As technology continues to evolve, cybercrime is becoming increasingly sophisticated, particularly in its use of technology-related tricks. As operations become digitized, organizations are growing more vulnerable to different types of cyber-attacks, and arguably one of the most deceptive of them is pretexting. Usually, the attackers will gather information about their victims from social media and other internet sources.
Attackers can impersonate known figures such as employees, IT support, or businesses to trick individuals into divulging important information, including passwords and financial information. Pretexting in cyber security exploits human psychology, trust, and authority rather than the technical vulnerabilities that traditional hacking targets.
What is Pretexting in Cyber Security?
Pretexting is a social engineering scheme in which malicious attackers bait people into divulging sensitive information by fabricating false but believable circumstances. The fabricated scenario lets the attacker gain the target's trust and convince the target to share confidential information or perform actions that the attacker can exploit later. In doing so, an attacker will typically assume a disguise by impersonating an individual known and trusted by the victim.
In social engineering, a hacker poses as someone the victim knows and trusts, such as a coworker, delivery person, or even a government organization, to gain access to information systems or sensitive information. Pretexting in these situations may involve a face-to-face conversation and/or counterfeit email addresses, and it is often the first step of a later attempt to access a network or steal data using emails.
How Do Pretexting Attacks Work?
Maliciously constructed pretexts are based on the social engineering techniques used by con artists throughout history to manipulate victims: deception, validation, flattery, and intimidation. Understanding the goal of pretexting helps organizations better defend against these sophisticated attacks. Attackers could enhance their pretexting attack through:
Research and Information
The first step involves thorough research into the target, whether an individual or an organization. Attackers may look through public databases, social media websites, company websites, and other publicly available sources to find detailed information, such as the target's job and responsibilities, coworkers, or personal details, that helps make the attacker's pretext more believable. This preparatory step is key to developing a convincing story that resonates with the intended victim.
Impersonation/Roleplaying
After collecting sufficient background knowledge about their target, the attackers create a plausible story to suit their target. This story could involve pretending to be someone inside or outside the organization, such as an IT person performing a regular check, a financial auditor requesting sensitive account information, or even law enforcement demanding immediate attention on a sensitive matter. The key to success at this stage is presenting a story that explains why the attackers need the requested information.
Attackers play roles such as a customer, service provider, colleague, or authority figure, so that the victim feels inclined to cooperate. This exploits weaknesses in authentication processes or in trusted relationships.
Building Relationships
After making contact with the target, often through a phone call, email, or in person, the attacker uses psychological strategies to develop a rapport and establish authority within their plausible role. They may refer to specific information obtained during their research in order to heighten authenticity and lower the victim's suspicion. Attackers can employ manipulation techniques to gain legitimacy and trust with a target over a phone call, social media, or an in-person conversation.
Exploiting Emotions
Emotions like uncertainty, doubt, and fear can create urgency in any situation. Attackers can stage fake emergencies, limited-time opportunities, and more to coax targets into quick action that bypasses security constraints.
Execution of Request
With trust established through deception, the attacker then directly requests sensitive data (e.g., passwords), access permissions (to restricted systems), PINs, or financial information, or persuades victims to take actions that further compromise security (e.g., enabling remote desktop protocols).
Exit Strategy
Once the attacker has successfully obtained the sensitive information, they take the time to gather and secure it for their use, whether that use is to access financial accounts, breach secure systems, or sell the information to other malicious actors. The exit plan is executed in a way that leaves little chance of discovery or links back to them. By the time any unusual activity is brought to the attention of the targeted victim, the attacker has already destroyed any evidence of their location, leaving no visible, traceable marks.
Pretexting attacks combine careful planning and social engineering, which is the process of using research and a story crafted specifically for the person or organization to help build trust and authority.
How Do Criminals Use Pretexting?
Pretexting scenarios lie at the core of many types of cyberattacks, including:
General Phishing
Simple pretexts are often incorporated into “wide net” phishing attacks, which can be as basic as sending an email asking you to “please find the attached invoice” or any of countless variations. This tactic can be a stepping stone to a more sophisticated attack, like ransomware.
Spear Phishing
Attackers trying to acquire highly sensitive or valuable information may generate painstakingly intricate stories to make prospective victims think they are legitimate and trustworthy.
Vishing
With just a phone call and a persuasive pretext (often with phone-number spoofing), attackers can steal bank information, social security numbers, and other private information. Today, attackers can imitate the voice of almost any person using AI-powered "deepfake" tools, and they can make these deepfakes say whatever they want.
Theft and Espionage
Professional or skilled impersonators can disguise themselves as employees or contractors to fool real staff and “tailgate” into private or secure areas, where they can access valuable equipment or privileged information.
Real-World Examples of Pretexting
In the past few years, there has been exponential growth in pretexting attacks and in the impact these attacks have had on individuals and organizations of all sizes. The following examples illustrate the nuances of pretexting in cyber security, pointing out the techniques and tactics attackers use to exploit individuals and organizations for personal gain:
Deepfake CFO Impersonation (2024)
In 2024, Arup, the British engineering company, fell prey to a deepfake scam that caused a total loss of over USD $25M. A staff member initiated the transactions on the direction of a video conference call in which deepfakes posed as the company's CFO and other employees. Specifically, the staff member was duped into sending 15 transactions totaling HK $200M (almost USD 26 million) to five bank accounts in Hong Kong.
Job Offer Phishing and Extortion (2023)
As layoffs began to impact the tech sector, scammers became eager to take advantage of job seekers looking for job opportunities. Scammers impersonated real recruiters on platforms like LinkedIn and posted real job listings on fake career sites to deceive victims into filling out faux employment applications and submitting personal documents.
Twitter Scam (2020)
In 2020, Twitter experienced a major security breach that compromised accounts belonging to dignitaries such as Elon Musk, Joe Biden, and Barack Obama, as well as Apple's corporate account, all trusted figures in the eyes of society. The scammers sent tweets from these accounts asking users to send Bitcoin to certain accounts and promising to double the payment for a set amount of time, or until a specific total was received.
Ubiquiti Networks Fraud (2015)
The technology company Ubiquiti Networks, Inc. became the target of a social engineering cyber-attack in which hackers impersonated company executives to obtain various wire transfers. Using the names of top executives within Ubiquiti Networks, the pretexters sent company employees messages instructing them to wire funds to the threat actor’s bank accounts. This elaborate social engineering scheme resulted in a total loss of $46.7 million.
Best Practices: How to Prevent Pretexting
Modern email services automatically block many phishing emails, although attackers are continually thinking of new ways to get around detection. Protecting against pretexting in cyber security requires an effective strategy that involves employee training, strong verification protocols, and rigorous data access protocols:
Awareness and Employee Training
One of the best defenses against pretexting is an informed and vigilant workforce. Organizations should provide regular training to their employees about the nature of pretexting scams, common warning signs of a fraudulent request, and the importance of an attitude of skepticism in any interaction involving confidential information.
Strict Verification Processes
Organizations should implement strict policies to verify identities over the phone or through emails, particularly when communication pertains to access to personal or corporate data. Policies may include asking secret questions only known by the two parties or verifying a caller through an official list for return phone calls.
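The verification policy above can be backed by an automated check on inbound mail. The following is an added example, not part of the original article: it flags a message whose sender name matches the official directory but whose address does not, and it returns the callback number from the directory rather than from the message. The domain, directory entry, and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: a hypothetical organisation domain and official directory.
ORG_DOMAIN = "example.com"
DIRECTORY = {  # display name -> (official address, official callback number)
    "dana whitfield": ("dana.whitfield@example.com", "+1-555-0100"),
}
URGENCY = re.compile(r"\b(urgent|immediately|today|confidential|wire|transfer)\b", re.I)

# Constructed sample message imitating an executive-impersonation request.
SAMPLE = """\
From: "Dana Whitfield" <dana.whitfield@examp1e-mail.test>
Reply-To: payments@examp1e-mail.test
Subject: Urgent wire transfer

Please wire the funds today. Call me on +1-555-0199 if needed.
"""


def triage(raw_message: str) -> dict:
    """Return pretexting indicators and the callback number to use for verification."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}"

    flags = []
    entry = DIRECTORY.get(" ".join(name.lower().split()))
    if entry and addr.lower() != entry[0]:
        flags.append("known-name-unknown-address")
    if domain != ORG_DOMAIN:
        flags.append("external-sender")
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to-mismatch")
    if URGENCY.search(text):
        flags.append("urgency-or-payment-language")

    # Never call a number supplied in the message; use the directory entry only.
    callback = entry[1] if entry else None
    return {"flags": flags, "callback": callback, "hold": bool(flags)}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message with any flag is held until the requester is reached on the directory number; the phone number in the sample body is ignored by design.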
Limit Access to Sensitive Information
Implementing the Principle of Least Privilege (PoLP) throughout all levels of your organization ensures that people will have access to only the information required for their job functions. Limiting and monitoring who has access to that information minimizes damage, even when an attacker successfully tricks someone in your organization.
Improved Simulation Exercises
While simple training is good, adding simulation exercises that replicate actual pretexting attempts can enhance employees’ competency in monitoring and reporting attacks. Having a login banner that reminds staff of security policies each time they access a computer system, and sending regular emails that remind staff of the latest scams, help to maintain cyber security vigilance.
Conclusion
Pretexting in cyber security is a form of social engineering that is based on deception and manipulating trust, instead of taking advantage of a technical weakness. The attacker creates a believable story and impersonates a person of trust to gather sensitive information or access systems. Real-life incidents, such as the Deepfake CFO scam, have demonstrated how easily trust can be abused. To mitigate pretexting attacks, a company should focus on awareness, verification, and restricted data access. Employee training and realistic simulations are important in building a vigilant and security-minded workforce that can effectively defend against pretexting threats.