Someone calls you from your bank. The representative sounds competent and confident. They offer you a new update, which will make your bank app run way smoother. But to enable it, they must log into your system. You give them your login data, they say the update was successful and hang up. However, your app remains unchanged, and you realize that you just gave your data to a cybercriminal. This is how insidious pretexting is.
Pretexting is a social engineering tactic in which fraudsters invent fake scenarios to obtain a victim’s personal information or get them to perform certain actions (e.g., make a payment or download malware). To achieve their goals, they’ll impersonate people you trust, like your coworkers, tech support agents, bank representatives, government officials, etc.
The reasons behind pretexting may vary. Criminals might use it to extract confidential or sensitive information, seek monetary gain, or use it for entertainment. Law-enforcement agencies and private investigators sometimes employ pretexting too. They use it to obtain information from criminals.
Like spear phishing, pretexting is a focused attack that requires a lot of research. A cybercriminal needs a believable scenario and therefore has to prepare for questions a victim might ask and know how the impersonated person communicates.
Your company’s tech-support representative calls you and claims that they need to check whether an internal money-transfer system is working. They give you a bank account number for the transfer, and also ask for your corporate account login data to check whether it works properly.
You trust this person because they identify as a representative from a known company, they sound professional and know all the tech terms. You do all they ask, and the next thing you know the fraudster is gone with your money and login credentials.
You enter the office with your access card, and a pizza delivery guy walks in behind you. There should be pizzas in the office today, so you let him in. Later on, you find that this person was an impostor. He accessed a laptop someone left in the kitchen and transferred a few sensitive documents onto his USB.
Such scammers could also pretend to be cleaners, plumbers, electricians, or anyone else who does maintenance work and usually goes unnoticed by office workers.
Cybercriminals can also send pretexting emails. For example, they can impersonate your CEO and ask you to send them some sensitive data. They usually claim they need it for an urgent operation, such as a money transfer for a very important order or a software maintenance task. They play on fear and urgency here. The scammer claims you need to act very quickly, or else damaging consequences might occur (e.g., financial loss, server malfunction, etc.). You don’t have time to check whether the request is legitimate, so you send the info to the spoofer.
To minimize your chances of falling for pretexting, follow these steps: