The landscape of cybersecurity threats is vast. But one tactic stands out for its clever manipulation of human psychology: pretexting.
Pretexting has doubled since last year, and now accounts for over 50% of all social engineering attacks, according to Verizon’s 2023 Data Breach Investigations Report.
So, What is Pretexting?
Pretexting is a highly personalized form of social engineering where attackers fabricate a scenario to manipulate specific targets into providing valuable information.
As laid out in the book Social Engineering Penetration Testing, effective pretexting attacks rely on two key components: a plausible situation and a character.
The situation, or ‘pretext,’ serves as the justification for why the target should provide requested information from the attacker. This justification is based on intimate details that the attacker has gathered about their victim. They carefully craft the situation to appear both time-sensitive and out of the ordinary, applying pressure on the victim to compromise their usual security protocols.
The character is the alias the attacker uses to gain the trust of the victim and ultimately sell the validity of their made-up scenario.
An attacker’s deception isn’t all performance art, however. Before an attack, a truly creepy amount of research (if you could call it that) is conducted. Let’s dive into the headspace of a pretexter.
How does Pretexting Work?
From initial research, to the fabrication of a scenario and character, to the eventual pretexting attempt, attackers employ a well-orchestrated process to manipulate their target.
1. Target Identification & Investigation
The attacker identifies a specific target within an organization they think is susceptible to their deception. This could be anybody: the help desk employee receiving several calls a day from external contractors, the new hire who may be eager to please a superior and is unaware of certain security protocols, and especially any personnel with extensive security privileges.
Last year, Elevate saw a 2.5x increase in attacks against privileged users such as engineers with access to source code.
From there, the attacker gets to work researching their target. They’ll scour a number of channels to gather information on their target’s personal life, the names of their co-workers, company partners, and anything else relevant to building a convincing “pretext”.
2. Character & Scenario Fabrication
Based on whatever information the attacker is able to gather on their target, they’ll pick an alias and devise a scenario that, at face value, seems plausible. 82% of phishing emails are sent to just 5% of the population. Pretexters know that targeting just the right personnel within an organization can yield results that are valuable for them and catastrophic for their victims.
Threat actors could masquerade as a busy supervisor in a meeting texting an employee to complete a task for them. They could pose as an internet service provider, requesting billing information for a payment failure.
In some cases, the attacker may even dress in disguise to solicit physical access to a building, or deepfake the voice of a real person over the phone.
3. Pretexting Attack
No matter who the attacker is impersonating or the channels they’re using to manipulate the victim, all effective pretexting attacks capitalize on a sense of trust, urgency and/or fear.
The employee is fearful that if they don’t comply with their [fake] boss’ urgent request, it could impact their standing with the company. The [fake] contractor needing access to the building seems likeable enough to be let in…
Pretexting aims to lower the guard of generally good-natured people with the best of intentions—making it all the more important to encourage employees within your organization to slow down and look for telltale signs of a pretexting attack when things seem off.
Signs to Look For in a Pretexting Attack
Urgent requests: Attackers know that every second is precious when trying to gain access to sensitive information. They’ll sometimes embellish the consequences of not complying with their request to get you to second-guess whether you should step away from the phone or computer to verify their request.
Unusual requests: Sometimes attackers will leverage a softer approach. They might strike up small talk and mention names, places or events that are familiar to you. As natural as the conversation may seem, if it eventually leads to an unusual request, this could be a sign of a pretexting attack.
Fake emails or domains: This isn’t always easy to spot. Attackers will often change just a few letters of a domain or email address to appear legitimate.
Inconsistencies in communication: Even attackers that have done their homework can’t always replicate the way someone communicates. If you receive a text, email, or phone call from someone that is inconsistent with their normal phrasing, tone, spelling, or grammar, it could be a fake.
Requests for personal information: The bottom line is that if someone requests personal information, you should question why they are asking for it and first verify their identity.
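The "Fake emails or domains" sign above can also be checked automatically at the mail gateway. The following is an added example, not from the original article or any Elevate product: it flags sender domains that sit within a couple of character edits, or a look-alike character swap, of a trusted domain. The trusted list, the confusable pairs, and the sample addresses are constructed assumptions.

```python
# Added example: flag sender domains that are near-misses of trusted ones.
# TRUSTED and the sample addresses below are constructed placeholders.
TRUSTED = {"example.com", "example-payroll.com"}

# Common visual substitutions, collapsed before comparison (assumed list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Lower-case the domain and collapse look-alike character sequences."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    rows = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
            for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            rows[i][j] = min(rows[i - 1][j] + 1, rows[i][j - 1] + 1,
                             rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]


def check_sender(address: str, max_edits: int = 2):
    """Return (verdict, matched_trusted_domain) for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in sorted(TRUSTED):
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)   # differs only by confusable characters
        if osa_distance(domain, good) <= max_edits:
            return ("lookalike", good)   # a few letters changed, added or swapped
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("ceo@example.com", "ceo@exarnple.com", "it@exmaple.com",
                   "hr@examp1e.com", "news@unrelated.org"):
        print(sender, check_sender(sender))
```

A "lookalike" verdict is a reason to hold the message for verification, not proof of fraud; very short trusted domains may need a lower `max_edits` to avoid false positives.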
Understanding the signs of a pretexting attack is just the first step in fortifying your organization’s defenses. When just 8% of an organization’s workforce accounts for 80% of security incidents, hyper-targeted attacks require equally precise countermeasures.
Solutions for Pretexting: Proactive Risk Identification and Response Controls
By the time a pretexting attack has transpired, it’s often too late to respond with mitigative action unless certain controls are in place. Of course, knowing in advance where you’re most at risk of an attack can help too. Pretexters work diligently to understand your personnel, but you can turn the tables by knowing them even better.
Here’s how Elevate Control and Elevate Identity complement one another:
Elevate Control: Elevate Control compiles individualized risk profiles for each of your personnel based on their past actions. Insights from these risk profiles can be pulled directly into your existing SecOps tools like SIEM and SOAR, enabling you to set custom email, web, and endpoint controls for your riskiest users. Automated feedback nudges can even notify at-risk employees when they’ve clicked on a suspicious link, to stop pretexting in its tracks.
Elevate Identity: In the event that a pretexter gets as far as manipulating personnel into logging into any critical systems, Elevate Identity lets you set conditional access controls and enhance multi-factor authentication for your most at-risk users. In the most pressing circumstances, you can even totally lock down access for select users.
Pretexting is a type of cyberattack that zeroes in on human psychology and exploits the trust and goodwill of individuals within an organization.
As hyper-targeted pretexting attacks continue to grow and adapt, every employee counts in staying proactive against these threats.