Fraudsters targeting individuals and companies often use emails, texts, or phone calls to extract valuable information and gain access to accounts, data, financial info, and networks. Many of us have experienced a situation in which someone presents themself as a friendly and helpful customer service rep to help resolve an issue based on a cooked-up scenario.
The initial fraudulent message can be something like:
- “We noticed your bank account has been dormant and we want to help you reactivate it.”
- “We observed inconsistencies in your customer information record and we want to help you update it.”
- “Someone attempted to log into your account from an unknown location, and we want to quickly help you reset your password/PIN.”
As the conversation unfolds, the scammer asks for private information. It might be a password, credit card number, social security number, or other sensitive info that can be used against you. This method of fraud is referred to as pretexting.
What is pretexting?
Pretexting is a form of social engineering attack, which is the psychological manipulation of people into performing actions or divulging confidential information. The attacker invents a scenario (the pretext) to engage the targeted victim and convince them to divulge valuable information or to perform actions that would be unlikely in normal circumstances.
Pretexting is at the center of virtually every good social engineering technique, and it relies heavily on the attacker creating a convincing and effective setting, story, and identity to fool individuals and businesses into disclosing sensitive information.
The information can then be used to exploit the victim in further cyber attacks. The more specific the information a pretexter knows about you before they engage you, the higher the chance of convincing you to give up valuable information.
The key part of pretexting is the creation of a scenario (the pretext), which is then used to engage targets. The “scenario,” in combination with the “character” (role), set the stage for the attack.
Those two elements form the basis on which many other techniques are performed to achieve an overall objective. The scenario is a sequence of believable situations and events, crafted and directed by the social engineer to manipulate the target and extract valuable information.
It is usually backed up by factual information gathered via reconnaissance—a preliminary survey to gain background information—to make the pretext more believable. The character is the role the pretexter plays in the chosen scenario, impersonating a real or fictitious person.
For example, suppose an attacker wants to use pretexting to obtain bank account credentials from a donor to a charity organization. The attacker had previously gathered basic information (full name, contact address, email and phone number) about recent donors to the charity organization by searching through their waste bin and finding disposed donor information forms. The attacker decides to use the information about the donors to build a pretext around it.
The pretext goes thus: “Hi, I’m Jane, the finance officer for XYZ charity organization. An attempt to process your donation and retrieve the funds via direct debit failed. If you are confident that you have sufficient funds, I would like to check it isn’t a mistake at our end. Please kindly confirm the debit card credentials used for the donation, and I’ll retry the transaction while you’re on the phone. If the transaction is successful, we will amend our records accordingly.”
The character played by the attacker in that scenario is a polite, friendly finance officer interested in resolving issues with a failed donation—a typical character we’d expect to meet in that kind of scenario. The key to making the scam successful is the victim believing the attacker is who they say they are, and that requires the character to be as believable as the scenario.
The above example represents how a typical pretexting attack is carried out. The pretexter may use impersonation (of a real or fictitious person), persuasion, and other credibility-gaining techniques to support the pretext and obtain valuable information or compel an action.
Pretexters use different techniques and tactics such as impersonation, tailgating, phishing, and vishing to gain targets’ trust, convincing victims to break their security policies or ignore common sense and hand valuable information to the attacker. We will discuss those techniques in detail.
An impersonator is someone who imitates or copies the behavior or actions of another. Impersonation is one of the tactics used by pretexters to deceive their targets and make the attack more likely to succeed. By pretending to be a trusted entity such as a friend, a colleague, a customer service rep, a boss, or an authority figure, impersonators manipulate their victim into granting them access to a system or facility. The trick is to be able to do so with enough credibility. The pretexter may spoof the phone number or email address of the individual or institution they’re impersonating to make themselves appear legitimate.
In 2015, network hardware manufacturer Ubiquiti Networks lost $46.7 million to this kind of social engineering attack. The threat actors sent messages to Ubiquiti employees pretending to be senior executive members of the organization and requested payments to be made to various bank accounts. The techniques used were a combination of impersonation and spoofing the email of a senior member of staff within the organization.
Pretexters also use impersonation in a SIM swap scam—a type of account takeover fraud that targets a weakness in two-step verification in which the second step is an SMS or phone call.
It’s achieved by someone impersonating the victim in a phone call to the mobile operator and claiming that they have lost their phone. If the scammer can convince the mobile operator to move the phone number to a SIM that the scammer controls, the scammer can receive the one-time passwords used in two-step verification and break into the victim’s accounts. In 2019, Twitter CEO Jack Dorsey’s Twitter account was hacked via this method.
Tailgating (also known as piggybacking) in the context of security is when an unauthorized person closely follows an authorized person to gain access into a restricted facility. The attacker may be lurking around the entrance, waiting for the right opportunity.
Pretexters often employ this technique to beat access control mechanisms and gain access to highly restricted areas. This is done by building a pretext and putting on a persona that misleads the gatekeepers into letting them into the restricted facility.
The pretext could be in the form of posing as an engineer from a cable company dressed in a jumpsuit with various tools, and in need of access to the facility to check faulty cable lines, or a pizza delivery man that needs to deliver lunch to one of the building floors. This pretexting technique relies on people’s innate desire to be helpful or friendly. As long as there’s some seemingly good reason to let someone in, people tend to do it rather than being confrontational.
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication such as email or SMS. Although pretexting and phishing are categorized separately, they often go hand in hand. Many phishing attempts are built around pretexting scenarios, where the fraudsters leverage one to achieve the other.
Pretexting can involve impersonating a CEO or contractor via email. There have been incidents where an employee is phished, compromising an email account that in turn lets the attacker establish an even more convincing pretext against a second target.
The targeted form of phishing, known as “spear phishing,” aims to phish a specific high-value target. This usually involves pretexting, in which the high-value target is tricked into believing that they’re communicating with someone within the company or a partner company. The ultimate goal is to convince the target to make large transfers of money.
In 2017, MacEwan University in Canada lost about $9 million to a scammer that university staff believed to be a contractor. The attacker sent a series of phishing emails built around pretexting scenarios that convinced staff to change payment details for a vendor, and these changes resulted in the transfer of payments to the scammer.
Vishing (voice phishing) is a form of social engineering attack that attempts to trick victims into giving up sensitive personal information over the phone for the purpose of financial reward. Pretexting is a key part of vishing and it’s often deployed by fraudsters while impersonating a trusted entity over the phone. Many pretexters gather their victim’s personal information via various reconnaissance approaches, and use the info to weave a plausible scenario.
Vishing-based pretexting takes advantage of a weakness in identification techniques used in voice transactions. The scammers often use modern VoIP features such as caller ID spoofing, rogue interactive voice response (IVR) systems, and more recently AI-generated voices (deepfake) to mimic the voices of certain persons and mislead their targets. The use of these modern technologies makes it more difficult for security agencies to track down criminals.
A scammer recently used a mix of pretexting scenarios and an AI-generated voice of the CEO of a German firm to convince the CEO of the UK subsidiary to transfer a sum of $243,000 to a Hungarian supplier. The UK subsidiary CEO thought he had gotten a call from the CEO of the parent company in Germany.
According to the Wall Street Journal report, the AI-generated call accurately mimicked the voice and German accent of the impersonated CEO, enough to get the UK subsidiary CEO to recognize it as his boss’s voice.
Pretexting is not exclusively used by cybercriminals and scammers for illegal activities. Private investigators use it legally, to obtain valuable information from people. A private investigator may use pretexting to track down someone who’s being evasive about where they live. The investigator may call someone up to have them verbally disclose information about the residential address of the target individual.
Depending on your country of residence and the circumstances, pretexting can range from a valuable and important tool to illegal and unethical conduct.
In the United States, for example, it is illegal to lie in order to obtain any kind of protected personal information such as financial, insurance, tax, health or telephone records. You also can’t impersonate, under any circumstances, a police officer or federal law enforcement agent.
There are some absolutes as well as gray areas; so you have to know where to draw the line. The ambiguity arises from how applicable federal and state laws define pretexting and what information is involved. Where the lines are drawn and how to identify those lines is the challenge confronting most private investigators.
In 2006, HP hired a private investigation company to help it uncover which members of its board were leaking private company information to the media. The investigation company in turn hired a contractor that used pretexting to obtain telephone records of board members, which resulted in an embarrassing scandal.
The HP pretexting scandal exposed gray areas in U.S. pretexting law, which initially applied only to financial records, and the U.S. Congress intervened by making the use of pretexting to obtain telephone (non-financial) records a federal crime. The law, formally known as the Telephone Records and Privacy Protection Act of 2006, specifically forbids misrepresentation, impersonation, or deception in order to obtain personal telephone records.
Similarly, in 2016, a “private investigation company” hired by Uber used pretexting to gain access to information about its opponents in an antitrust case. The practice eventually landed Uber in an embarrassing legal disaster.
If done right, pretexting is an excellent technique a professional investigator can use to obtain valuable information, which in normal circumstances would be difficult to obtain. However, it’s very important as an investigator or even a client hiring an investigator not to allow illegal pretexting to be used in an investigation. It can backfire on the investigator or even the client, as in the case of HP and Uber.
How to avoid pretexting attacks
Research has shown that humans are the weakest link in the security chain. To mitigate this weakness, we have to begin investing in operational security, or OpSec. One of the most effective countermeasures against pretexting attacks is employee awareness training on how to recognize and respond appropriately to pretexting schemes.
Training employees in the security protocols relevant to their job role will minimize their vulnerability to social engineering attacks such as pretexting. For example, in situations such as vishing and tailgating, if a person’s identity cannot be verified, employees must be trained to politely refuse. Below are a few specific examples of steps you can take to prevent an attack from causing damage to you or your business.
Here’s how to avoid a pretexting attack:
- Establish security protocols, policies, and procedures for handling sensitive information
- Do not divulge sensitive information to unverified entities via email, phone, or text messages
- Be wary of offers that seem “too good to be true”
- Inoculate employees against pretexting techniques by instilling a resistance to persuasion attempts through exposure to similar or related attempts
- Dispose of sensitive documents securely by way of shredding or incinerating
- Be cautious when befriending people online that you do not know in real life