Social Engineering: What is pretexting?
Pretexting is another form of social engineering in which attackers focus on creating a good pretext, a fabricated scenario they can use to try to steal their victims’ personal information. These attacks commonly take the form of a scammer who pretends to need certain bits of information from the target in order to confirm the target’s identity.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, clergy, insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one’s feet to create a pretextual scenario.
Pretexting attacks are commonly used to gain both sensitive and non-sensitive information. Back in October, for instance, a group of scammers posed as representatives of modeling agencies and escort services and invented fake background stories and interview questions in order to get women, including teenage girls, to send them nude pictures of themselves, which the scammers later sold to pornographic businesses for large sums of money.
One of the most important aspects of social engineering is trust. If you cannot build trust, you will most likely fail. A solid pretext is an essential part of building trust. If your alias, story, or identity has holes or lacks credibility, or even the perception of credibility, the target will most likely catch on. Like inserting the proper key into a lock, the right pretext provides the proper cues to those around you; it can disarm their suspicions or doubts and open doors, so to speak.
DEFENDING YOURSELF!
Like any other defense to social engineering, you must be proactive and not reactive.
Pretexting – Liars Don’t Actually Get Longer Noses!
If you receive an e-mail from someone saying that a maintenance worker will be swinging by, contact the sender’s company, not the sender. Give them a ring and verify that they are actually sending someone. If you are home when the worker arrives, ask to speak to their supervisor, but don’t take their word for it: ask for the company’s corporate number and the supervisor’s name so that you can call from your own personal phone. It may seem rude, but if the visitor is a social engineer, your best defense is to punch holes in their fantasy world.
The same applies to websites advertising events and expos. Call the event center and ask about the event; go straight to the source. It should raise red flags when you notice that only cash and PayPal are accepted.
In any event, your best measure of protection is to go to the source of the pretext. If the social engineer is using pretexting, their weakest point is the fact that the source doesn’t exist; it is all fabricated.