
What is a pretexting attack? Everything you need to know

Pretexting scams often start with a request that feels completely routine. For example, you're at your desk when an email from your boss pops up, asking you to wire funds to a new account. It seems urgent and legitimate, so you act quickly. What you don’t realize is that the message was fake, and you’ve just fallen for a pretexting attack. These scams rely on building trust through deception, and they can have serious consequences. Read on to learn how pretexting works, why it’s so effective, and how to stay safe.

June 10, 2025

17 min read


What is pretexting?

Pretexting is a form of social engineering where attackers create a fictional scenario or “pretext” to manipulate victims into sharing confidential information. They impersonate someone you trust, like your coworker, boss, a bank representative, or a tech support agent. Criminals use the internet, phone, or an in-person approach to carry out these attacks.

How pretexting scams work

As a type of social engineering attack, pretexting scams center around cybercriminals convincing victims to give them sensitive information or money. They craft well-researched stories and imitate trusted friends, coworkers, and superiors. Social engineering attacks prey on people’s emotions by inspiring trust and sometimes fear.

Some of these attacks include fake websites and email spoofing to manipulate you. They also use AI-powered deepfake technology to make an impersonation seem highly convincing over audio or video.

Let’s take a look at a breakdown of how pretexting works:

  • Research. Pretexting scams rely on a wealth of knowledge about the victim. Before a cybercriminal can launch an attack, they must gather information on the victim. They research names relevant to the victim, addresses, and social media accounts. This step enables them to create a compelling pretext.
  • Storytelling. Armed with their research, the cybercriminal is able to come up with a pretext that will draw the victim in and manipulate them into sharing information.
  • Engagement. Most of these scams involve the cybercriminal engaging the target over the phone or via email. They often use some common interest to develop rapport and bring the victim’s guard down.
  • Request. Now that the victim’s defenses are lowered, the cybercriminal asks for sensitive information, usually under the guise of something urgent and time-sensitive, so the victim won’t have time to think.
  • Fraud and exploitation. Once the cybercriminal has the sensitive information, they can exploit it to commit data breaches, steal money, and sell the information on the dark web. The information can also be used to launch future scams.

Techniques used in pretexting

The best way to avoid falling for a pretexting scam is to recognize how attackers try to trick you. Here are some of the most common techniques used in these attacks:

  • Building trust. Establishing a friendly tone helps the cybercriminal get past the victim’s defenses. This way, the victim is more likely to comply with requests for sensitive information.
  • Impersonating figures of authority. A cybercriminal will impersonate someone like your boss or another executive.
  • Using fear and urgency. In social engineering attacks, cybercriminals will often emphasize that they need information right away, with the threat of an account being closed or payments being late. As with the other techniques listed so far, threat actors prey on emotions to get people to act quickly without thinking too hard.
  • Tailgating. Tailgating is an in-person scam. A scammer follows a person into a secure area, like when an employee holds the door open for someone who appears to be a delivery person. A scammer might also pretend to lose a keycard and ask to use an employee’s.

Types of pretexting scams

Pretexting scams take many forms, but they all involve someone pretending to be someone else to gain your trust and access your personal information. Being familiar with the most common tactics can help you recognize and avoid them. Here are some of the main types:

  • Account update scams. A scammer claiming to represent a legitimate business (like your bank or email provider) will email you and say you need to update your account information. A link in the email will lead to a site where you are prompted to input your login credentials and other personal or financial information.
  • Business email compromise scams. You receive an email that appears to come from a high-level executive who needs a forgotten password or money wired right away. These scams rely on employees' deference to figures of authority, which makes them eager to comply.
  • Cryptocurrency scams. In cryptocurrency scams, a scammer will pose as a successful investor and convince you to invest in an “exciting” cryptocurrency opportunity. The cryptocurrency turns out to be fake, and you end up losing your money and/or financial information.
  • Grandparent scams. A fraudster impersonates a grandchild and pretends to be in some sort of trouble, like having been arrested or in a car accident. They ask for money to post bail or pay for medical bills.
  • Invoice scams. A scammer will send you an invoice for a product you never received. There will be a link to complain about the charge, which will take you to a fraudulent website that will require you to use personal information to log in.
  • IRS and government scams. A scammer will impersonate an IRS official or some other government representative and create a false sense of urgency. Typically, they will try to convince you to pay money to cover taxes or to avoid arrest.
  • Job offer scams. In job offer scams, scammers pose as potential employers. Eager to be hired, targets will divulge personal information.
  • Romance scams. Romance scams involve scammers creating fake online profiles and tricking lonely singles into romantic relationships. Eventually, these scammers will attempt to extort money from their victims, ostensibly to pay off debt or for a plane ticket so they can meet the victim in person.
  • Scareware scams. Scareware scams are a form of social engineering that uses fear and urgency to trick victims into downloading malware, paying for fake security software, or sharing personal information. The victim will typically see an aggressive pop-up or banner that says their computer has a virus or some other security issue and recommends fake software to “fix” it.

Real-life examples of pretexting attacks

Real-life examples can help you understand how pretexting scammers use trust and fear to achieve their malicious goals. Let’s take a look at some of the biggest pretexting examples that have taken place in the past:

  • The AIDS trojan. This attack was one of the first pretexting examples. In 1989, attendees at an international AIDS conference received floppy disks labeled “AIDS information” that contained a trojan virus. The virus would hide all directories on a victim’s computer, encrypt the files on the infected hard drive, and then demand a ransom of $189 by mail to an address in Panama.
  • Ubiquiti network attack. In 2015, criminals used pretexting to impersonate top executives and ask employees to make fraudulent payments to their bank accounts. The payments amounted to $46.7 million.
  • Twitter account hijacking. In 2020, hackers used pretexting, hacking, and spear phishing attacks to trick Twitter employees into sharing account credentials. The threat actors were then able to use high-profile accounts like those belonging to Elon Musk, Kanye West, and Joe Biden to promote a Bitcoin scam.

The consequences of pretexting

Pretexting scams can have serious consequences for both individuals and businesses. Since the impact on businesses often involves broader risks like financial loss and reputational damage, it’s important to understand how these attacks can affect your company specifically.

  • Financial losses. In pretexting scams, scammers can steal money directly or commit fraud with the information they obtain, and the cost of recovering from the aftermath of an attack can be substantial as well.
  • Data breaches and security compromises. Pretexting scams can result in the loss of sensitive information and intellectual property.
  • Reputational damage. These sorts of attacks cast your company in a bad light. Your business can suffer a loss of trust from customers, partners, and the public.
  • Legal and regulatory ramifications. When your business falls victim to a pretexting attack, your company may have to pay fines and penalties for data protection violations.
  • Operational disruptions. While your system is down, productivity is likely to drop. Overall, this kind of attack interrupts business in a way that is hard to bounce back from.
  • Psychological impact on victims. It’s important to account for the kind of psychological impact pretexting scams can have on victims. They may suffer from stress and anxiety, particularly if their identities are stolen in the attack.

How to prevent pretexting attacks

You may be feeling afraid of potentially becoming the victim of a pretexting attack. However, you can take a few steps to avoid these scams.

  • Use the DMARC protocol. Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that lets a domain owner tell receiving mail servers how to treat messages that claim to come from that domain but fail SPF or DKIM checks aligned with the visible sender address. If a message fails these checks, the receiving server applies the domain's published policy, typically sending the email to the spam folder (quarantine) or rejecting it outright.
  • Use verification methods. Multi-factor authentication (MFA) is a great way to add a layer of security to your accounts. Aside from a username and password, MFA requires at least one other factor, like a code sent to your phone. It's important to apply your own skepticism to unsolicited emails as well. Keep an eye out for grammatical errors, suspicious-looking email addresses and domains, and a sense of urgency. And don't forget you can always get in touch directly with the person the email claims to be from, using a separate channel you already trust rather than replying to the email itself.
  • Implement employee training and awareness programs. It can be very helpful to educate your employees about what to look for when trying to spot pretexting scams. Employee training and awareness programs will help employees to feel more prepared should an attack occur.
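The DMARC bullet above describes what the protocol achieves but not the check a receiving server actually performs. The following Python is an added example, not code from NordVPN or from this article: it parses a DMARC TXT record, reads the SPF and DKIM verdicts from an Authentication-Results header of the kind a receiving mail server adds, checks whether the authenticated domains are aligned with the visible From: domain, and applies the published p (or sp) policy. All domains, the DMARC record and the headers are constructed for illustration; the organizational-domain logic is simplified to the last two labels (real implementations consult the Public Suffix List) and the pct sampling tag is ignored.

```python
import re

# Constructed DMARC record for the sending domain example.com (not a real
# published record): quarantine failures from the org domain, reject failures
# from subdomains, relaxed DKIM alignment, strict SPF alignment.
EXAMPLE_DMARC_TXT = (
    "v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; pct=100; "
    "rua=mailto:dmarc-reports@example.com"
)

# Constructed Authentication-Results headers as a receiving server might write them.
LEGIT_AR = ("mx.example.net; spf=pass smtp.mailfrom=alice@example.com; "
            "dkim=pass header.d=example.com header.s=sel1")
# "Boss" spoof: SPF passes for the attacker's own bounce domain, which is not
# aligned with the From: domain the victim sees.
SPOOFED_AR = ("mx.example.net; spf=pass smtp.mailfrom=bounce@attacker-mail.test; "
              "dkim=none")
SUBDOMAIN_SPOOF_AR = "mx.example.net; spf=fail smtp.mailfrom=ceo@hr.example.com; dkim=none"


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ("tag=value; tag=value") into a dict.

    Returns an empty dict if the text is not a usable DMARC record
    (wrong version tag or no "p" policy tag).
    """
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels
    (hr.example.com -> example.com). Assumption for this example only."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ("s") needs an exact match, relaxed
    ("r") only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull the SPF/DKIM verdicts and the domains they were evaluated for out
    of an Authentication-Results header."""
    spf = re.search(r"\bspf=(\w+)", header)
    mailfrom = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", header)
    dkim = re.search(r"\bdkim=(\w+)", header)
    dkim_d = re.search(r"header\.d=([\w.-]+)", header)
    return {
        "spf": spf.group(1).lower() if spf else "none",
        "spf_domain": mailfrom.group(1) if mailfrom else "",
        "dkim": dkim.group(1).lower() if dkim else "none",
        "dkim_domain": dkim_d.group(1) if dkim_d else "",
    }


def evaluate_dmarc(from_domain, auth_results, dmarc_txt):
    """Return (disposition, reason) for a message whose visible From: domain
    is from_domain, given the receiver's Authentication-Results header and the
    DMARC record published by the sender's organizational domain."""
    policy = parse_dmarc_record(dmarc_txt)
    if not policy:
        return "none", "no valid DMARC record published"
    ar = parse_auth_results(auth_results)
    spf_ok = ar["spf"] == "pass" and aligned(ar["spf_domain"], from_domain, policy.get("aspf", "r"))
    dkim_ok = ar["dkim"] == "pass" and aligned(ar["dkim_domain"], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    # Neither authenticated identifier is aligned with the From: domain, which
    # is what a spoofed executive email looks like. Apply p, or sp for a
    # subdomain of the organizational domain.
    disposition = policy["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in policy:
        disposition = policy["sp"]
    reason = (f"SPF={ar['spf']} ({ar['spf_domain'] or '-'}), "
              f"DKIM={ar['dkim']} ({ar['dkim_domain'] or '-'}), none aligned with {from_domain}")
    return disposition, reason


if __name__ == "__main__":
    for frm, ar in [("example.com", LEGIT_AR), ("example.com", SPOOFED_AR),
                    ("hr.example.com", SUBDOMAIN_SPOOF_AR)]:
        print(frm, evaluate_dmarc(frm, ar, EXAMPLE_DMARC_TXT))
```

The spoofed case is the one worth studying: SPF passes, because the attacker controls the bounce domain, yet DMARC still quarantines the message because that domain is not aligned with the From: address the victim sees. That alignment check, not SPF or DKIM alone, is what stops a look-alike "email from your boss".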

What to do if you suspect a pretexting attack

If you suspect a pretexting attack, follow these tips:

  • Do not provide sensitive information. Refuse to share passwords, financial details, or other confidential data.
  • Report the incident. Immediately report the attack to the appropriate security team or authority within your office. Individuals should report to the relevant authorities or security experts.
  • Seek professional help if necessary. If personal information has been compromised, consider credit monitoring or identity theft protection services.



NordVPN experts


Our NordVPN experts know the ins and outs of cybersecurity solutions and strive to make the internet safer for everyone. With a finger on the pulse of online threats, they share their expertise and practical tips on how to avoid them. Whether you're a tech newbie or a seasoned user, you'll find valuable insights in their blog posts. Cybersecurity should be accessible to everyone — and we're making that happen, one blog post at a time.