What Is Pretexting And Do You Know How To Protect Against It?
Are you sure you can tell when someone is trying to scam you online?
As humans, our cognitive biases lead us to make irrational decisions, and we are easily inclined to trust. Social engineering encompasses a broad list of malicious activities such as phishing, baiting, quid pro quo, tailgating, and pretexting. This article focuses specifically on pretexting.
In the IT security industry, social engineering refers to psychologically manipulating or fooling unsuspecting people into divulging sensitive and confidential information. Social engineering relies on human instinct, and it is a more straightforward and less costly way to gain access to data than hacking into systems.
Pretexting is a form of social engineering in which the attacker invents a scenario or story (a pretext) to win over the potential victim and make it more likely that the victim will disclose sensitive and valuable information about themselves. The revealed information (bank details, social security number, the last bill paid, etc.) enables the perpetrator to gain access to systems and services that the victim is subscribed to.
How Does Pretexting Work?
- Pretexting can take place through a communication medium: this can be in the form of a phone call or an email.
- Pretexting can be face-to-face: The attacker may present themselves as a person in authority who has the right to get access to specific information and aims to use this data to ‘help’ the target. The attacker may impersonate a police officer, a banker, or a tax official. The character they present helps them establish a sense of trust with their victims.
Before making contact, the attacker will have carried out extensive research on their potential victim. They will often use the Internet and leaked personal data from previous data breaches to establish their authenticity.
This data also helps them create a credible tale that leaves little room for doubt, which establishes trust and builds rapport with the potential victim. The attacker will present the target with aspects of the target's own personal information, such as their job title, home address, job location, phone number, work history, and credit card information.
The attacker typically creates a sense of criticality by pretending to need the victim's confidential information to perform a crucial task. Since they already have some of the target's personal information, they will claim to need more of it to confirm the victim's identity.
2 Ways To Know You’re Being Targeted For Pretexting
To be successful, the attacker must invent a believable scenario or story to convince the target. This scenario is also known as a pretext.
- A Plausible Situation: The scenario presented to the target is everything. It determines how well the attacker's objective will be achieved. The scenario will fit the target's location and time, and it will be relevant, appealing, and believable, because that adds credibility to the attacker's story. For example, a customer service representative would likely contact you if you're having trouble accessing services.
- A Believable Character: The plausible situation requires role-playing, so the role the attacker takes is vital. The perpetrator will present themselves confidently and will dress and speak the part. The character they show helps solidify their story. For example, an attacker impersonating a banker will dress formally, use banking vocabulary, and address the subject the same way the bank would.
In the process of engaging the target, the attacker obtains personal information that they can use to commit secondary attacks or identity theft.
Traditionally, employees of companies such as credit card companies, insurance companies, security firms, financial organizations, and banks were the main targets of pretexting. However, the focus has shifted to individuals.
How Can You Protect Yourself And Your Company From Pretexting?
How Can You Take Personal Responsibility?
- Avoid sharing personal information on social media. If you have already shared this information, request to have it taken down.
- Use authorized and trusted channels to verify your email address and phone number in case you receive a suspicious message.
- Do not click on links sent via email; instead, use trustworthy websites.
- Do not disclose your personal information or passwords to anyone if you are uncertain.
- Turn down offers of help from a company if you have not requested assistance.
- Find out who has access to your data at work and ensure that it is secure.
- Do not open emails from an unknown source.
- Secure your computer by installing anti-virus software, email spam filters, and firewalls, and always keep them updated.
What Steps Can You Take To Protect Your Organization?
- Provide an awareness program that teaches employees how to avoid falling victim to pretexting and not to share information about the organization.
- Develop a policy for handling suspected attackers.
- Filter staff emails to prevent staff from clicking on links from unknown sources.
- Engage a cyber-security solutions provider that will improve and maintain your current security systems and structures. If all of the above measures fail, a cyber-security solutions provider can intercept areas of risk and block attacks before they occur.