What is pretexting in social engineering

Pretexting is a social engineering technique used by hackers, spammers, and pranksters to gain and exploit an individual’s trust. It has been defined as the act of taking on an identity (usually that of a trusted person, such as a customer service representative) for the purpose of gaining information or participation in a situation.

Techniques include presenting as someone else by phone call, email, instant message, or other means; with this impersonation the attacker has more success than when approaching the target without an identifiable role. There are generally these types:

  • Identifying themselves as someone else from the target company to gain information about the target (e.g., to find out their password)
  • Identifying themselves as someone else by referring to the target as a trusted and identified individual
  • Confirming the identity of another person and acting on that perceived identity; for example, having an employee use a phishing email and pass it on to the client without approval. The former requires two people talking to each other; the latter requires only one person, because the impersonation is limited to a single person.

Pretexting has also been used in combination with phishing attacks. The attacker poses as the legitimate account holder and asks for information that is easily available, such as account credentials. The attacker then obtains those credentials from a phishing website and uses them to gain access to the victim’s account.

Pretexting can also be used in email spoofing to manipulate the sender address. Most email clients are easily fooled by this trick, because a fake name/address can be set with a simple Ctrl-W shortcut (wrench icon) on Mac OS X or Ctrl-F shortcut (find on page or find icon) on Windows XP. The user is tricked into thinking the message is from a real person and responds to it. The message can then be modified to have the victim transfer money, buy goods online, or send further communications back to the attacker.

Pretexting is often used in conjunction with phishing attacks. The pretexter poses as a legitimate customer of the target organization and attempts to obtain information about it, such as account credentials and passwords, information on its employees, financial records, etc., through fraudulent email messages or phone calls. This is followed by an attempt to acquire those credentials via malware placed on the organization’s computers or through the social engineering of an employee.

Key Points:

  • Customers are encouraged to visit a fake website against their better judgment; in an email, customers are encouraged to click on a link or open an attachment that they should not open.
  • This can be accomplished by making the email look like it’s from “someone they know” rather than a stranger. When customers enter their credentials into the site, they may be redirected to another website, which can steal any information entered on the first website.
  • Customer data is stolen through cross-site scripting (XSS) attacks, where malicious scripts are placed in otherwise legitimate web pages and then run automatically when the page loads in the customer’s browser.
  • The most common XSS attacks involve inserting JavaScript code into otherwise benign HTML pages, such as the code shown here: `<SCRIPT SRC=http://www?></SCRIPT> <!-- The attacker’s script will get loaded here -->`. This attack is carried out because many browsers don’t execute JavaScript unless it comes from an approved source, and because some users think the code looks suspicious and so may turn off JavaScript completely.

Countermeasures:

Social engineering is typically used by criminals in the process of stealing passwords, account information, and other sensitive data. This can be detected by monitoring employees’ usage of IT resources. This includes:

  • Real-time observation/monitoring
  • Suspicious behavior/inconsistencies
  • Analysis of common search words
  • Audit trails/log review

Pretexting has been used as part of a fraudulent sales pitch for products such as stock shares and reduced-rate mortgages, typically involving:

  • Entering credit card information
  • Requesting the credit card PIN
  • Requesting the credit card balance

Conclusion: 

Pretexting is a serious form of social engineering that uses trust as a weapon. Attackers often use stolen credentials to gain access to an individual’s personal information, and from there they are able to act against the victim’s financial and social well-being. A sense of trust is never a substitute for checking what one actually sees or hears.


Pretexting is a form of social engineering used to manipulate people into giving attackers what they want by making up a story (or a pretext) to gain your trust. 

Attackers commonly create pretexting scams – a pretense or fabricated story that seems reasonable – along with other social engineering techniques, such as impersonation or phishing. Attackers might use pretexting to gain access to confidential information or mislead you into sending them money. Pretexting may happen over any channel of communication as long as there are false pretenses involved, whether it’s through SMS, emails, phone calls, or even real-life scenarios.

To succeed, the attacker has to develop a seemingly authentic story to make you believe the message is coming from a legitimate source.

How Does Pretexting Usually Work?

Two components are needed for a believable pretext: a plausible scenario and a character.

Attackers involved in a pretexting attack usually do in-depth research beforehand to create a plausible scenario the target will believe. If you were the target, the attacker might study your social media to figure out where you’ve been lately or who you’ve met.

Attackers are highly motivated and dedicated. Attackers planning a targeted spear-phishing attack won’t even hesitate to rummage through your trashcan to find the information they need. Doing so might uncover receipts from recent purchases, mail from online subscription services, or even confirmation of where you bank!

Even if you’ve been extremely careful with your data online and in real life, your personal information might be up for sale on the dark web, courtesy of the numerous data breaches that may have included your details.

When you put all of these traces together, hackers can draw a surprising number of conclusions about you: who you are, where you go, what you do, and more. Their thorough reconnaissance process gives them all the clues they need to fabricate a plausible scenario and create a believable character to impersonate. Their story just needs to be credible and specific enough to gain your trust and manipulate you.

Common Social Engineering & Pretexting Examples to Monitor

Expert attackers come up with carefully crafted stories that will trick even the most cautious user. To help you identify some common patterns, here are some examples we’ve seen in pretexting or social engineering attacks.

1. “I need your help right away.”

Unusual urgency is expected in a CEO fraud or Business Email Compromise (BEC) attack. Urgency engages someone’s willingness to help and prevents the potential victim from stepping back and considering the request carefully. Because most people are naturally polite and helpful, this phrase effectively enables attackers to reach their goals. 

“I need your help right away” is even more effective when the request comes from someone with a higher rank. This simple request can throw off most staff members, especially if there’s specific, convincing, and confidential information.

In CEO fraud, the main goal is often to wire money to a false bank account, change payment details, or get sensitive information, like a company’s financial information.

2. “Are you free right now?”

This question creates both a sense of urgency and familiarity for victims. It’s a question you hear daily, and it doesn’t seem out of place in an email either.

In 2017, hackers used this strategy in a CEO fraud attack. Here’s what they said: 

From: John Smith
Sent: Monday, 13 November 2017 11:27 AM
To: Susan Brown
Subject: Urgent Attention

Are you available to handle an international payment this morning?

Have one pending, let me know when to send bank details.

Regards
John Smith

Sent from my iPhone

Here’s the thread from Trustwave if you want to see how the scammer navigated the whole conversation.

3. “It was so good to see you!”

This phrase would be ideal if the attacker knew your recent movements, especially who you met or where you went.

It’s one reason why you should be careful about what information you’re posting on social media. Most of the time, you’re not really aware of what information you’re giving away.

Having details you’d think only the people involved would know makes it easier for attackers to slip under your radar. You need to be aware that attackers can quickly discover what’s going on in your life and take advantage of those details to gain your trust.

4. “What’s your personal phone number?”

At this point, everyone knows that it’s a bad idea to share sensitive data with a stranger, such as passwords, your social security number, or your credit card number.

But what about your phone number?

Some people would think this is harmless information. The only thing the attacker can do with your phone number is to call you. However, this might lead to an elaborate vishing or smishing scheme that puts you in danger, primarily if you’re not used to the tactics attackers use.

In addition, phone numbers are used to verify your identity in some companies and can easily be spoofed to intercept 2FA and other authentication processes.

5. “You won a gift card!”

This scenario seems more plausible in an attack against an individual rather than a company. However, if your employees are using their business emails to sign up for personal services, malware might still slip in using this method.

This strategy is most effective when attackers know what kind of services you use or about your interests and hobbies. Unfortunately, it’s easy for them to conduct research about you just on social media or if you get careless with your private information.

Once they know your history, the only thing the attacker needs to do is replicate a promotional email commonly sent by the store and swap the legitimate link for a malware-infested one.

6. “Something is wrong with your account.”

This pretense is another favorite of cyber attackers. Organizations sometimes send out automated notifications with wording like this. As a result, few red flags are raised.

There are a couple of ways hackers might use this scenario against you:

  • You might see this phrase in the form of a phishing email from a brand you’re familiar with, asking you to log in and check your account. If you’re not vigilant, you might just click on the link instead of going straight to the organization’s official website by typing their domain address. In most cases, the link in the email is spoofed and redirects victims to a duplicate website designed to capture their login information. 
  • You might also see an account issue notification in vishing campaigns where someone claims to be from a retailer, service, or provider you favor. Perhaps they let you know that your last payment has been declined. Since it’s a service you’re familiar with, you might humor them and give them your credit card information or bank account number to help them retry the payment.

3 Simple Ways to Prevent Pretexting

Pretexting attempts are hard to detect, especially if you’re fighting an expert who has done their homework. Here are a few things you can do to help you and your employees defend against pretexting.

1. Secure your email

Since your inbox is the main entry point for most attackers, deploying an email security solution should be on your to-do list. For one, publish a DMARC policy to protect your email from exact-domain spoofing.

In addition to publishing a DMARC policy, consider investing in email security software that will single out suspicious emails for you. Since messages with suspicious characteristics are marked or isolated, your employees will know they should approach the email with caution.
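As an added illustration of what such mail filtering checks for (example code, not Inspired eLearning’s product or the article’s own), the following triage ties the DMARC point together with the pretext phrases listed above: it parses a published DMARC record, checks that the visible From domain aligns with the envelope sender, flags a known staff name on an external mailbox, and flags the urgency and payment wording from the CEO-fraud email quoted earlier. ORG_DOMAIN, the DMARC records and the message are constructed placeholders.

```python
# Inbound-mail triage for the pretexts described in this article. Added example;
# ORG_DOMAIN, the DMARC records and SAMPLE are constructed, not real data.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # hypothetical organisation domain (constructed)
URGENCY_PHRASES = (         # wording taken from the article's pretext examples
    "need your help right away", "are you available", "are you free right now",
    "international payment", "bank details", "urgent", "wrong with your account",
)

def parse_dmarc(txt_record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject' into its tags."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt_record)
    return tags

def triage(raw_message, dmarc_records, known_staff):
    """Return findings for one message. dmarc_records maps domain -> TXT record
    (standing in for a DNS lookup); known_staff is the set of internal display names."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    findings = []
    # 1. Exact-domain spoofing: the visible From domain differs from the envelope sender,
    #    so a DMARC policy of p=reject or p=quarantine would stop or isolate it.
    if from_dom != rp_dom:
        policy = parse_dmarc(dmarc_records[from_dom]).get("p", "none") if from_dom in dmarc_records else "none"
        findings.append("misaligned From/Return-Path (%s vs %s), DMARC p=%s" % (from_dom, rp_dom, policy))
    # 2. Display-name impersonation: a staff name on a mailbox outside the organisation.
    if display in known_staff and from_dom != ORG_DOMAIN:
        findings.append("display name %r used from external domain %s" % (display, from_dom))
    # 3. Urgency and payment language typical of CEO fraud / BEC.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("pretext phrases: " + ", ".join(hits))
    return findings

# Constructed message modelled on the 2017 CEO-fraud email quoted above.
SAMPLE = """From: John Smith <john.smith@example.com>
Return-Path: <bounce@mail-example.net>
Subject: Urgent Attention

Are you available to handle an international payment this morning?
Have one pending, let me know when to send bank details.
"""
```

Swapping the From address in SAMPLE for an external one (john.smith@mail-example.net) removes the alignment finding, which is exactly why the display-name check is needed alongside DMARC.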

2. Establish a cybersecurity policy

Establishing and maintaining a cybersecurity policy isn’t easy. But it pays off since a cybersecurity policy communicates what kind of actions your employees should take when facing a cyber-attack.

A cybersecurity policy also helps co-workers and employees be more aware of the threats they face. It further acts as a source of truth they can reference. Finally, it guides them through the appropriate measures to protect your company’s data, customer information, and valuable assets from hackers.

3. Educate and empower your staff

Unfortunately, humans are still the weakest link in securing your system. According to Verizon’s 2021 Data Breach Investigations Report, 85% of data breaches still involve a human element.

When the system you set up fails to protect your users from fraudulent attempts like pretexting, it’s up to your employees to be savvy enough to catch on. Preparing them for such attempts will give your users an edge and make them far harder to trick.

Regular cybersecurity awareness training can help your employees stay on top of possible attacks.

Beyond regular training, phishing simulations will also help users be more aware of what’s going on in their inboxes and make it harder for attackers to fool them with social engineering techniques like pretexting or impersonation.

Prevent Pretexting with Inspired eLearning

Pretexting is just one of the many social engineering tactics commonly used by scammers to gain your trust. What’s even worse is that attackers are creative! It’s easier to fall for these schemes if you’re not trained to detect them in the first place.

Here are a few more security awareness tips you can share around the office to upgrade the awareness level of your colleagues and employees.

Let us know when you’re ready for a dedicated and retention-focused training program, and we can help you navigate our catalog to find the best options for your organization.