Social Engineering: What is Pretexting?
A pretexting attack is a specific kind of social engineering focused on creating a good pretext, or a fabricated scenario, that scammers can use to trick their victim into giving up their personal information.
Let’s have a look at some pretexting examples and how to prevent this kind of social engineering.
What is pretexting?
Pretexting is based on trust. Pretexters can impersonate co-workers, police officers, bankers, tax authorities, clergy, insurance investigators, etc. Simply put, anyone whom the targeted victim perceives as having authority or a right to know. These attacks commonly take the form of a scammer pretending to need certain information from their target in order to confirm the target’s identity. The pretexter must simply prepare answers to the questions the victim might ask. Sometimes, an authoritative voice, an earnest tone, and an ability to think on one’s feet are all that is needed to create a pretextual scenario.
Attackers pretend to have some authority over you and then ask for both sensitive and non-sensitive information. Back in 2020, a group of scammers posed as representatives of modeling agencies and escort services. They invented fake background stories and interview questions to make women and teenage girls send them nude pictures of themselves. Later, they sold those pictures to pornographic businesses for large amounts of money.
As a pretexting attack is based on trust, attackers trick their victims into giving up their personal information.
One of the most critical aspects of social engineering is trust. If you cannot build trust you will most likely fail. A solid pretext is an essential part of building trust. If your alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on. Similar to inserting the proper key in a lock, the right pretext provides the proper cues to those around you and can disarm their suspicions or doubts and open up the doors, so to speak.
- Example #1: Internet service provider
A person is posing as an employee of your internet provider. They could easily trick you by saying that they came for a maintenance check. If you are like the average Joe, you don’t know much about network maintenance, only that it is required so you can keep watching Netflix. Hence, you are likely to fall for it and let them “work”. What you can do in this scenario is ask questions and say that nobody informed you that such a visit would occur. You can take this a step further and ask what internet plan you are subscribed to, or other questions that only a real employee would know the answer to. Check their credentials and call your internet provider directly.
- Example #2: Gift card eligibility
You get an email with the subject “GOOD NEWS!!”. You open it and see that you are eligible for a free gift card. Great, right? Who doesn’t like free stuff, especially gift cards? Inside there is a link that says “fill in your details” so the card can be delivered to you. Alternatively, an attacker may first check the victim’s availability, to determine whether the chosen victim is useful and to establish a rapport.
The form asks for your first and last name, address, etc. However, ask yourself: if someone says you are eligible for a gift card, wouldn’t they already know your details? On what grounds are you eligible, and what did you do to earn it? Did you enter a competition somewhere? This is the point at which you should sense that it is likely a scam.
Pretexting is not limited to these examples; scammers will always come up with new pretexting techniques. Your best response is to arm yourself with knowledge and be aware that such scams will always exist and will take many forms.
How to prevent Pretexting?
Scammers exploit human weaknesses to steal your personal information. We do what we can to protect users from this kind of threat (see, for example, our DMARC enforcement strategy), but this is not enough. To help you educate yourself against all kinds of social engineering, we suggest you follow our email security and privacy awareness course. We strongly advise you to keep yourself informed about social engineering, especially since it is one of the most common threats to online privacy and digital security.
If you receive an email from someone saying that a maintenance worker will be swinging by, contact the sender’s company, not the sender. Give them a ring and verify that they are sending someone. If you are home when the worker arrives, ask to speak to their supervisor; don’t take their word for it. Ask for the company’s corporate number and their supervisor’s name, so that you can call from your own phone. It may seem rude, but if they are a social engineer, your best defense is to punch holes in their story.
The same applies to websites advertising events and expos. Call the event centre and ask about the event; go straight to the source. Beware of any website that only accepts cash or PayPal.
Like any other defence to social engineering, you must be proactive and not reactive.
In any event, your best measure of protection is to go after the source of the pretext. If the social engineer is using pretexting, their weakest point is the fact that their source doesn’t exist; it is all fabricated.
Common Techniques similar to Pretexting
All social engineering attacks are pretty similar because they are all based on trust, just like pretexting. However, they all have their specificities. Sometimes, a phishing attack (for example) can be combined with a pretexting attack.
Phishing is another social engineering scam that seeks to steal personal data, such as usernames, passwords, banking details, etc. Using fraudulent websites, fake emails, fake phone calls and the like, perpetrators attempt to steal your personal data, most commonly passwords and credit card information. Just like pretexting attacks, phishing attacks are based on trust. However, phishing attacks also tend to trick their victims by creating a false sense of urgency.
Smishing is very similar to phishing, but this social engineering scam uses SMS texts instead of emails and links, hence the name (SMS phishing). It tends to be more effective, since obtaining someone’s email address these days is easy: your email address may have been leaked in a data breach and sold on the dark web. A phone number, however, is a bit more intimate, so it already creates a sense of connection and trust when you receive an SMS from your bank or another service.
Vishing is another form of phishing, but this time it is done by voice, hence the name. The social engineer impersonates the same services that phishing does, but this time you have a person on the other end of the line instead of links and emails. With the right tone, the right questions and some patience, this can be really effective against unaware individuals, especially older people who do not use email or SMS texts.
Whaling is comparable to phishing, except that the victims are specifically targeted as ‘whales’ due to their high rank at a valuable organization. Phishing scams, by contrast, are sent out en masse.
As scammers exploit human weaknesses, taking measures and following good practices is valuable, but it does not guarantee that your mailbox will never be compromised. In case of a hacked account, don’t panic: follow these steps to regain control.
At Mailfence, not only do we aim to make our platform more private, secure and encrypted, but we also try to make our users aware of the importance of improving their email security and privacy in general.
– Mailfence Team
Salman works as an information security analyst for Mailfence. His areas of interest include cryptography, security architecture and design, access control and operations security. You can follow him on LinkedIn @mohammadsalmannadeem