergencies, travel expenses, or even investments.
4. Cryptocurrency scams
Riding the cryptocurrency craze, pretexters have added a new role to their character portfolio: that of a well-known crypto exchange or investor. They often lure victims with lucrative investment opportunities or fabricated stories about urgent needs for cryptocurrency transactions. Their decentralized nature, anonymity, and the irrevocability of transactions make cryptocurrencies ripe for fraud, leaving victims with little recourse for recovery.
5. Tax authority scams
In recent years, over 75,000 Americans have lost $28 million in tax scams, according to the US Federal Trade Commission. Scammers use mail, telephone, and email to defraud individuals, businesses, payroll, and tax professionals, the US Internal Revenue Service advises. For example, they fake official communications and seek information “related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.”
Pretexting vs. phishing: are pretexting and phishing the same?
Yes and no. Pretexting, phishing and vishing are all considered common and effective social engineering techniques used by hackers to obtain sensitive information or access from unsuspecting targets by exploiting human weaknesses. Pretexting, however, refers to the method scammers use to trick victims into giving up sensitive information, that is, devising a compelling narrative to make their request credible. Phishing, by definition, indicates the medium through which the attack is conducted, that is, deceptive email messages and websites, or, in the case of vishing attacks, phone calls or voicemail messages.
How to prevent pretexting: 4 essential tools to fend off pretext-based social engineering attacks
1. Employee education
Regularly train and update employees on how social engineering attacks work, what warning signs to look out for and how to respond if they spot a potential pretexting attack.
2. Access controls
Limit the amount of data accessible to staff by applying the principle of least privilege. The less data each employee can access, the less they can potentially disclose.
3. Multi-factor authentication
Add an extra layer of protection by requiring users to provide more than one verification factor. This way, knowing a victim’s password won't be enough for attackers to access sensitive data.
4. Incident response plan
Have a well-defined incident response plan in place to ensure timely detection of suspicious activities, offer containment strategies, and outline steps for recovery and future prevention.