How to protect your organization from a pretexting attack

Author: Phil Muncaster

Whether it's the bug-ridden code we write or the mistakes we make at our keyboards, it is human error that threat actors usually exploit when they attack—82% of breaches analyzed by Verizon in its 2022 Data Breach Investigations Report (DBIR) involved some kind of human element.

Pretexting is potentially one of the most damaging attacks your organization faces. Left unchecked, it can lead to significant financial and reputational damage, and tackling it effectively may require changes to people, process and technology.

What is pretexting?

Pretexting is a type of social engineering scam where the attacker tries to convince the victim to give up valuable information or access to a service or system by creating a story or pretext.

There is some crossover here with phishing, a more widely understood form of social engineering. But phishing is the broader, more generic term for any impersonation attack in which a user is tricked into handing over information or unwittingly installing malware. Pretexting is best understood as a subset of phishing distinguished by the invented scenario and by the attention paid to a specific human target: the threat actor typically spends more time on reconnaissance and engages the victim directly, often over several messages or calls. That extra effort means a pretexting tactic tends to appear in attacks with a higher anticipated pay-out.

In fact, a pretexting tactic was present in 27% of social engineering breaches analyzed by Verizon. Social engineering turns our humanity against us. It is the art of manipulating the victim's mind to do the attacker's bidding—which, in a cyber security context, usually means handing over sensitive information or money.

Elements of a pretext

The key here is the "pretext"—the scenario or story the attacker invents in order to persuade the victim to do their bidding. There may be several elements to a typical pretexting attack:

  • The attacker may impersonate a trusted entity (e.g., a CEO, or the representative of a bank, telco or corporate supplier).
  • They may use legitimate information to make the scam seem more authentic (e.g., your name and email, the contact details of the person they're spoofing, etc.).
  • They also might use email, phone or text channels—that is, a pretexting attack may be part of a broader phishing, vishing or smishing campaign. For example, a phishing attack may be used to compromise a CEO's email account, which is then used to launch a pretexting attack designed to trick the recipient into wiring money out of the business (known as business email compromise or BEC).

The bad news is that there's no shortage of scenarios or sensitive data that can be leveraged by savvy social engineers. They could use:

  • Open source intelligence, such as extracting information on targets from social media and corporate websites
  • Cybercrime forums, which are stocked full of stolen log-ins and personal and financial information. In one 2021 investigation, researchers discovered 1.5 billion breached username and password combos and over 4.6 billion pieces of personally identifiable information circulating on the dark web.

What's the impact of a pretexting attack?

By using a pretexting tactic, fraudsters could elicit corporate log-ins and financial information, or even trick the victim into downloading malware such as ransomware onto their machine. But pretexting is most commonly associated with BEC, according to Verizon's DBIR. In these attacks, the threat actor may impersonate a CEO and, in an email to a member of the finance team, demand an urgent wire transfer of funds to an account under their control. Or they may masquerade as a supplier brandishing an unpaid invoice. In both scenarios, and others, the attacker's chances of success are usually tied to the quality of their reconnaissance and groundwork. Legitimate email accounts may be hijacked via phishing, and internal emails may be monitored for names of suppliers, invoice templates and, critically, the right time to drop a fake payment request.

The impact of such attacks could therefore be significant in terms of financial and reputational damage, whether it's a data breach, a malware compromise or a BEC attack.

How can your organization prevent and mitigate pretexting?

Cyber criminals using a pretexting tactic to get what they want can be highly skilled. But they're not infallible. A combination of best practices and advanced tooling can substantially reduce the risk. Consider the following:

  • Train employees to spot the warning signs of pretexting: unexpected urgency, requests to bypass the normal process, and changes to payment details or contact channels. Training should recur throughout the year, include real-world simulations and be kept short (10 to 15 minutes) so that it is actually absorbed.
  • Enhance simulation exercises with login banners and regular emails to keep staff alert.
  • Deploy multi-factor authentication so that a stolen password alone does not grant access. Prefer phishing-resistant methods where possible, since a convincing pretext can also talk a victim into reading out a one-time code.
  • Keep software continuously patched and updated across all corporate devices/machines.
  • Install anti-malware on all devices including phishing protection.
  • Deploy DMARC (Domain-based Message Authentication, Reporting, and Conformance) with a reject policy (p=reject) to mitigate the risk of exact-domain spoofing. Start at p=none and review the aggregate reports to confirm that every legitimate sender passes SPF or DKIM alignment before moving to reject, because a premature reject policy drops your own mail. DMARC does not stop messages sent from a lookalike domain or from a hijacked legitimate account, both of which pretexters use.
  • AI-powered email protection can help to spot suspicious writing styles and email behavior indicative of account takeover.
  • Update business processes so that all high-value money transfer requests, and any change to a supplier's payment details, require sign-off from multiple team members and verification through a second channel, such as a call to a phone number already on file rather than one supplied in the request.
  • Update incident response plans to minimize the impact of any successful pretexting attack or related tactic.
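A practical way to act on the DMARC recommendation above is to check what your own record actually says before assuming you are protected. The following evaluator is an added example written for this page; it is not Verizon's tooling or code from the article. It parses the DMARC TXT record syntax from RFC 7489 and flags the settings that leave a domain spoofable: p=none (monitor only), p=quarantine, a pct below 100, a subdomain policy weaker than the organizational policy, and a missing rua address. The sample records and the .example domains are constructed placeholders, not real records.

```python
"""Assess DMARC records for spoofing exposure (added example, not from the article)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records keyed by placeholder domains. None of these
# are real domains' records; they exist only to exercise the evaluator.
SAMPLE_RECORDS: Dict[str, str] = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "strong.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                       "rua=mailto:dmarc@strong.example"),
    "notdmarc.example": "v=spf1 include:_spf.mail.example -all",
}

# Relative strength of the three DMARC policies.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    valid: bool                      # record parses as DMARC at all
    policy: Optional[str]            # p= tag
    subdomain_policy: Optional[str]  # sp= tag, defaulting to p= (RFC 7489 6.3)
    pct: int                         # share of failing mail the policy applies to
    enforcing: bool                  # True only for p=reject, sp=reject, pct=100
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a dict.

    Tag names are case-insensitive, so they are lowercased. Fragments
    without '=' are skipped rather than raising.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Flag settings that leave the domain open to exact-domain spoofing."""
    tags = parse_dmarc(record)
    first_tag = record.split(";", 1)[0].strip().lower()
    # v=DMARC1 must be the first tag and match exactly, else receivers ignore the record.
    if not first_tag.startswith("v=") or tags.get("v") != "DMARC1":
        return DmarcAssessment(False, None, None, 0, False,
                               ["not a DMARC record: v=DMARC1 must be the first tag"])
    policy = tags.get("p")
    if policy not in POLICY_RANK:
        return DmarcAssessment(False, policy, None, 0, False,
                               ["p= tag missing or invalid; receivers ignore the record"])

    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")

    sp = tags.get("sp", policy)  # subdomain policy falls back to p=
    if sp not in POLICY_RANK:
        findings.append(f"sp={sp} is not a valid policy; subdomain handling is undefined")
    elif POLICY_RANK[sp] < POLICY_RANK[policy]:
        findings.append(f"sp={sp} leaves subdomains weaker than the organizational domain (p={policy})")

    pct_raw = tags.get("pct", "100")
    if pct_raw.isdigit():
        pct = max(0, min(int(pct_raw), 100))
    else:
        pct = 100
        findings.append(f"pct={pct_raw} is not an integer; treating as 100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")

    enforcing = policy == "reject" and sp == "reject" and pct == 100
    return DmarcAssessment(True, policy, sp, pct, enforcing, findings)


def assess_all(records: Dict[str, str]) -> Dict[str, DmarcAssessment]:
    """Assess every record in a domain -> TXT mapping."""
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all(SAMPLE_RECORDS).items():
        status = "ENFORCING" if result.enforcing else "EXPOSED"
        print(f"{domain}: {status} (p={result.policy}, sp={result.subdomain_policy}, pct={result.pct})")
        for finding in result.findings:
            print(f"  - {finding}")
```

To run this against a live domain, fetch the TXT record at `_dmarc.<domain>` (for example with `dig TXT _dmarc.example.com +short`) and pass the returned string to `assess_dmarc`. The evaluator only reads the published policy; it cannot tell you whether your legitimate mail streams actually pass SPF or DKIM alignment, which is what the aggregate reports sent to the rua address are for.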

Above all, organizations benefit from a proven response plan for a wide array of incidents that can disrupt operations and imperil sensitive data. The best of these response plans are powered by threat intelligence tailored to an organization's specific risk profile.

Discover how Verizon's threat advisory services can help your organization to enhance its resilience against social engineering attacks like pretexting.

The author of this content is a paid contributor for Verizon.