What is Pretexting? Definition and Examples

  • By Greg Brown
  • Published: Oct 14, 2022
  • Last Updated: Oct 18, 2022


Malicious code is now so prevalent that broad categories must be applied in order to drill down to specific attack types. Social engineering is a broad range of predatory activities that rely on human interaction. Cybercriminals trick users into believing some made-up scam and then try to lure sensitive information from them.

Common Social Engineering Attacks:

  • Phishing
  • Baiting
  • Business email compromise
  • Spear Phishing
  • Pretexting

Social engineering is used in nearly 98% of all attacks, accounting for a $6.9b loss. Pretexting occurs when someone misuses their actual job function or creates a fake persona. The resulting trust is used to lure the user into handing over sensitive personal information.

Edward Snowden is the classic case of social engineering. The former NSA employee infamously convinced his co-workers to send him their passwords and logins. About two dozen employees sent in their login information without question. Files stolen by Snowden were used in the national security threat and leak to the press.

No matter how strong your password or overall security credentials are, there are always vulnerabilities. Online financial institutions, subscription services, and secure email have recently elevated fraud awareness. Sophisticated hackers no longer go after hardware; instead, they attack the human loophole. 

Manipulation

Cybercriminals are finding plenty of roadblocks to online accounts. Predators are hacking "you" through impostor fraud and phishing attacks to find easy access.

Pretexting and social engineering have the same definition: manipulating an individual into revealing sensitive information. Pretexting is an attack that creates a scenario designed to make the victim give up sensitive personal information, such as a password.

Pretext Example:

An employee picks up the phone one afternoon, and their CEO is on the other end of the line. The attacker, posing as the person in power, asks whether the victim would be available for a unique project the company is setting up. The attacker’s goal is to establish a rapport quickly with the victim.

Assuming the victim responds positively, the fake CEO says an email is on its way, and they should respond with vital information as soon as possible. The attacker’s job is to convince the victim that the scenario is authentic and collect the information. 

The crucial part of the above scenario is that it was created with the victim in mind; that constructed scenario is the pretext. A good pretexting attack sets a plausible foundation or scene for the victim. It is composed of two significant elements.

  1. Convincing situation: The pretext is a sequence of believable events, developed by the social engineer, designed to manipulate the target and extract information. High-level attackers do their homework by adequately researching the target and laying the foundation.
  2. Characters: The attacker plays a role, almost like a fictitious character. In one such scam, the attacker poses as a creditor calling to get updated bank information, saying funds in the account are insufficient.

Footprinting the target, or reconnaissance, helps the attacker better understand its security footing. Many search engines, companies, and member organizations publish member rolls, employee names, email addresses, and much more.

Phishing attacks are assumed to be short-term events; however, some phishing attacks can last for months and even years. In long-term attacks, attackers try to establish a relationship with specific individuals in pursuit of specific goals. Attackers find greater success by building relationships with their target.

Social Engineering

There are many similar attacks closely associated with pretexting. These attacks all share one common element: the unsuspecting victim. Well-organized attack groups buy large blocks of names, numbers, addresses, and other information to start their scams, knowing there are plenty of vulnerable systems and individuals.

Common Attack Types:

  • Quid Pro Quo: The attacker pretends to be from the IT department or your ISP, offering to speed up your internet or asking if you would like a free trial. Fake accounts are created in the victim’s name, and the login credentials are sold on the dark web.
  • Baiting is a technique that lures the victim in by offering fake and sensitive information with the promise of something valuable in return. Attackers create fake pop-up ads giving away free games or music; the ad is clicked, and the system is infected with malware.
  • Smishing is one of the newest forms of attack with its own name. Smishing involves the same parameters as a phishing attack but in SMS form. Small form factor devices like smartphones and smartwatches are incredibly vulnerable to backdoor attacks into the main system files. Predators purchase files containing thousands of victim data points and blast their messages.
  • Whaling is another term describing an attack on a high-profile celebrity, government official, or executive. Compromising photos are used on celebrity victims, while confidential information is used in other attacks. Once the victim is convinced, they click on a link, and the malware is already past most firewalls. 

Psychological Manipulation

With this technique, attackers manipulate other people by exploiting emotions such as insecurity and by using passive-aggressive tactics to confuse and disorient the victim. With the emotional victim in hand, they ask for every piece of sensitive information the person may have.

The answer to manipulation techniques is always to be skeptical of the people and organizations you meet online. Do they have your best interests at heart? Usually not.

Everyone’s guilty of manipulation at some point in their lives. Most of these events are minor or of no importance. However, we should always watch for others trying to take advantage. That is not to say ignore others; just be cautious.

Knowing What to Expect from an Attack Helps Keep You Safe

Pretexting and other malicious social engineering strategies have thousands of variants and mutations. The total number of vicious strains, malicious code, and malware is almost incalculable, and more appear daily. It is up to the person sitting at the workstation or in front of the laptop to take a cautious security footing when they are on the internet.

Attackers found easy pickings when they decided to hack the person rather than the machine.
