Phishing attacks are growing multifold every day across the globe. But the alarming statistics don’t mean that con artists prefer phishing to the exclusion of other social engineering methods. Before executing any sophisticated targeted attack, threat actors study the target and choose the most effective social engineering method for the lure. Pretexting is one of them.
In simple terms, pretexting is a notorious social engineering technique in which the attacker pretends to be someone the target trusts in order to extract useful information. As with other social engineering methods, attackers often impersonate others to build confidence.
But unlike other social engineering methods, in pretexting the adversary usually observes the target for a long time to understand and gather information about their likes, dislikes, and various psychological patterns. Once they have collected the pertinent information, they plan how to earn the victim’s trust over email, live chat sessions, or phone calls.
Once they have earned the victim’s trust, they can easily extract all the relevant information, which helps them launch a cyber-attack.
Unlike phishing, a pretexting attack may or may not involve malware. For instance, in a pretexting attack, a threat actor can masquerade as an official of the bank where the victim has an account. Once they gain trust without arousing any suspicion, they could ask the victim to send relevant banking credentials or payment card information in the name of upgrading their KYC or something similar.
The popularity of the pretexting technique goes beyond the cybercrime business. The methods involved in pretexting are used by people in enterprise sales, public speaking, journalism, fortune-telling, and private investigation, by doctors, lawyers, and therapists, and by countless other professionals to extract useful information. For instance, a private detective can use similar methods to find relevant details that help them solve a specific investigation.
Apart from these techniques, the art of pretexting is also practiced for tailgating or piggybacking operations to enter premises without authorization. For tailgating operations, actors often impersonate someone or steal an access card or RFID key to carry out the operation.
Phases of Pretexting
Like other social engineering techniques, pretexting also involves multiple stages to achieve the goal. For instance, a pretexting attack should always include a sophisticated planning session based on extensive research on victims’ psychology.
To execute a sophisticated pretexting plan, the social engineer must master the relevant dialect by learning certain phrases, idioms, terms, and sometimes slang to avoid suspicion. For instance, while impersonating a representative of a bank, the con artist learns how a bank employee greets customers, or practices the colloquial idioms of the dialect.
Threat actors sometimes even learn the local laws, assess the victim’s intelligence level, and work out a proper timing schedule for their call-to-action.
The planning phase often involves crucial points, such as identifying the problem they are pretending to solve or planning the set of questions they are supposed to answer. It also covers more delicate psychological details, such as the kind of information they could try to retrieve.
Sophisticated pretexting attacks are often used in highly targeted attacks against large organizations. Verizon’s 2020 Digital Breach Investigation Report claimed that a significant percentage of social engineering attacks were executed through pretexting. The researchers claimed that the numbers had shot up significantly from the previous year and that this type of attack could increase even more in the following years. The experts also claimed that poor security policies and a lack of cybersecurity awareness are largely responsible for the increase in pretexting attacks.
In 2018, an alleged Russian spy called Maria Butina was arrested on charges of extracting relevant information from American citizens, infiltrating political groups, and the U.S. Justice Department. Maria was allegedly associated with the Russian Government and was working under the instruction of an authority figure of the Russian Central Bank. She was later sentenced to 18 months in prison. The authorities used Butina’s social media pages, including Facebook, Twitter, YouTube, and LinkedIn, to justify their claim. The authorities found Butina in numerous photographs with Alexander Torshin, the deputy head of Russia’s Central Bank, sanctioned by the U.S. Treasury Department.
In another case, Anna Sorokin, a.k.a. Anna Delvey, posed as a German heiress and applied for a $22 million loan to start a private club. Delvey forged all the required documents, including bank documents, and became a regular at the Big Apple’s socialite hot spots. She was later charged with attempted grand burglary and theft of services by the Manhattan District Attorney.
In another significant case of pretexting, a California and Oregon based American organization called Perverted Justice used pretexting to run online decoy operations against many pedophiles and sexual predators. To extract the information needed to prove the allegations against the suspects, Perverted Justice used different pretexting schemes via social media.
During the political unrest in Brazil in 2013, a Brazilian Army intelligence member developed several profiles across social media platforms, including Facebook, Instagram, and Tinder, to infiltrate activist circles. Through the series of operations, 21 agents were convicted for flirting with women on various social media, including Tinder.
Pretexting is one of the most sinister social engineering methods and is used in many highly sophisticated targeted attacks. The method relies on brazen trickery, which often manages to deceive the target. To protect yourself against such attacks, you should:
- Never share any personal or organization data with any recent acquaintance or any unknown person.
- Share no personal information, including passwords, via email or any social messenger.
- Look carefully at the domain name of any site you visit and cross-check it with the authentic site via an internet search. Remember, an impersonated website can come with a similar name but a different extension, such as gizmodo.net.
- Verify the person’s authenticity by contacting the respective company. Never reply to any email address or call any phone number that arrived via a suspicious email.
- Always install layered security software such as K7 Total Security, which comes with an email scanner and an active firewall.
- If you fall victim to any social engineering attack, report the incident to the respective authorities immediately and change all the related passwords.
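
The domain-name check in the list above can be partly automated. The following is an added example, not part of the original article: it compares the hostname in a link against a list of sites you already trust and flags the "similar name, different extension" case. The `TRUSTED` list, the function names and the sample links are assumptions made for illustration, and the code assumes single-label extensions such as .com.

```python
from urllib.parse import urlsplit

# Assumption: the reader's own list of authentic sites (constructed sample;
# "mybank.example" is a placeholder, not a real bank).
TRUSTED = ["gizmodo.com", "mybank.example"]

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url, trusted=TRUSTED):
    """Return (verdict, matched_trusted_site) for the hostname in url."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return ("unknown", None)
    for site in trusted:
        # Exact match or a genuine subdomain of a trusted site.
        if host == site or host.endswith("." + site):
            return ("trusted", site)
    if any(label.startswith("xn--") for label in labels):
        # Punycode can hide look-alike characters from other alphabets.
        return ("encoded international name, compare by hand", None)
    name = labels[-2]  # naive: assumes a one-label extension such as .com
    for site in trusted:
        t_name = site.split(".")[0]
        if name == t_name:
            return ("same name, different extension", site)
        if t_name in labels[:-2]:
            return ("trusted name used as a subdomain", site)
        if edit_distance(name, t_name) <= 1:
            return ("lookalike name", site)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links.
    for link in ["https://www.gizmodo.com/a", "http://gizmodo.net/login",
                 "https://gizm0do.com", "https://gizmodo.com.account-verify.example/"]:
        print(link, "->", check_link(link))
```

An "unknown" verdict only means the site is not on your list; it still needs the manual cross-check described above.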