
What is Pretexting? Tactics, Techniques, and Prevention

Parker Byrd

With the advancement of modern technologies, and particularly the Internet, nearly every person in society has access to new opportunities. These include email, social media, online banking, and other necessities. So long as these technologies are used for good, they are making the world a better place. But technology is always a double-edged sword.

As amazing as these opportunities are, they each have risks associated with them, the least of which are computer viruses. One of the most destructive online threats is social engineering attacks. Chief among these is a technique referred to as pretexting.

In this article, we will cover everything you need to know about pretexting attacks, and most importantly, how to avoid pretexting and other social engineering attacks.

What is Pretexting?

Before we dive deeper into this article, let us define what pretexting is first.

Pretexting is a form of social engineering in which an attacker attempts to persuade a victim to divulge private information or grant access to their system. The distinctive characteristic of this type of attack is that the scammers create a story, or pretext, to manipulate the victim.

The pretext usually places the attacker in the position of someone who is in power and rightfully has access to the information requested, or someone who can use the information to assist the victim. Furthermore, that information is usually used to steal money from the victim’s bank accounts or other forms of identity theft.

In general, pretexting attacks are very similar to spear phishing, but they are two different scams. Phishing attacks tend to be done through email only, and they usually involve the victim downloading files that contain malicious code designed to gain access to or steal data from the victim’s device.

On the other hand, pretexting can be done through email, phone calls, or even physical contact, and most of the time, the victim willingly gives the requested information to the attacker.

Why is Pretexting Dangerous?

There are a few reasons why pretexting attacks are extra dangerous. Most phishing emails or other social engineering attacks are easy to spot because they are generic in nature and don't often call out things specific to the victim. Like spear phishing, a pretexting attack uses either information about the victim or creates a very convincing case for why the victim should believe it. The attacker might use known information about the victim or create an elaborate backstory that quells any suspicion the victim may have.

If a "handyman" with a ladder walks into your office, would you question it?

If a service you actually use called you about an issue with your account, would you think twice?

These are examples of how a pretexting attack uses sneaky tactics to trick you. Next, we'll dive into the pretexting process and how social engineering scams are concocted.

The Pretexting Process

Every pretexting scam occurs in three stages.

Stage 1:

The first stage is the impersonating stage. For this stage, the scammer, also called a social engineer, identifies someone to impersonate.

He could impersonate someone you already know, such as a friend, family member, or coworker. But he could also impersonate someone you don’t know, and this could be a real person or a fictional character (e.g. a customer service rep).

Stage 2:

For the second stage, the social engineer is looking for a pretext. The pretext is the reason why the person he will be impersonating would contact the victim. The pretext has to be as plausible as can be, so it will be easier for the social engineer to obtain the information he wants without making the victim suspicious.

Before contacting the victim, a social engineer will do his homework on them. This includes identifying the appropriate victim, finding their email address or other contact information, identifying where they work, what their role is, what banks they use, and so on.

Stage 3:

After the scammer identifies who he will impersonate, who the victim is, and what pretext he will use to contact the victim, he will decide on the techniques and tactics he will use to make the victim give up their valuable information, leading to things like identity theft.

Pretexting Attack Techniques and Tactics

One thing you have to know about these types of scammers is that they are quite smart, and have great psychological skills in most cases. They’ll be relying on all of these skills to make their job easier.

Here are a few psychological tactics used by pretexting scammers:

Psychological Tactics

Authority

Most people are taught not to question the authority of someone who has a higher position than theirs, and many scammers take advantage of this.

For example, if an employee of a certain company is contacted by a scammer who presents himself as the CEO, or as someone in another important role in that company, will the employee question the authority of the person who contacts him?

In most cases, he will not. Why? Because the employee does not want to get himself into trouble by doing so. So in that case, the imposter CEO can obtain all the information he demands.

Liking, Similarity, and Deception

If people like someone or have a good relationship with them, they are more likely to do favors for them. This tactic is used by social engineers when they impersonate people the victim knows.

Commitment, Reciprocation, and Consistency

Social engineers are always kind and polite while they are trying to obtain something from their victims. And when people are treated with respect, they tend to act with reciprocity. In such cases, they want to be consistent with what the scammer is asking them to do, and they commit to doing it. By the time they realize that they have made a mistake, it will be too late.

Distraction

When talking to you or texting you, the scammers are looking to complete their mission as quickly as possible, so you will not suspect anything. In this situation, they are trying to distract your attention from certain questionable circumstances by creating a false emergency.

Humans usually act quickly and without thinking when there is an emergency involved, and scammers use this to their advantage.

Social engineers also use several tactics to contact their victims. When contacting the victims, pretexting scammers are trying to eliminate a number of suspicions from the beginning. Here are a few technical tactics they rely on.

Technical Tactics

Email address spoofing

When social engineers contact their victims through email, in most cases, they spoof the email address to look legitimate.

Email spoofing is a tactic used in pretexting and phishing scams to fool victims into believing an email came from someone they know or could trust. Spoofing involves the scammer forging email headers so that victims see the forged email address and believe that the email was sent by a trustworthy individual.

Of course, spoofing an email address is not something that scammers can do in most cases because of some secure protocols. In some cases, spoofed emails might not even be delivered to the victim’s inbox because the email provider identified them as being suspicious.
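A receiving-side check for the forged headers described above, as an added example that is not part of the original article. It assumes the "secure protocols" are SPF, DKIM and DMARC as recorded in the `Authentication-Results` header, that the recipient's own mail server identifies itself as `mx.recipient.example` (hypothetical), and it runs on a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the id our own receiving server writes into Authentication-Results.
TRUSTED_AUTHSERV = "mx.recipient.example"

# Constructed sample message, not taken from a real mailbox.
SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=fail header.from=examplecorp.com
From: "Example CEO" <ceo@examplecorp.com>
Reply-To: ceo.office@freemail.invalid
Subject: Urgent wire transfer

Please handle today.
"""

def domain_of(header_value):
    """Domain part of the address in a header, ignoring the display name."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts stamped by our own server only."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can add this header too, so ignore foreign ones
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            results[method.lower()] = verdict.lower()
    return results

def spoofing_findings(raw):
    """Return a list of reasons to distrust the visible From address."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    dmarc = auth_results(msg).get("dmarc", "missing")
    if dmarc != "pass":
        findings.append(f"dmarc={dmarc} for From domain {from_dom}")
    # A differing Return-Path or Reply-To is a signal, not proof: bulk mail
    # services legitimately use their own bounce domain.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    return findings

if __name__ == "__main__":
    for finding in spoofing_findings(SPOOFED):
        print(finding)
```

A message that passes DMARC and keeps replies on the same domain returns an empty list; anything else is worth verifying through another channel before acting on it.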

Creating similar email addresses

To avoid having to go through the complicated process of spoofing an email address, some social engineers create new email addresses that differ from the legitimate email addresses only by a character.

In such situations, most victims do not even notice the difference.

Caller ID spoofing

In some cases, pretexting is done through phone calls, and scammers are choosing to spoof caller IDs or phone numbers. Usually, they spoof numbers of companies, governmental organizations, and even individuals.

This is intended to make victims believe that the person calling them is legitimate and gives them fewer reasons to question his or her identity.

Recreating social media accounts

This is one of the easiest tactics for certain social media platforms. All the scammers have to do is create an account that looks identical to that of someone you might know. After that, all they have to do is contact you under a pretext.

As simple as this tactic is, many people are fooled by it, unfortunately.

Using hacked accounts

There are some situations when pretexting scammers have already hacked into someone’s email or social media accounts, and they use those accounts to contact their victims. In those situations, the account is genuine, but the person behind it is not.

Pretexting Examples

Scammers today are very creative, and they find thousands of ways to get access to the personal information and money of their victims. Here are a few pretexting examples scammers are using at the moment:

The unsuccessful payment

Nowadays, most people pay their bills via automated wire transfers, and sometimes there might be an error, and the transfer might not take place. Social engineers might use that as a pretext for contacting their victims.

For example, a victim gets a call from a scammer who seems like a helpful customer service rep of their internet service provider and who says that the latest attempt to obtain the required funds to pay their bill via direct debit was unsuccessful. Then, the scammer will say that he needs the victim’s bank account information to verify that it is not a mistake on their side and redo the money transfer.

The new bank account

Another pretexting scenario might take place when a business owner is contacted by a scammer, who impersonates a supplier of that business, under the pretext that they have changed their bank account. He then asks the business owner to send the required funds to the new bank account.

In this case, the scammer is not looking for passwords or other types of information. Only money.

The bank method

A very common pretexting scenario is when a scammer pretending to be from a bank, financial institution, or the IRS contacts you and requests you to verify some information to ensure they have contacted the correct person. In such cases, they request bank account information, Social Security numbers, login information, and other financial information.

If anyone who claims to be from a bank asks you for any of this information, it is extremely likely to be a scam. The bank already has this information, and there is no reason for them to ask you these questions.

The CEO method

Frequently, scammers pretending to be CEOs or other important roles in a company contact employees from different departments under the pretext they need certain information about the company, clients, or even employees’ personal information.

The scammers might also contact employees from the financial department under the pretext they have to transfer funds to a certain bank account to pay some company expenses.

Again, these scams take place because employees usually do not question the authority of the people who have a higher role in the company.

Physically breaking into office buildings or tailgating

In the case when a scammer does not have success obtaining the information he is looking for through emails or phone calls, he might want to obtain it by physically entering the company’s office building.

In that case, he will try entering under the pretext he is making a delivery, or that he is responsible for some repairs (e.g. performing a fire extinguisher check). Commonly, scammers also use tailgating to avoid security measures.

When the scammers enter the building, they will search through documents or connect to the computer network to search for the information they want.

As bad as it sounds, pretexting is not always used for malicious reasons. But those cases are rare and only take place in these situations:

  1. When the police or other state authorities are trying to acquire information about dangerous criminals or other types of illegal activities.
  2. When a company has created a bounty, inviting hackers to find their security vulnerability in exchange for a prize.
  3. Pretexting is sometimes used by journalists to acquire certain information they can not get access to using traditional methods.

How to prevent pretexting?

Remember: it is always easier to prevent something than it is to deal with its consequences. And this is the case with pretexting as well. So, how can we prevent pretexting?

Some actions required to avoid being the victim of a pretexting attack are completely in your control. Plus, they are not hard to take. Although you can not stop scammers from contacting you, what you can do is stop them from completing their mission.

Here are a few things you have to do to avoid becoming a victim of pretexting:

Do not reveal personal information to anyone

There is a reason why it is called ‘personal information’. It is personal, and it only belongs to you. Please keep it that way.

Check if the sender’s email address is written correctly

To make their emails more credible, scammers create new email addresses that look the same as a genuine one at a glance, and many people are fooled by this tactic. So if you receive an email with a miswritten email address, be aware that it is likely a spear phishing scam.
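The check described here, and the one-character lookalike addresses from "Creating similar email addresses" above, can be automated. This is an added example, not part of the original article; the addresses in `KNOWN_SENDERS` are constructed, and it generalizes "differs by a character" to one inserted, removed, replaced or swapped character.

```python
from email.utils import parseaddr

# Assumption: addresses this recipient really corresponds with (constructed).
KNOWN_SENDERS = {"billing@example-isp.com", "ceo@examplecorp.com"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap two adjacent chars) turning a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "exmaple" for "example".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_sender(from_header, known=KNOWN_SENDERS, max_distance=1):
    """Return (verdict, matched_address) for the address inside a From header."""
    # parseaddr drops the display name, which the sender can set to anything.
    address = parseaddr(from_header)[1].strip().lower()
    if address in known:
        return ("known", address)
    for legit in sorted(known):
        if edit_distance(address, legit) <= max_distance:
            return ("lookalike", legit)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From headers for demonstration.
    samples = [
        "Example ISP Billing <billing@example-isp.com>",
        "Example ISP Billing <billing@examp1e-isp.com>",  # "l" replaced by "1"
        "ceo@exmaplecorp.com",                            # two letters swapped
        "ceo@examplecorp.co",                             # last letter dropped
        "newsletter@unrelated.example",
    ]
    for header in samples:
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict means the address is one edit away from a real contact without being that contact, which is the pattern the eye tends to miss.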

Do not open email attachments in suspicious emails

The reason you shouldn’t do this is that those attachments could be malicious files that will download to your computer (without you noticing) and steal your personal information.

Simply opening the email will not harm your device, but clicking on suspicious attachments might.

Pay attention to false emails from big companies

Pretexting scammers don’t only impersonate individuals. They also send emails that are designed to look like they are sent by certain companies. For example, they might send a false email that is supposedly coming from PayPal to a targeted victim.

Even if the scammer has successfully spoofed the sender’s email address, and you did not notice the miswritten email address, you might be able to notice other differences between the email you received and a genuine email.

If you notice anything strange about the email you received, do not reply to it, and do not open any email attachments. Just delete it.

Contact the person or the company who allegedly contacted you

If you are contacted out of the blue by someone you know and are asked for personal information or even money, you should contact that person through other means to verify, ideally through contact information that you know is genuine, and ask them if they have recently contacted you, just to be safe.

If you are contacted by an agency or company, contact them through the details provided on their website, and ask them if they contacted you. If they deny contacting you, someone is trying to scam you.

Install anti-phishing antivirus software on your devices

Even if you click by mistake on a suspicious link that could be harmful to your devices, antivirus software that has anti-phishing protection will reduce the risks that your personal information will be stolen.

Educate your employees

Like we mentioned multiple times throughout the article, pretexting scammers often contact a company’s employees under the pretext they are the CEO, or another important role in the company. They could even pretend to be a client.

If you are the owner of a company, you should invest in training your employees on how to react to this type of scam.

Do not let unauthorized persons in your office building

As a last resort, scammers will try to physically enter a company’s office building. Once they are inside, they will start looking through documents or connect to your computer network.

To stop this, a company’s office building must have strict security measures, and it should not allow tailgating under any circumstances.

Those are only a few suggestions to keep in mind to avoid becoming a victim of pretexting attacks. Know that there are many other ways to avoid these types of scams. The most important thing is to be vigilant and not let your guard down.

Summary

In today's world, you can not blindly trust anyone when it comes to your personal information and finances. Be very careful not to disclose any sensitive information to anyone who is not authorized to have it, no matter what they are saying to you.

Remember that scammers identify new ways to obtain what they want every day, and you never know what exact tactics they might use to scam you and gain access to private information. Therefore, question anything used as a pretext, and remember that it is ultimately better to be skeptical than to be fooled.
