Pretexting is a form of social engineering in which an attacker tries to convince a victim to give up valuable information or access to a service or system. The distinguishing feature of this kind of attack is that the scam artist comes up with a story — or pretext — in order to fool the victim. The pretext generally casts the attacker in the role of someone in authority who has the right to access the information being sought, or who can use the information to help the victim.
Pretexting has a fairly long history; in the U.K., where it’s also known as blagging, it’s a tool tabloid journalists have used for years to get access to salacious dirt on celebrities and politicians. But today it’s commonly used by scam artists targeting private individuals and companies to try to get access to their financial accounts and private data. And pretexters can use any form of communication, including emails, texts, and voice phone calls, to ply their trade.
In Social Engineering Penetration Testing, security engineer Gavin Watson lays out the techniques that underlie every act of pretexting: “The key part … [is] the creation of a scenario, which is the pretext used to engage the victim. The pretext sets the scene for the attack along with the characters and the plot. It is the foundation on which many other techniques are performed to achieve the overall objectives.”
Watson says there are two main elements to a pretext: a character played by the scam artist, and a plausible situation in which that character might need or have a right to the information they’re after. For instance, we all know that there are sometimes errors that arise with automatic payment systems; thus, it’s plausible that some recurring bill we’ve set to charge to our credit card or bank account automatically might mysteriously fail, and the company we meant to pay might reach out to us as a result. An attacker might take on a character we’d expect to meet in that scenario: a friendly and helpful customer service rep, for instance, reaching out to us to help fix the error and make sure the payment goes through before our account goes into arrears. As the scenario plays out, the attacker would ask for bank or credit card information to help the process along — and that’s the information they need to steal money right out from our accounts.
In the scenario outlined above, the key to making the scam work is the victim believing the attacker is who they say they are. That requires the character be as believable as the situation. It’s not enough to find it plausible in the abstract that you might get a phone call from your cable company telling you that your automatic payment didn’t go through; you have to find it believable that the person on the phone actually is a customer service rep from your cable company. Thus, the most important pretexting techniques are those the scam artist deploys to put you at ease. If an attacker has somehow obtained your cable bill, for example by going through your garbage, they’ll be armed with the name of your cable provider and your account number when they call you, which makes you more likely to believe that they really are the character they’re playing.
This example demonstrates something of a pretexting paradox: the more specific the information a pretexter knows about you before they get in touch with you, the more valuable the information they can convince you to give up. That’s why careful research is a foundational technique for pretexters. While dumpster diving might be a good source of intelligence on a victim, it obviously also takes quite a bit of messy real-world work, and may not be worth it for a relatively low-value target. But pretexters have a wealth of other more efficient research techniques available, including so-called open source intelligence — information that can be pieced together from publicly available sources ranging from government records to LinkedIn profiles. There are also gigabytes of personally identifying data out there on the dark web as a result of innumerable data breaches, available for purchase at a relatively low price to serve as a skeleton for a pretexting scenario.
There are also some more technical methods pretexters can use to add plausibility to the scenario they’re deploying. For instance, they can spoof the phone number or email domain name of the institution they’re impersonating to make themselves seem legit.
Spoofing an email address is a key part of phishing, and many phishing attempts are built around pretexting scenarios, though they might not involve a great deal of research or detail; for instance, an attacker could email an HR rep with attached malware designed to look like a job-seeker’s resume. The targeted variety of phishing, known as spear phishing, which aims to snare a specific high-value victim, generally leads to a pretexting attack, in which a high-level executive is tricked into believing that they’re communicating with someone else in the company or at a partner company, with the ultimate goal being to convince the victim to make a large transfer of money.
Pretexting is also a key part of vishing — a term that’s a portmanteau of “voice” and “phishing” and is, in essence, phishing over the phone. Many pretexters get their victim’s phone number as part of an aforementioned online collection of personally identifying information, and use the rest of the victim’s data to weave the plausible scenario that will help them reach their goal (generally, a crucial password or financial account number).
There’s one more technique to discuss that is often lumped under the category of pretexting: tailgating. Tailgating is a common technique for getting through a locked door by simply following someone who can open it and slipping inside before it closes. It can be considered a kind of pretexting because the tailgater will often put on a persona that encourages the person with the key to let them into the building — for instance, they could be dressed in a jumpsuit and claim they’re there to fix the plumbing or HVAC, or have a pizza box and say they’re delivering lunch to another floor. Like many social engineering techniques, this one relies on people’s innate desire to be helpful or friendly; as long as there’s some seemingly good reason to let someone in, people tend to do it rather than confront the tailgater.
As we noted above, one of the first ways pretexting came to the world’s notice was in a series of scandals surrounding British tabloids in the mid ’00s. These papers, in desperate competition with one another for even minor scoops on celebrities and royals, used a variety of techniques to snoop on their victims’ voicemail. In some cases, this was as simple as testing to see if the victim had changed their voicemail PIN from the default (a surprising number had not), but they also used a variety of pretexting techniques referred to internally as “blagging” to get access to information, including dumpster diving and bluffing phone company customer service reps to allow access to the voicemail box.
For many Americans, their first introduction to pretexting came in 2006, when internal strife at Hewlett-Packard boiled over into open scandal. HP’s management hired private investigators to find out if any board members had been leaking information to the press; the PIs in turn impersonated those board members, in some cases using their Social Security numbers, which HP had provided, in order to trick phone companies into handing over call records. The whole thing ended with HP’s chairwoman Patricia Dunn resigning in disgrace and criminal charges being filed (more on which in a moment).
Still, the type of pretexting attack that’s most likely to affect your life will be one in which these techniques are turned on you personally. The KnowBe4 blog gives a great example of how a pretexting scammer managed to defeat two-factor authentication to hack into a victim’s bank account. The victim was supposed to confirm with a six-digit code, texted to him by his bank, if he ever tried to reset his username and password; the scammers called him while they were resetting this information, pretending to be his bank confirming unusual charges, and asked him to read the codes that the bank was sending him, claiming they needed them to confirm his identity. With those codes in hand, they were able to easily hack into his account.
But pretexters are probably more likely to target companies than individuals, since companies generally have larger and more tempting bank accounts. It’s often harder to find out the details of successful attacks, as companies aren’t likely to admit that they’ve been scammed. VTRAC’s Chris Tappin and Simon Ezard, writing for CSO Australia, describe a pretexting technique they call the Spiked Punch, in which the scammers impersonate a vendor that a company sends payments to regularly. Using information gleaned from public sources and social media profiles, they can convince accounts payable personnel at the target company to change the bank account information for vendors in their files, and manage to snag quite a bit of cash before anyone realizes.
In another example, Ubiquiti Networks, a manufacturer of networking equipment, lost nearly $40 million due to an impersonation scam. The pretexters sent messages to Ubiquiti employees pretending to be corporate executives and requested millions of dollars be sent to various bank accounts; one of the techniques used was “lookalike URLs” — the scammers had registered a URL that was only one letter different from Ubiquiti’s and sent their emails from that domain.
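A defender's check for the lookalike-domain trick described above, as an added example that is not part of the original article: it flags sender domains within one edit (substitution, insertion, deletion or adjacent swap) of a trusted domain. The allow-list, function names and sample addresses are constructed placeholders.

```python
# Added example: flag sender domains that are near-misses of trusted domains.
from typing import Optional, Tuple

TRUSTED_DOMAINS = {"example-corp.com", "example-vendor.net"}  # hypothetical allow-list


def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "exmaple" for "example".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain of an address, with or without a display name."""
    return address.rsplit("@", 1)[-1].strip().strip(">").lower().rstrip(".")


def classify_sender(address: str, max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return ("trusted", domain), ("lookalike", imitated domain) or ("unknown", None)."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= max_distance:
            return ("lookalike", trusted)
    return ("unknown", None)


SAMPLE_SENDERS = [  # constructed addresses, not taken from any real incident
    "cfo@example-corp.com",            # exact match
    "CFO <cfo@examp1e-corp.com>",      # one substituted character
    "ap@exmaple-vendor.net",           # two adjacent letters swapped
    "billing@example-corps.com",       # one inserted character
    "news@unrelated.org",              # unrelated domain
]

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        print(addr, classify_sender(addr))
```

A "trusted" verdict only means the domain string matches; whether the message really came from that domain is a separate question for SPF, DKIM and DMARC validation.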
Pretexting is, by and large, illegal in the United States. For financial institutions covered by the Gramm-Leach-Bliley Act of 1999 (GLBA) — which is to say just about all financial institutions — it’s illegal for any person to obtain or attempt to obtain, to attempt to disclose or cause to disclose, customer information of a financial institution by false pretenses or deception. GLBA-regulated institutions are also required to put standards in place to educate their own staff to recognize pretexting attempts.
One thing the HP scandal revealed, however, was that it wasn’t clear if it was illegal to use pretexting to gain non-financial information — remember, HP was going after their directors’ phone records, not their money. Prosecutors had to pick and choose among laws to file charges under, some of which weren’t tailored with this kind of scenario in mind. In the wake of the scandal, Congress quickly passed the Telephone Records and Privacy Protection Act of 2006, which extended protection to records held by telecom companies.
One of the best ways to prevent pretexting is to simply be aware that it’s a possibility, and that techniques like email or phone spoofing can make it unclear who’s reaching out to contact you. Any security awareness training at the corporate level should include information on pretexting scams. (As noted, if your company is an American financial institution, these kinds of trainings are required by law.) And to avoid situations like Ubiquiti’s, there should be strong internal checks and balances when it comes to large money transfers, with multiple executives needing to be consulted to sign off on them.
On a personal level, it’s important to be particularly wary whenever anyone who has initiated contact with you begins asking for personal information. Remember, your bank already knows everything it needs to know about you — they shouldn’t need you to tell them your account number. If you’re suspicious about a conversation with an institution, hang up and call their publicly available phone number or write to an email address from their website.
Finally, if a pizza guy tries to follow you inside your office building, tell them to call the person who ordered it to let them in. Don’t worry: if they’re legit, they’ve got a special box that will keep the pizza warm for the few extra minutes it’ll take to deliver it.
This story, “What is pretexting? Definition, examples and prevention” was originally published by
Josh Fruhlinger is a writer and editor who lives in Los Angeles.
Copyright © 2020 IDG Communications, Inc.