A threat actor targets an organization’s employee with a deceptive email, pretending to be from the IT department. The message requests the password for a critical application and is highly convincing: it references specific details about the application known only to that user, mentions a recent company-wide update email, and even ends on a friendly note: “Hope to see you at next week’s happy hour!”. These subtle touches throughout the email are designed to establish trust between the user and the impersonator, thereby increasing the chances of successfully deceiving the target.
This technique, known as pretexting, is central to numerous social engineering attacks such as business email compromise (BEC) and phishing, which are causing significant problems for organizations worldwide.
What Pretexting Is All About
Pretexting refers to the creation of a false narrative or scenario by a threat actor with the intent to deceive someone into providing information, granting access, or taking some other action.
Pretexting is a significant tactic in social engineering attacks. Threat actors frequently employ it to gain trust and persuade unsuspecting users to take certain actions, whether for direct financial gain or to obtain initial access as part of a broader attack.
In a social engineering attack such as phishing or BEC, the fabricated story employed by the threat actor is known as the pretext. In the 2023 MGM data breach, for instance, a member of a ransomware group impersonated an IT support staff member during a vishing attack. This false identity served as the pretext that enabled the cybercriminal to gain trust and convince users that their requests were legitimate.
How Does a Pretexting Scam Work?
A pretexting scam consists of two main elements, both fabricated by the threat actor: the character, which is the false identity they assume, and the situation, which is a concocted plot or narrative designed to manipulate the target into performing a specific action.
The scenario created by a threat actor might be fictional, but it must always appear credible. In the MGM incident, for example, the threat actor took on the role of an “IT support person” and posed a situation where they claimed to “need access to an application.”
To the victim, it seemed reasonable that an IT team member would contact them regarding an application. This belief led the employee to unintentionally grant unauthorized access to their company-issued account. Business Email Compromise (BEC) is another type of attack that often involves pretexting: a threat actor gains control over an account and impersonates a known contact, or uses real-life scenarios, to redirect funds to specific vendors. Pretexting attacks may also involve spoofing techniques that use email addresses which are legitimate or nearly so, differing only by minor misspellings, as seen in BEC and phishing attempts.
Pretexting attacks can involve impersonating a familiar contact or business by utilizing email addresses, names, job titles, phone numbers, and other details. These attacks may also incorporate genuine information gathered from public sources to enhance their legitimacy.
The specifics of a pretexting scam can differ based on the particular attack, but it generally follows several fundamental steps:
1. The threat actor prepares for the attack by gathering information on the target user(s) and organization to make sure the pretext appears convincing. This often involves exploring LinkedIn and other social media platforms for updates on companies and employees, browsing the company’s website, checking industry news sites, and using other publicly available sources found through Google.
2. The malicious party reaches out to the user via email, text message, or another communication channel.
3. The threat actor might employ spoofing techniques and a touch of creativity to impersonate a character that the user is likely to trust, for example a supervisor, someone from the C-suite, or an internal IT staff member.
4. The threat actor constructs a convincing scenario that leverages psychological tactics like urgency, empathy, and motivation to deceive the user into performing an action that benefits them, such as granting access or sharing data, credentials, or even money.
5. The threat actor may either terminate the attack or leverage what they have obtained to initiate a more advanced assault on the organization.
If the steps outlined above resemble those of a phishing attack, it’s because these two concepts are closely connected.
Pretexting differs from phishing, although it can be employed as part of a phishing attack. Pretexting is the method used, while phishing serves as the medium for delivery. As we’ll explore further below, pretexting is more frequently seen in spear-phishing efforts than in broad-spectrum attacks. The reason is that spear-phishing focuses on individual targets with personalized and carefully crafted communication, which requires more extensive use of pretexting to succeed. Despite its targeted nature, this form of attack isn’t uncommon. According to the 2024 Verizon Data Breach Investigations Report, over 40% of social engineering attacks involve pretexting, a higher percentage than traditional phishing at 30%.
Pretexting and Business Email Compromise
Pretexting is a significant component of BEC attacks. In fact, as stated in the same Verizon report, the “majority” of pretexting incidents result in BEC outcomes. This occurs because, in BEC schemes, the impersonated character is already well-defined: typically an executive or high-ranking employee within the company. When threat actors gain control over such an email account, they can effortlessly request financial transactions, secure access to sensitive information, or obtain other critical data.
Nonetheless, BEC is merely one type of attack that relies on pretexting to achieve success.
Types of Pretext Attacks
Pretexting, being a technique rather than a distinct type of attack vector, can manifest in various forms.
Some typical forms of pretexting attacks are:
- Spear phishing attacks. These are email-based threats in which an attacker focuses on a particular individual within an organization to steal data, credentials, or money. They typically involve the perpetrator impersonating someone familiar to the target, usually by using a fraudulent email address designed to resemble one from a trusted entity such as a bank or a business the user regularly interacts with.
- Business Email Compromise (BEC) Attacks. In BEC attacks, cybercriminals use pretexting to impersonate an executive, high-level business partner, mid-level financial staff member, or even someone from HR. After gaining access to an internal email account, they exploit it in attempts to defraud the organization or external parties of money.
- Cryptocurrency scams. A threat actor poses as an investor and solicits funds from the user under the guise of a cryptocurrency investment opportunity.
- Romance scams. In these schemes, perpetrators create fake dating profiles to exploit individuals and extort personal information or money from them.
- Invoice scams. A fraudster impersonates a third party to send an invoice that either requests funds or contains malware. These scams are frequently used during Business Email Compromise (BEC) attacks.
How To Stop a Pretexting Attack
Pretexting can be challenging to prevent because it is designed to seem credible and legitimate to victims. However, security awareness training can play a crucial role in addressing this issue.
Comprehensive security awareness training, designed to help users identify and prevent social engineering attacks such as pretexting, incorporates microlearning modules, up-to-date threat trends, and engaging content. This approach aims to mitigate human risk within an organization while empowering individuals to recognize pretexting attempts effectively.
Robust cybersecurity measures should also provide protection across the rest of the attack surface. Email security tools are specifically designed to help organizations identify these threats in real time, remove harmful emails from inboxes, block access to malicious links, and more. These tools serve as an additional layer of defense alongside security awareness training by reducing the number of threat-actor emails that reach users’ inboxes.
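As an added illustration (not code from the original article or from any particular email security product) of one check such tools perform, the script below flags the near-legitimate sender addresses described above: homoglyph and typosquat lookalikes of trusted domains, and a familiar display name arriving from the wrong domain. The trusted domains, the known sender, and the sample `From:` headers are all constructed for this example.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions for this example): the domains the
# organisation trusts and the people a pretexter is most likely to impersonate.
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}
KNOWN_SENDERS = {"dana chen": "example.com"}  # display name -> legitimate domain

# Character substitutions that look alike in common fonts ("rn" reads as "m").
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain: str) -> str:
    """Fold look-alike substitutions so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches small typosquats such as 'exmaple.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(header_from: str) -> list[str]:
    """Return the reasons a From: header looks like a lookalike or impersonation ([] if none)."""
    name, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if normalize(domain) == normalize(trusted):
                findings.append(f"homoglyph lookalike of {trusted}")
            elif edit_distance(domain, trusted) <= 2:  # threshold is noisy for short domains; tune it
                findings.append(f"typosquat lookalike of {trusted}")
    legit = KNOWN_SENDERS.get(name.strip().lower())
    if legit and domain != legit:
        findings.append(f"display name '{name}' normally sends from {legit}")
    return findings

if __name__ == "__main__":
    for hdr in ("Dana Chen <dana.chen@example.com>",
                "Dana Chen <dana.chen@exarnple.com>",
                "IT Support <helpdesk@exmaple.com>"):
        print(hdr, "->", classify_sender(hdr) or "clean")
```

A real gateway would combine this with SPF/DKIM/DMARC results and a history of first-time senders, but the lookalike check alone already catches the "nearly legitimate" addresses the article describes.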