Do you ever receive suspicious phone calls, fraudulent texts, or emails from strangers asking for personal information? Or perhaps you’ve received a message that appears to come from your bank or financial institution asking you to confirm your account details. If so, you may have been the target of pretexting, a dangerous social engineering attack.
Pretexting isn’t new; con artists and spies have used it for decades. However, the rise of the internet has made it easier than ever to create fake personas and storylines. So, let’s look at what pretexting is, some common examples, and how to prevent pretexting attacks.
What is Pretexting?
Pretexting is a type of social engineering attack in which a threat actor assumes a fake persona or invents a situation to trick an individual or organization into handing over sensitive data or performing an action that benefits the attacker. What distinguishes pretexting is the story, or pretext, that the threat actor builds so the request seems legitimate.
In pretexting attacks, the attacker poses as someone else, such as a trusted authority figure or a bank employee, to earn the target’s trust and gain access to sensitive information. Pretexting is a deliberate, often elaborate method of stealing personal details, financial data, and corporate secrets. It’s frequently combined with other social engineering techniques to achieve a larger goal, such as obtaining unauthorized access to a system or network.
What Are the Common Pretexting Attack Techniques?
Impersonation is the act of a threat actor pretending to be someone else to obtain access to sensitive data or systems. It can be done through phone calls, emails, or in-person contact. To earn the victim’s trust, the threat actor may impersonate a vendor, a senior executive, or a colleague within the company.
For instance, SIM swap fraud exploits the weakness of phone- or SMS-based two-step verification to take over victim accounts. The threat actor impersonates the victim, claims to have lost their phone, and convinces the mobile provider to move the victim’s phone number to a SIM the attacker controls. From then on, the attacker, not the victim, receives the one-time passcodes sent by text, which is why SMS should not be the only second factor protecting a valuable account.
Phishing is an email-based attack that uses a fake login page or website to trick the target into giving away sensitive data such as usernames, passwords, or credit card numbers. The page is designed to look genuine, making it hard for the user to recognize the scam. Phishing and pretexting are different things, but they are often used together: a phishing email typically rests on a pretext.
Pretexting increases the chance that a phishing attempt succeeds; for instance, if the target employees believe they’re dealing with a manager or a known contractor, they are more likely to comply. Compromised employee accounts can then be used to launch further pretexting scams against specific individuals through spear phishing.
Tailgating is a social engineering attack that lets the attacker gain physical entry to a restricted area without proper identification or approval. The actor may pretend to be an employee, a contractor, or a delivery person to get into a secured area.
Alternatively, the attacker may slip into a facility behind an authorized employee, or jam a foot or another object against a door before it has fully closed and locked. Once inside, the threat actor can steal valuable information or install malicious software on the facility’s systems.
Vishing is a voice-based social engineering technique that uses phone calls to trick a target into disclosing sensitive data or performing an action that compromises their systems. The threat actor usually impersonates a trusted entity, such as a service provider or a bank, and then manipulates the target into sharing personal data or making a financial transaction.
For instance, a typical vishing operation involves the attacker calling victims while posing as an Internal Revenue Service (IRS) officer. The attacker uses threats or intimidation to scare the target into handing over sensitive or personal information.
IRS vishing operations often target older adults. However, anyone may fall for a scam if they aren’t well-informed.
Baiting is a physical attack in which the attacker leaves an item such as a CD or a USB drive in a commonly visited location, such as a bus station, lobby, or bathroom, where an unsuspecting victim is likely to find it.
The item carries malware that infects the target’s computer as soon as it is plugged in. To make it more appealing, the bait is often labelled with enticing titles such as “HR Salary Details,” “Company Confidential Information,” or “The Company’s Secrets.”
Piggybacking is a lot like tailgating. In this case, the authorized person knows about the threat actor and allows them to “piggyback” on their credentials. For instance, an authorized person arrives at the facility’s entrance.
The attacker asks for help, claiming to have forgotten their access badge. In another variation, the attacker is carrying heavy boxes and cannot reach the door. Either way, an authorized person may hold the door and let the attacker into the facility.
Scareware attacks victims with false alerts and fictitious threats. The target is tricked into believing that malicious software has infected their computer and is then prompted to download and install a “fix” that is itself malware, or software from which the attacker profits.
For instance, a typical scareware attack displays a legitimate-looking popup ad in the browser of an unsuspecting victim. The ad shows a message such as “Your computer might be infected with malware programs.” The scareware then offers to install a specific tool (often malware itself) or leads the victim to a malicious website where the computer becomes infected.
Common Pretexting Attack Examples
1. Banking Scams
Banking scams involve the threat actor impersonating financial institutions or a bank representative to obtain access to the bank account information of a target or steal their money. The actor may use phishing emails, phone calls, or fake websites to trick the target into revealing their login credentials or personal information.
2. Cryptocurrency Scams
This scam is common on social networking platforms. A threat actor messages a target posing as a successful investor and offers them a chance to “get rich quick.” The threat actor may even build a convincing website complete with fake reviews to earn the target’s trust.
When the target sends money and later tries to withdraw some of it, the attacker claims the withdrawal cannot be processed until taxes or fees are paid, or because the account balance is insufficient.
3. Tech Support Scams
Tech support scams involve the threat actor pretending to be a technical support agent or a representative of a genuine tech firm to access the victim’s computer or steal personal data. The threat actor may use phishing emails, popup messages, or phone calls to trick victims into sharing their login credentials or giving remote access to their computers.
4. Romance Scam
A romance scam is a social engineering attack that manipulates feelings such as love. Such scams often target older people, whom the attackers regard as easier targets.
In a romance pretext, the threat actor pretends to be a potential romantic partner and slowly gains the victim’s trust over weeks or months. Eventually, they ask the victim for a large loan to cover an emergency, a plane ticket, or a hospital bill.
5. Whaling Attack
A whaling attack is a social engineering attack that specifically targets high-ranking executives or employees to obtain access to valuable assets or steal sensitive information.
Attackers either impersonate organization leaders, such as the CEO, CFO, or other top-ranking officials, to target employees, or they target the executives themselves. By pretending to conduct legitimate business, they may obtain sensitive information or trigger large financial payments.
Tips on How to Prevent Pretexting
1. Educate Employees
Run training and awareness campaigns on phishing and the risks of pretexting attacks to educate your employees. Also teach them how to identify suspicious information requests and how to confirm the requester’s identity before acting.
2. Implement Strict Access Controls
Limit each employee’s access to the data they need to do their job, and use role-based access control so that sensitive data is available only to the roles that require it. Least privilege limits what an attacker gains even when a pretext succeeds against one employee.
3. Use Encryption and Secure Communication Channels
Use encryption and secure communication channels, such as VPNs or end-to-end encrypted messaging applications, to protect sensitive information in transit. Note that encryption only protects data from interception; it does not stop an employee who has been convinced to hand the data over, which is why the other measures on this list matter.
4. Have a Formal Incident Response Plan
Create a formal incident response plan that details what to do in the event of a social engineering attack. It should cover reporting the incident to management and, where appropriate, to the authorities, investigating the pretext and what was disclosed, and mitigating the effects of the attack.
5. Verify Identities
Employees should verify a requester’s identity through a separate channel before disclosing sensitive information, for example by confirming the request with a supervisor or by calling the person back on their office phone number. The callback number must come from the internal directory, not from the request itself, since an attacker will happily supply a number that reaches them.
6. Monitor and Audit Access
Log access to sensitive data and review the logs regularly for suspicious behavior, such as access outside a user’s role, access at unusual hours, or an unusual volume of records being read by one account.
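The following is an added example, not code from the original article. It combines tips 2 and 6: a deny-by-default role-based policy is checked against a handful of constructed, syslog-style access-log lines, and the audit flags the three behaviours just described (access outside the role, off-hours access, and bulk reads of sensitive records). The log format, field names, roles, business hours and threshold are all assumptions for the illustration.

```python
"""Audit access-log lines for pretexting indicators (added example).

Assumed log format, one event per line:
    <ISO-8601 UTC ts> user=<u> role=<r> resource=<res>[:<record-id>] action=<a>
Roles, policy, business hours and the bulk threshold are constructed for
illustration and would come from your own IAM and logging stack.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: one clear violation, one off-hours write, one
# unlisted action, one account reading many records, and one malformed line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice role=finance resource=payroll action=read
2024-03-04T09:15:44Z user=bob role=helpdesk resource=payroll action=read
2024-03-04T10:02:13Z user=carol role=hr resource=employee_records:1001 action=read
2024-03-04T22:47:09Z user=alice role=finance resource=payroll action=write
2024-03-04T13:01:00Z user=dave role=helpdesk resource=tickets action=write
2024-03-04T14:20:05Z user=carol role=hr resource=employee_records:1001 action=export
2024-03-04T15:00:01Z user=erin role=hr resource=employee_records:2001 action=read
2024-03-04T15:00:09Z user=erin role=hr resource=employee_records:2002 action=read
2024-03-04T15:00:15Z user=erin role=hr resource=employee_records:2003 action=read
2024-03-04T15:00:21Z user=erin role=hr resource=employee_records:2004 action=read
this line is malformed and must be skipped rather than crash the audit
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"resource=(?P<resource>[^:\s]+)(?::(?P<record>\S+))? action=(?P<action>\S+)$"
)

# Deny-by-default policy (assumed): a role may only do what is listed here.
POLICY = {
    "finance": {("payroll", "read"), ("payroll", "write"), ("invoices", "read")},
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
    "hr": {("employee_records", "read"), ("payroll", "read")},
}
SENSITIVE = {"payroll", "employee_records"}
BUSINESS_HOURS = (8, 18)  # 08:00 to 17:59 UTC, assumed
BULK_THRESHOLD = 3        # more distinct sensitive records than this is flagged


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Role-based check: unknown roles and unlisted (resource, action) pairs are denied."""
    return (resource, action) in POLICY.get(role, set())


def parse_log(text: str) -> list:
    """Parse log lines into event dicts; malformed lines are skipped, not raised."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a production audit would count and report these too
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def audit(events: list) -> list:
    """Return (indicator, user, detail) tuples for every suspicious event."""
    findings = []
    records_read = defaultdict(set)  # user -> distinct sensitive record ids read
    for e in events:
        if not is_allowed(e["role"], e["resource"], e["action"]):
            findings.append(("policy_violation", e["user"],
                             f"{e['role']} {e['action']} {e['resource']}"))
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("off_hours", e["user"], e["ts"].isoformat()))
        if e["resource"] in SENSITIVE and e["action"] == "read" and e["record"]:
            records_read[e["user"]].add(e["record"])
    for user, ids in records_read.items():
        if len(ids) > BULK_THRESHOLD:
            findings.append(("bulk_read", user, f"{len(ids)} distinct records"))
    return findings


if __name__ == "__main__":
    for indicator, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{indicator:17} {user:6} {detail}")
```

Run on the sample log, the audit reports bob’s helpdesk read of payroll, alice’s 22:47 write, carol’s export (an action her role is never granted) and erin’s four-record sweep, while the malformed line is ignored. The point of the deny-by-default policy is that an attacker who talks an employee into doing something outside their role leaves a policy violation in the log even if the request itself looked plausible.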