Some cybercriminals should have become actors instead because they clearly like to pretend to be someone they’re not.
Such cybercriminals are constantly coming up with all sorts of made-up situations, called pretexts, trying to convince their victims to divulge sensitive information, grant access to protected systems, or perform some other action that’s guaranteed to have unfortunate consequences.
Let’s take a look at what makes these so-called pretexting attacks so effective that many organizations are still struggling to keep them at bay.
What Is Pretexting?
Pretexting is a social engineering attack where an attacker fabricates a scenario to trick the victim into taking some action that benefits the attacker, such as providing their credit card details, installing an infected software application, or approving an invoice to be paid.
Unlike many other social engineering attacks, pretexting doesn’t depend on any specific digital channel. As long as the attacker somehow communicates the pretext (via email, in person, or over the phone) and successfully convinces the victim to believe it, they can achieve their nefarious objectives.
How Does a Pretexting Attack Work?
Pretexting works by making its victims unknowingly participate in made-up scenarios without them realizing it. For that to happen, two main conditions must be met:
The scenario must be believable.
The attacker must play their role well.
An attacker could call an employee, introduce themselves as their future son, and ask the employee to infect the company network with malware to stop it from turning into Skynet, but nobody would take such a request seriously.
However, if the same attacker introduces themselves as a member of the company’s IT department and claims that there is a security threat that requires urgent action, the employee may be more likely to comply with their requests.
That’s especially true if the attacker is able to provide some convincing details or evidence to support their story. Such information can be obtained by dumpster diving behind the office building or by doing research on social media.
Pretexting vs. Phishing
In most cases, both pretexting and phishing involve fabricated scenarios communicated by an attacker pretending to be someone else in order to gain the victim's trust. The difference is that phishing attacks always happen via email, whereas pretexting attacks can happen through various channels such as phone calls, text messages, or in-person interactions.
Examples of Pretexting
The following three examples of pretexting are supposed to illustrate the wide range of different pretexts employees may encounter and potentially become deceived by:
An attacker visits a company in person dressed like a fiber technician, claiming that maintenance work is scheduled on the company's fiber line. The attacker asks the receptionist to direct them to the server room, where they install a backdoor so they can access the system remotely later.
An attacker sends an email that appears to be from the company's provider of cloud-based accounting software. The email contains an account verification link and a detailed explanation of a cybersecurity incident that supposedly occurred in the provider's system. In reality, the link leads to a fake website designed to steal the victim's login information.
An attacker uses an AI tool to clone an executive's voice using footage that's publicly available on YouTube. The attacker then calls the company to falsely authorize a payment to a foreign bank account. This last pretexting example has really happened, and it cost the victim, a United Arab Emirates bank, $35 million dollars.
How to Protect Against Pretexting Attacks
Pretexting and other social engineering attacks exploit the following weaknesses in human defenses:
Lack of awareness:
Employees are not always aware of the threats they may encounter and the consequences such encounters can lead to.
Neglect of cybersecurity best practices:
Even when employees are aware of the threats they face, they sometimes ignore basic cybersecurity best practices because they don't consider them to be important enough.
Being naturally trusting:
Some employees are naturally more trusting than others, which makes them vulnerable to the tactics used in pretexting attacks.
To strengthen their human defenses and make it harder for attackers to exploit the above-described weaknesses using pretexting and other social engineering attacks, organizations should focus on the following defensive measures:
Employee Training:
Employees should be aware of the different types of pretexting attacks and how they work. To gain this awareness, they can participate in mandatory cybersecurity awareness training sessions organized by a provider of security services.
Policies and Procedures:
Organizations should develop clear policies and procedures for verifying the identity of anyone who requests sensitive information, access to systems, or attempts to perform some other action that could result in a security incident.
Access Controls:
It's paramount for organizations to restrict access to sensitive systems and data by implementing robust access controls, such as multi-factor authentication (MFA). That way, even something as serious as a leaked password won't necessarily lead to a data breach.
By implementing these and other best practices, organizations can much better protect themselves against pretexting attacks and avoid their potentially devastating consequences.
How TechGen Can Help!
Pretexting attacks are a significant threat to organizations, and without proper protective measures in place, they can result in serious consequences. It’s important to remember that the success of these attacks largely depends on human vulnerabilities, so addressing them should be every organization’s top priority.
At TechGen, we can help you train your employees to recognize pretexting attacks before they can cause any harm to your organization, develop and implement policies and procedures, as well as deploy access controls tailored to your organization’s needs, among other things.
Don’t let cybercriminals take advantage of your organization’s vulnerabilities. Contact us today to eliminate them.