Pretexting is a form of social engineering in which an attacker invents a believable story, the pretext, to gain a target's trust and extract something of value from them: login credentials, money, or further details about a person or business that can be used in a later attack. The pretext is built to make the attacker's request seem reasonable, so that complying with it feels like the normal thing to do.
Social engineering is any method of manipulating a person to obtain information, gain access to a physical or digital location, or profit financially from them. Pretexting is among the more convincing forms because it typically targets a specific individual or group, and because the attacker has researched the target beforehand; a request that references real names, systems and circumstances is far less likely to raise suspicion than a generic lure.
Characteristics of pretexting
- Urgent or rushed requests, especially ones that appear to come from company executives asking for money or information while they are "in a meeting" or otherwise unreachable. Pressure is usually less overt in pretexting than in other social engineering, since the attacker relies on a good story and on the trust they have built, but they may still inject urgency while posing as a trusted source.
- Unfamiliar sender domains, especially ones that closely resemble a coworker's or partner's domain but differ by a character or two (a swapped letter, a digit in place of a letter, an extra word). Pretexters make their schemes as believable as they can, and a near-match domain is often the only visible clue.
- Requests for personal information such as account credentials or even Social Security numbers. Pretexters frame the request so it sounds sensible, for example by naming an account the target really has and offering to help fix a problem that does not exist.
How to identify and avoid pretexting attacks
- Verify through a channel you already have, not through the contact details supplied in the request. If someone claiming to represent a company contacts your business to request entry to the building or access to systems, call or email that company at a number or address you look up independently, rather than the one in the message, and confirm that the visit or request is genuine.
- Apply extra caution to anyone outside the business who claims to be providing a service (for example, coming on site to fix an issue) or who asks you to reset the password on an account. Require photo ID from every visitor, and for account requests offer to call the person back on the number already on file. Adding one more step to the process and enforcing it consistently is often enough to make a pretexter give up, because the story no longer holds at that step.
- Use automated filtering in the company email platform. Machine-learning and natural-language-processing filters will not catch every suspicious email, but they can be trained to flag lookalike sender domains and the phrases commonly used in phishing and pretexting. Flagged messages can be quarantined until the recipient completes an additional verification step before acting on them.
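The two signals above that a mail filter can act on, lookalike sender domains and pressure language, as an added example in Python (this is not code from the original article or from any vendor's product; the trusted domains, the confusable-character table, the phrase list and the sample messages are all constructed for the illustration):

```python
"""Added example (not from the original article): triage inbound mail for the
two pretexting signals the article names, lookalike sender domains and
manufactured urgency. Trusted domains, phrases and messages are constructed."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional

# Domains this organization legitimately sends from (assumed for the example).
TRUSTED_DOMAINS = ("example.com", "example-corp.com")

# Character substitutions attackers use to build lookalike domains. Applied in
# order; no replacement output is a later input, so the result is stable.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"),
               ("3", "e"), ("5", "s")]

# Wording that signals pressure or a credential/payment request (constructed list).
PRESSURE_PHRASES = ("urgent", "immediately", "right away", "before end of day",
                    "wire", "gift card", "verify your account",
                    "confirm your password", "reset your password",
                    "keep this confidential", "do not tell")

MAX_EDIT_DISTANCE = 2  # tunable: how close a domain must be to count as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusables so 'examp1e' and 'exarnple' both read as 'example'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or a subdomain of one (mail.example.com)."""
    domain = domain.lower()
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None."""
    domain = domain.lower()
    for t in TRUSTED_DOMAINS:
        # Trusted name used as a leading label: example.com.account-verify.net
        if domain.startswith(t + "."):
            return t
        if levenshtein(normalize(domain), normalize(t)) <= MAX_EDIT_DISTANCE:
            return t
    return None


@dataclass
class Verdict:
    quarantine: bool
    reasons: List[str] = field(default_factory=list)


def assess_message(msg: dict) -> Verdict:
    """Decide whether one message should be held for extra verification."""
    reasons = []
    _, addr = parseaddr(msg["sender"])
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    lookalike = None
    if domain and not is_trusted(domain):
        lookalike = lookalike_of(domain)
        if lookalike:
            reasons.append(f"sender domain {domain!r} imitates {lookalike!r}")
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    # Any lookalike domain is held. An external (or unparseable) sender is held
    # when it combines two or more pressure phrases; a trusted sender only gets
    # a note, since genuine urgent requests happen. Direct spoofing of the
    # trusted domain is assumed to be blocked separately by SPF/DKIM/DMARC.
    hold = bool(lookalike) or (not is_trusted(domain) and len(hits) >= 2)
    return Verdict(hold, reasons)


def triage(messages: List[dict]) -> List[Verdict]:
    return [assess_message(m) for m in messages]


# Constructed sample traffic for the example.
MESSAGES = [
    {"sender": "Dana Ruiz <dana.ruiz@example.com>", "subject": "Q3 budget review",
     "body": "Attached is the draft; comments by Friday please."},
    {"sender": "Dana Ruiz <dana.ruiz@examp1e.com>", "subject": "Urgent wire needed",
     "body": "I'm in a meeting, need you to wire $18,400 to the vendor immediately. "
             "Keep this confidential."},
    {"sender": "IT Helpdesk <support@example.com.account-verify.net>",
     "subject": "Password expiring",
     "body": "Verify your account within 24 hours to avoid lockout."},
    {"sender": "Vendor <billing@acme-supplies.com>", "subject": "Invoice 1043",
     "body": "Please find the invoice attached, net 30."},
]

if __name__ == "__main__":
    for m, v in zip(MESSAGES, triage(MESSAGES)):
        print("HOLD" if v.quarantine else "PASS", m["sender"], "|", "; ".join(v.reasons))
```

Run as a script it prints one HOLD/PASS line per constructed message with the reasons. The edit-distance threshold and the confusable table are the knobs to tune: a lower threshold misses more spelling tricks, a higher one flags unrelated short domains. The domain check only helps against lookalikes; a message whose From header is forged to the trusted domain itself must be caught by SPF/DKIM/DMARC enforcement on that domain, which this example assumes is already in place.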