Have you ever received a call telling you that your identity has been stolen and that your Social Security number is needed to verify it?
Or maybe you received an email from what looked like the IT department claiming you need to change your password ASAP.
If you've been on the receiving end of an elaborate ploy to get you to take action, whether it be to click a link or hand over sensitive information, then you may have fallen victim to pretexting.
A hacker uses pretexting to win over a victim's trust. With that trust, the hacker may persuade the victim to download malicious software, hand over sensitive information, transfer money, or do whatever else the hacker has in mind.
Let's explore how pretexting is used in social engineering attacks to help attackers accomplish their goals and what you can do to protect against it.
If you're ready, so are we. Let's go!
What Is Pretexting in Cyber Security?
Pretexting in cyber security can be defined as a social engineering attack in which the attacker invents a believable story (the pretext) and uses it to build a relationship with the victim.
Once a relationship has been established through various psychological means, the attacker leverages it to manipulate the victim into taking some sort of action.
Pretexting is just one of the many tactics a black or white hat hacker will have in their arsenal.
To be clear, social engineering is a psychological attack that tricks a user into sharing sensitive information or performing an action that benefits the hacker.
Some other popular social engineering attacks include:
- Phishing attacks
- Whaling attacks
- Smishing attacks
- Tailgating
- Scareware
- Business email compromise (BEC)
The steps involved in carrying out a pretexting attack are similar to those of any other social engineering attack.
Step One: The first step involves gathering information about your target. Pretexting attacks won't work if you don't know who your target is. Conduct research using open-source intelligence (OSINT) techniques to learn as much about the target as possible.
Step Two: Before or after reconnaissance, you'll want to figure out how to weaponize your attack. In this phase, you decide on the payload and the action you want from the target: maybe you want them to click a link, hand over sensitive information over the phone, wire you money, or enter their login credentials on a fake website.
Step Three: Next comes the execution. Now that you know how to manipulate the victim and the exploit you'll use to get the desired action, it's time to put it all together.
Common Pretexting Scenarios in Cyber Security
A pretexting definition in cyber security may seem a little abstract at this point, so let's look at some more concrete and common pretexting scenarios within this context.
- IRS impersonation: Someone claiming to be from the IRS calls to tell you that your personally identifiable information (PII) has been exposed in a hack. They want to help you out but will first need your address and social security number.
- IT support impersonation: Once they know where you work, a hacker will call you, claiming to be part of IT support. They'll tell you that your password has been compromised and you need to change it immediately. They'll then ask for your current password to help facilitate the process. (No legitimate help desk needs your current password to reset it.)
- Vendor impersonation: The marketing agency you work with lists its clients on its website. A hacker sees you're a client of this marketing firm, decides to impersonate your vendor via email, and sends you a fake invoice.
- Survey scam: Black hat hackers may impersonate researchers, students, clients, or vendors and send you a seemingly innocuous form asking for sensitive information. They may then collect it and use it to create a more custom social engineering attack.
- Phishing attack: Phishing attempts often use pretexting to convince a victim to take a certain action. In this attack, you receive an email purporting to be from PayPal, claiming that your PayPal account has been charged $500.
To dispute this charge, you need to click the link provided to log into your account. Once clicked, you're sent to a PayPal-like page where you provide your login credentials to the hacker.
Goals of Pretexting
The goal of a pretexting scam is to have the victim carry out an action that benefits the attacker.
Hackers are after all types of information that can be used throughout the course of a larger social engineering hack. Pretexting is simply used to convince a target to do what the hacker wants them to, whether that means accessing malicious websites and links or handing over PII.
Some types of information hackers commonly target include:
- Social security numbers
- Name/address/birthday
- Credit card numbers
- Account and routing numbers
- Login credentials (passwords, usernames, email addresses)
- Trade secrets
- Medical records
Pretexting Techniques
Let's illustrate how this attack works by examining a real-life example of a pretexting scenario.
One incredibly elaborate scam that uses pretexting to gain the confidence of a victim is the pig-butchering scam.
You have probably received a message recently from a stranger. This message may read something like:
"Hey, I forgot my bag at Gemma's house, can you give it to me?" or "Hey, it was so nice meeting you at Rick's, maybe we can get coffee this week?"
These opening messages are used as a pretext to draw you into the conversation. Naturally, if you receive messages like these, you want to reach out and help, or at least respond by saying they have the wrong number.
This is exactly what the scammer wants.
From here, they'll carefully build a relationship with you as they attempt to win over your confidence. ProPublica published a real exchange that a victim from Connecticut had with a scammer in 2020:
[12/28/20, 12:06 AM] SCAMMER J: Long time no see, how are you recently
[12/28/20, 10:10 AM] SCAMMER J: Are you not Kevin? Sorry, I guess I added the wrong person, sorry
[12/28/20, 10:16 AM] TARGET C: Not Kevin.
[12/28/20, 10:16 AM] SCAMMER J: Sorry, I made the wrong call. Since I have many business partners, my assistant saved the wrong number, please forgive me
[12/28/20, 10:17 AM] TARGET C: No prob. What country are you calling from?
[12/28/20, 10:17 AM] SCAMMER J: I come from Hong Kong. Hong Kong is a metropolis with technology, finance and food. Have you ever been here
[12/28/20, 10:18 AM] SCAMMER J: Acquaintance is fate, where are you from
[12/28/20, 10:18 AM] TARGET C: I'm from NYC originally
[12/28/20, 10:19 AM] SCAMMER J: Your place is a very beautiful place, I went there years ago
These scammers won't strike immediately but will continue to form a relationship.
This scam is called a pig-butchering scam because, just like a pig, the victim is fattened up with trust until the opportune moment to strike presents itself.
After weeks or months of building a relationship, the scammer will begin to talk about investing, more often than not in cryptocurrency. They'll try to persuade the victim to sign up to a fake crypto site that the scammer controls and deposit money, which they'll ultimately steal.
But first, because the scammer controls the site, they may display fake gains so that it appears as though the investment is working. This convinces the victim to deposit more money, until the scammer takes the money and runs.
One man from California was persuaded to deposit $440,000 which he then quickly lost. Desperate to earn that money back, he then deposited $600,000 more, which the scammer subsequently stole as well.
This is a snippet of the conversation he had with the scammer that bamboozled him.
[11/18/21, 11:59:16 AM] TARGET Y: I lost all my money
[11/18/21, 11:59:18 AM] SCAMMER J: If the principal is not enough, it cannot be supported to the profit point.
[11/18/21, 11:59:34 AM] SCAMMER J: Donβt worry,
[11/18/21, 11:59:46 AM] TARGET Y: I am negative $480k
[11/18/21, 12:00:01 PM] SCAMMER J: Prepare the funds and earn them back.
[11/18/21, 12:00:12 PM] TARGET Y: I don't have any money or funds to prepare
[11/18/21, 12:00:20 PM] TARGET Y: That's all I have!!!!!!!!!!!!
In 2023, it was reported that victims around the world lost $75 billion from pig butchering scams.
You may think a ruse like the one above could never happen to you. However, cybercriminals are savvy professionals who use an array of psychological tricks when pretexting.
Here are some tricks they'll use to convince you to take action:
- Authority: Pretending to be a CEO or other senior figure so that the request is obeyed without question.
- Urgency: Creating a sense of urgency so the victim feels compelled to hand over sensitive information they wouldn't otherwise.
- Closeness: Quickly gaining the trust of the target by being cordial and building a bond.
- Fear: Scaring the target into taking action, for example by pretending to be the IRS and claiming their Social Security number has been stolen.
- Social Proof: Claiming that everyone else has already taken the action the attacker wants, so the request feels safe and the victim feels they will miss out if they don't act now.
In-Person Pretexting Example
Someone claiming to be from an IT support company shows up at the office. They bypass security by claiming to work with a trusted IT vendor and to have been called in to respond to an IT emergency. They then gain physical access to the company's workstations and use a USB Rubber Ducky, a keystroke-injection device the computer sees as an ordinary keyboard, to execute malicious software on the company's computer.
Impact of Pretexting Attacks
The impact of a pretexting attack depends on the attack. Even a personal pretexting attack targeting only you could lead to any number of issues.
If a pretexting attack is successfully carried out, your identity could be stolen, your computer could be compromised and enrolled in a botnet, you might become the victim of ransomware, or any number of other issues could occur.
Of course, the impact of an attack is amplified if a major company is targeted.
In total, Americans reported losing $12.5 billion to cybercrime in 2023, according to the FBI's Internet Crime Complaint Center. We have no way of knowing how much was lost in attacks where pretexting tactics were used, but most social engineering attacks use some form of pretexting to accomplish their goals.
To illustrate the impact a pretexting attack can have and just how easy they are to carry out, here's a journalist who gets hacked while at DEF CON:
Detecting and Defending Against Pretexting Attacks
Detecting a pretexting attack can be incredibly difficult.
Hackers can spoof phone numbers, use email addresses that appear legitimate, and even use AI to impersonate the voices of your co-workers.
Here are a few ways you might identify a pretexting attack:
- You're being asked for information you shouldn't give out, such as a password or Social Security number.
- Psychological pressure (urgency, authority, fear) is being applied to coax information out of you.
- The email has a wrong or lookalike sender address, a wrong or low-quality logo, spelling errors, a suspicious link or attachment, or a request that makes no sense in context.
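Several of the email cues above can be checked mechanically before a human ever reads the message. The following Python script is an added example, not code from the original article or from StationX. It parses a raw email and reports a display name that claims a brand whose domain does not match the From address, a Reply-To that points at a different domain, links whose host imitates a known brand, and urgency language in the body. The brand allowlist, the urgency word list and both sample messages are constructed for illustration, including the "$500 PayPal charge" pretext described earlier.

```python
"""Heuristic checks for email-based pretexting cues (added example).

Not code from the original article. The brand allowlist, urgency words and
sample messages below are constructed for illustration only.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed allowlist: brand keyword (as seen in a display name) -> domains
# that legitimately send mail for it. A real deployment maintains this centrally.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "irs": {"irs.gov"},
}

# Constructed list of pressure words (the "urgency" trick described above).
URGENCY_WORDS = ("immediately", "asap", "within 24 hours", "urgent", "suspended", "dispute")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com/.gov samples here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike(host: str, real_domain: str) -> bool:
    """True when host imitates real_domain but is neither it nor a subdomain of it.

    Catches the brand used as a label or hyphen token (paypal.com.evil.example,
    paypal-security.example) and digit-for-letter swaps (paypa1.com). A brand
    buried inside a longer word ('first' for 'irs') is deliberately ignored.
    """
    host = host.lower()
    if host == real_domain or host.endswith("." + real_domain):
        return False
    brand = real_domain.split(".")[0]
    tokens = [t for label in host.split(".") for t in label.split("-")]
    homoglyphs = str.maketrans("10", "lo")  # 1 -> l, 0 -> o
    return any(t == brand or t.translate(homoglyphs) == brand for t in tokens)


def analyse(raw: bytes) -> dict:
    """Return the brand the sender claims to be plus a list of pretexting findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = email.utils.parseaddr(str(msg["From"]))
    from_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if claimed and from_domain not in BRAND_DOMAINS[claimed]:
        findings.append(f"display name claims {claimed!r} but From domain is {from_domain}")

    reply_to = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and registrable_domain(reply_to.split("@")[-1]) != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_to}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlparse(url).hostname or ""
        for brand, domains in BRAND_DOMAINS.items():
            if any(lookalike(host, d) for d in domains):
                findings.append(f"link host {host} imitates {brand}")

    hits = [w for w in URGENCY_WORDS if w in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return {"claimed_brand": claimed, "findings": findings, "suspicious": bool(findings)}


# Constructed sample: the fake "$500 charge" PayPal pretext from the article.
PHISH = b"""\
From: PayPal Support <service@paypal-billing-center.example>
Reply-To: disputes@mail-resolve.example
To: victim@example.org
Subject: Your PayPal account was charged $500.00
Content-Type: text/plain; charset=utf-8

A charge of $500.00 was made on your PayPal account. To dispute this
charge, log in immediately at https://paypal.com.account-verify.example/login
"""

# Constructed sample: a routine notice sent from the brand's real domain.
LEGIT = b"""\
From: PayPal <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available at https://www.paypal.com/myaccount/statements
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        result = analyse(sample)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it on a saved `.eml` file by reading the bytes and passing them to `analyse()`. The heuristics are deliberately simple: they catch the cues the article lists (mismatched sender, lookalike link, urgency wording) but a message that passes them is not proven safe, which is why the out-of-band verification step below still matters.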
Even if youβre mindful of how to identify a social engineering pretexting attack, cybercriminals may still be able to spoof their way into impersonating someone you trust.
The best way to confirm someone's identity is to contact them through a channel you already trust, never through the phone number, email address or link supplied in the suspicious message itself.
If you work in IT and just received a suspicious call or email from Joe in accounting, look up his email or phone number in the company directory and contact him to ascertain whether it was actually he who contacted you.
The best possible way to prevent pretexting from occurring is to provide employees with security awareness training. While cyber security professionals are tasked with protecting a company, every employee can play a role in safeguarding a companyβs sensitive data.
Pretexting in Ethical Hacking
Thus far, we've discussed pretexting in relation to criminal hacking, but it's also a tool that many ethical hackers use while red teaming.
Remember that ethical hackers working in Red Teams are employed to use the same tactics, techniques, and procedures (TTPs) as cybercriminals to find vulnerabilities in a companyβs physical and digital security setups.
Social engineering tactics are often used by penetration testers to test a companyβs digital security, and pretexting is a popular tactic ethical hackers use when conducting a penetration test.
While there are no pretexting-only cyber security positions, the closest thing would be a penetration tester.
To become a penetration tester, you'll have to learn a number of technical hacking skills. While on the job, you may also develop and use social engineering skills such as pretexting.
To learn more about social engineering, we recommend reading the following books:
- Social Engineering: The Art of Human Hacking
- Social Engineering: The Science of Human Hacking
- The Art of Deception: Controlling the Human Element of Security
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
- Unauthorised Access: Physical Penetration Testing For IT Security Teams
Even when you're employed to carry out a social engineering attack, there are still lines you don't want to cross. For instance, attacks should not shame the target, and certain sensitive personal data should not be dug up or used against targets.
Prior to carrying out a penetration test, you should go over the dos and don'ts with the client so both parties know what is considered fair game.
Conclusion
Pretexting is such a common tactic that it's used in just about every social engineering attack.
A criminal will impersonate someone or quickly try to strike up a relationship before asking you to do something for them. They may be after sensitive information, such as your social security number or email address, or want you to deposit money into their account.
The best way to defend against such an attack is to train employees to spot it and to verify unusual requests through a trusted channel.
Hackers use an array of sophisticated tools, many powered by AI, to create more refined attacks. It's vital that all employees, not just those in IT or cyber security, learn how to identify and defend against these attacks.
To learn more about pretexting and social engineering attacks, we encourage you to join the StationX Accelerator Program.
Here, you'll find over 1,000 courses and labs on a range of cyber security-related topics. You'll also be welcomed into our community of cyber professionals, receive one-on-one mentorship, learn which career and certifications to pursue, and even join an accountability group.
To learn more about pretexting and social engineering, check out these courses: