Pretexting: definition and examples | Social engineering
WHAT IS PRETEXTING?
Pretexting is another form of social engineering in which attackers focus on creating a good pretext, a fabricated scenario, that they can use to try to steal their victims’ personal information. These attacks commonly take the form of a scammer pretending to need certain information from the target in order to confirm the target’s identity.
HOW IS IT DONE?
Pretexters can impersonate co-workers, police officers, bankers, tax authorities, clergy, insurance investigators, etc. Simply put, anyone the targeted victim sees as having authority or a right to know. The pretexter must simply prepare answers to questions that the victim might ask. Sometimes an authoritative voice, an earnest tone, and an ability to think on one’s feet are all that is needed to create a pretextual scenario.
Pretexting attacks are commonly used to gain both sensitive and non-sensitive information. Back in October, for instance, a group of scammers posed as representatives of modeling agencies and escort services. They invented fake background stories and interview questions to make women and teenage girls send them nude pictures of themselves. Later, they sold those pictures to pornographic businesses for large amounts of money.
One of the most important aspects of social engineering is trust. If you cannot build trust, you will most likely fail. A solid pretext is an essential part of building trust. If your alias, story, or identity has holes, or lacks credibility or even the perception of credibility, the target will most likely catch on. Similar to inserting the proper key in a lock, the right pretext provides the proper cues to those around you, disarms their suspicions or doubts, and opens the doors, so to speak.
DEFEND YOURSELF AGAINST PRETEXTING!
Like any other defense to social engineering, you must be proactive and not reactive.
Pretexting – Liars Don’t Actually Get Longer Noses!
If you receive an e-mail from someone saying that a maintenance worker will be swinging by, contact the sender’s company, not the sender. Give them a ring and verify that they are sending someone. If you are home when the worker arrives, ask to speak to their supervisor; don’t take their word for it. Ask for the company’s corporate number and their supervisor’s name, so that you can call from your own personal phone. It may seem rude, but if they are a social engineer, your best defense is to punch holes in their story.
The same applies to websites advertising events and expos. Call the event center and ask about the event; go straight to the source. Beware of any website that only accepts cash or PayPal.
In any event, your best measure of protection is to go after the source of the pretext. If the social engineer is using pretexting, their weakest point is the fact that their source doesn’t exist; it’s all fabricated.
Common Pretexting Techniques
Phishing is another social engineering scam that seeks to steal personal data, such as usernames, passwords, banking details, etc. Like pretexting, it involves building trust with victims by using fake emails, fake phone calls, and generally imitating personnel who have authority. Usually, perpetrators will send you an email posing as your bank and telling you to click a link to change your credentials, when in reality they are stealing them.
Smishing is very similar to phishing, but this social engineering scam uses SMS texts as opposed to emails and links. Hence the name SMSishing. It tends to be more effective because getting hold of someone’s email address these days is easy: it could be that your email was leaked in a data breach and sold on the Dark web. A phone number, however, is a bit more intimate, so an SMS from your bank or another service already creates a sense of connection and trust.
Voice phishing (vishing) is another form of phishing, but this time by voice. The social engineer impersonates the same services that phishing does, but now you have a person on the other end of the line instead of links and emails. With the right tone, the right questions, and some patience, this can be really effective against unaware individuals, especially older people who do not use email and SMS texts.
Example #1 Internet service provider
A guy poses as an employee of your internet provider. He could easily trick you by saying that he came for a maintenance check. If you are like the average Joe, you don’t know much about network maintenance, only that it is required so you can keep watching Netflix. Hence you are going to fall for it and let him “work”. What you can do in this scenario is question him and say that nobody informed you that such a visit would occur. You can take this a step further and ask him what internet plan you are subscribed to, or other questions that only a real employee would know the answer to.
Example #2 Gift card eligibility
You get an email with the subject GOOD NEWS!!, you open it, and you see that you are eligible for a free gift card. Great, right? Who doesn’t like free stuff, especially gift cards? You see a link inside that says to fill in your details so it can be delivered to you.
It requires first/last name, address, etc. However, ask yourself: if someone says you are eligible for a gift card, wouldn’t they already know your details? On what grounds are you eligible? What did you do for it? Did you enter a competition somewhere? This is the part that is extremely fishy and should smell wrong from the get-go.
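The bank-phishing pretext and the gift-card example share the same tells: an unexpected reward or an urgent subject, a request for personal details or credentials, and a link whose domain does not match the organization the sender claims to be. The following Python triage script is an added example, not code from the original article or from Mailfence; it parses constructed sample messages (the addresses, domains and wording are invented for the demonstration) and reports which of those tells each message shows, so that a reader can see the checks from the examples above applied mechanically.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases drawn from the pretexts described in the article: an unsolicited
# "you are eligible" reward, a request to fill in personal details, and a link
# that asks you to change your bank credentials.
PII_TERMS = ("first name", "last name", "address", "password", "credentials",
             "date of birth", "card number", "fill in your details")
LURE_TERMS = ("eligible", "free gift card", "you have won", "good news")
CREDENTIAL_TERMS = ("change your credentials", "change your password",
                    "verify your account", "confirm your identity")
URL_RE = re.compile(r'https?://[^\s<>"]+')

# Constructed sample messages (not real mail); domains are placeholders.
GIFT_CARD = """\
From: Rewards Desk <rewards@prize-center.example>
To: you@example.org
Subject: GOOD NEWS!!

You are eligible for a free gift card!
Fill in your details here so we can deliver it:
http://claim-now.example.net/form
"""

BANK_PHISH = """\
From: Example Bank Security <security@example-bank.com>
To: you@example.org
Subject: Action required on your account

We detected unusual activity. Please click the link below to change your credentials:
https://example-bank.com.verify-login.example/account
"""

LEGIT = """\
From: Example Bank <notices@example-bank.com>
To: you@example.org
Subject: Your monthly statement is available

Your statement is ready in online banking. If you have questions, call the
number printed on the back of your card.
"""


def _body(raw_message: str) -> str:
    msg = message_from_string(raw_message)
    # Samples are single-part; a multipart mail would need each part walked.
    return msg.get_payload() if not msg.is_multipart() else ""


def sender_domain(raw_message: str) -> str:
    """Domain of the From: address, lower-cased ("" if there is none)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_hosts(raw_message: str) -> list:
    """Hostnames of every http(s) link found in the body."""
    return [urlparse(u).hostname or "" for u in URL_RE.findall(_body(raw_message))]


def _same_org(host: str, domain: str) -> bool:
    # Exact match or a real subdomain; "example-bank.com.verify-login.example"
    # is NOT a subdomain of "example-bank.com".
    return host == domain or host.endswith("." + domain)


def red_flags(raw_message: str) -> dict:
    """Map each pretexting tell from the article to whether the message shows it."""
    subject = message_from_string(raw_message).get("Subject", "")
    text = subject.lower() + "\n" + _body(raw_message).lower()
    domain = sender_domain(raw_message)
    hosts = link_hosts(raw_message)
    return {
        # Shouting subject line such as "GOOD NEWS!!"
        "urgent_subject": "!!" in subject or subject.isupper(),
        # Unsolicited reward that still needs something from you
        "reward_lure": any(t in text for t in LURE_TERMS),
        "asks_personal_details": any(t in text for t in PII_TERMS),
        # Bank-style pretext: a link that wants you to change credentials
        "credential_link": bool(hosts) and any(t in text for t in CREDENTIAL_TERMS),
        # Links pointing somewhere other than the sender's own domain
        "link_domain_mismatch": any(h and not _same_org(h, domain) for h in hosts),
    }


def pretext_score(raw_message: str) -> int:
    """Number of tells present; the article's advice is to verify via the source either way."""
    return sum(red_flags(raw_message).values())


if __name__ == "__main__":
    for name, sample in (("gift card", GIFT_CARD), ("bank phish", BANK_PHISH), ("statement", LEGIT)):
        print(name, pretext_score(sample), red_flags(sample))
```

The score is a triage aid, not a verdict: a message with zero tells can still be a pretext, which is why the article's advice to go straight to the source (a number you already have, not one from the message) still applies. The domain check deliberately treats `example-bank.com.verify-login.example` as foreign to `example-bank.com`, the usual trick of putting the trusted name at the front of a look-alike hostname.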
Pretexting is not limited to these examples; scammers will always come up with new pretexting techniques. Your best response is to arm yourself with knowledge and be aware that such scams will always exist and will take many forms.
– Mailfence Team