What is Pretexting?
Cybercriminals are engaging their targets with plausible, personalized stories that persuade victims to provide sensitive information that leads to an attack.
Key Points
- Pretexting is a personalized social engineering technique designed to con users into sharing credentials and other sensitive data.
- For the cybercriminal, pretexting attacks are more labor-intensive — and often more effective — than phishing attacks.
- Artificial intelligence (AI) can automate and elevate pretexting attacks.
- Companies can also deploy advanced technology tools, like AI, to defend against pretexting.
Pretexting Definition
The massive shift to virtual work has ushered in a correspondingly colossal increase in remote online social engineering (ROSE) attacks on organizations — many of which are fueled by a practice known as pretexting.
Pretexting refers broadly to the techniques attackers use to convince individuals to provide the valuable details needed to access otherwise protected systems, data, or physical locations. At the most basic level, this tactic involves would-be criminals devising a convincing narrative — the pretext — to get the victim to hand over a password, account number, or other lynchpin necessary to launch a cyberattack.[1]
Unlike its social engineering cousin phishing, which tends to rely on urgency or fear to induce individuals to unwittingly enter their passwords on an illegitimate website, pretexting exploits a victim’s trust. Armed with information now easily gathered from open-source intelligence or the Dark Web, cybercriminals can weave a believable tale and be long gone before anyone is even aware that the pretexting attack has taken place.
Cybercriminals use phone, text, email — or some combination thereof — to carry out their pretexting attacks. Technology tools, such as those offered by Mimecast, can be deployed to root out sophisticated email attacks, prevent domain and email spoofing, and provide automated protection against pretexting threats.
How — and Why — Pretexting Works
Pretexting is highly personalized. For the attacker, it takes more work than, say, a generic phishing email. The more specific personal or professional knowledge a pretexter has of their victims ahead of time, the more likely they are to get valuable information from them.
According to Verizon’s “2022 Data Breach Investigations Report,” 27% of social engineering breaches that resulted in the confirmed disclosure of data to an unauthorized party were due to pretexting attacks. [2] But for high-value targets, the ROI is clear. And in many cases, pretexting can be a more effective method for persuading users to part with sensitive information than phishing.[3]
A cybercriminal who is planning a pretexting attack typically begins by identifying a target who has what they need — say, access to a particular system, knowledge of sensitive information, or the ability to transfer funds. Next, they decide how they will initiate the conversation with the target, often using email. They might also supercharge their efforts by spoofing an email domain or phone number to back up their false identities.[4] Finally, they develop the pretext.
Because the person perpetrating the pretexting attack needs the victim to defy cybersecurity policy — and often common sense — their story has to be solid, and the delivery has to be convincing. Most pretexting attacks involve the creation of a plausible situation and often a fictional character who the cybercriminal will portray in the scenario.[5] Both are driven by the initial intelligence gathering on the victim and organization.
Pretexting, at its core, is a persuasive art. An attack might involve someone sending an email claiming to be from the IT team and trying to clear up a problem with the victim’s user account. After a reasonable back and forth (wherein the pretexter might casually inject personal details), the fake network administrator will ask for the victim’s credentials.[6] Or the threat actor could pretend to be someone in HR or finance to get information out of members of the C-suite.[7]
Pretexting Attack Techniques
- Baiting
- Impersonation
- Phishing
- Piggybacking
- Scareware
Tailgating - Vishing and Smishing
Pretexting Examples
A pretexting attack is rarely the end game but rather an opening salvo in a larger battle. Cybercriminals may use pretexting to acquire credentials or other information necessary to gain a foothold in an organization or attack its infrastructure.[8] While many successful pretexting attacks never become public, numerous examples illustrate losses — financial and otherwise — precipitated by pretexting.
In July 2020, for example, pretexters tricked Twitter employees into revealing account credentials over the phone, enabling attackers to take control of 130 Twitter accounts, including those of Barack Obama and Kanye West.[9] The hackers tweeted solicitations for donations to a Bitcoin wallet and racked up $110,000 in transactions before Twitter removed the tweets.
In some cases, pretexting can seem decidedly low-tech. In 2015, a high school student gained access to the personal email account of then CIA director John Brennan after posing as a Verizon technician and coercing a “fellow” employee into sharing personal information about the head of the government’s top intelligence agency.[10] The student then used that intelligence to answer security questions to gain access to Brennan’s email account. The young hacker ultimately posted the personal information of thousands of former and current government intelligence officials and shared screenshots of sensitive documents he found on Twitter.
In more recent years, hackers have harnessed advanced cognitive computing capabilities to supercharge their pretexting efforts. For example, in March 2019, cyber fraudsters employed software with artificial intelligence (AI) to trick the CEO of a UK energy company into thinking he was talking to his boss and, at the direction of the computerized facsimile, transferring $243,000 to what he was told was the company’s Hungarian supplier.[11] Experts said it was one of the first clearly AI-powered cyberattacks. But it’s unlikely to be the last.
Pretexting Attacks and the Law
The U.S. federal Gramm-Leach-Bliley Act makes most of pretexting illegal. The law originated from a newsworthy case in which a board of directors hired an investigator to impersonate someone else to obtain cell phone records, which were then used in a court case.
Pretexting Attacks: Identification and Detection
The best way to identify and detect pretexting attacks is to use automated tools to screen emails and texts for red flag language such as urgency, spoofed websites, and suspicious requests. It is also very beneficial for organizations to make identifying pretexting as part of their security awareness training.
How to Prevent Pretexting Attacks?
The proper combination of using automated tools to screen emails and other messages that come into your organization and effective security awareness training is the best way to prevent pretexting attacks.
The Bottom Line
When it comes to defending against the pretexting threat, security awareness training is critical. Pretexting attacks are designed to manipulate human trust to elicit specific behaviors, so it’s important to educate employees, contractors, and partners about pretexting. But even with increased training and awareness, employees are human and still vulnerable to exploitation. That’s where leading-edge cybersecurity tools provide unmatched value.
Just as cybercriminals exploit AI to supercharge their pretexting efforts, organizations can arm themselves with sophisticated and automated defenses against them. Natural language processing (NLP) technology, for example, analyzes language and learns to look for words and phrases commonly used in pretexting. In addition, Mimecast’s CyberGraph uses AI to identify malicious patterns indicative of pretexting and prevent sophisticated email attacks. The company’s DMARC Analyzer does the same for domain and email spoofing that cybercriminals employ to make their entreaties seem legitimate.
[1] “What is pretexting? Definition, examples and prevention,” CSO Online
[2] “2022 Data Breach Investigations Report, Verizon
[3] Ibid
[4] “What is pretexting? Definition, examples and prevention,” CSO Online
[5] “Social Engineering Penetration Testing," Gavin Watson
[6] “The Basics of Cyber Safety,” John Sammons and Michael Cross,
[7] “5 Social Engineering Attacks to Watch Out For,” Tripwire
[8] “2022 Data Breach Investigations Report,” Verizon
[9] “Some of the world's biggest Twitter accounts got hacked this week. Here's what we know about what happened,” Insider
[10] “High school Student Hacked Into CIA Director's Personal Email Account,” The Hacker News
[11] “Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case,” WSJ.com
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!