Your organization may have sound policies for information and technology use, but threat actors will always go for the weakest surface of the cybersecurity program: the workforce. According to Verizon’s 2021 Data Breach Investigations Report, 85 percent of all breaches involved the human element of cybersecurity. Therefore, pretexting social engineering remains a top concern for organizations.
What is a Pretexting Social Engineering Scam? And How Can You Prevent It?
Social engineering is the attack method threat actors use to manipulate and convince personnel to disclose sensitive information by playing upon human emotions and psychology. “Pretexting” is the cybercriminal effort to create a situation that increases the attack’s apparent legitimacy and the likelihood of success.
Defending your organization from these types of scams requires familiarity with the following:
- What pretexting social engineering is
- Examples of pretexting scams
- Prevention and protection
Since pretexting and other social engineering scams target your organization’s personnel, providing periodic, comprehensive security awareness training provides the best cyberdefenses for this type of attack.
Pretexting Social Engineering Defined
Pretexting involves presenting the target with a plausible situation that provokes a reaction (e.g., distress) strong enough to override any scrutiny of its legitimacy. During social engineering, someone pretends to be a known entity (e.g., a colleague, delivery person, or government agency) to gain access to information or restricted spaces.
The social engineering situation presented to potential victims is based on the attacker’s research. Therefore, the more legitimate or affecting the pretext information is, the more likely the attacker’s desired intention will occur (e.g., provide user credentials, click on a malicious link).
The attacker sells the story to the victim using legitimate-seeming formats and graphics (e.g., government logos) together with consistent mannerisms, tone, and presentation, all of which improve the success rate of social engineering in information security.
Cybersecurity training is critical to defending against social engineering scams because most attempts generally contain indications that the person or message isn’t legitimate (e.g., misspelled words).
Examples of Pretexting Scams
The type of pretext used is based on the attacker’s skills and appetite for risk. The path of least resistance and exposure is ideal, and the believability of their story plays a part in their success. The following four examples should help you recognize pretexting social engineering in action.
The goal of pretext emails depends on the recipient and the attacker’s intention. For example, the executive of a company involved in a merger could receive an email from the “managing director” of the other firm attempting to verify account information or wire transfer confirmation.
If the name, tone, logo, and signature “appear” to be in order, the unsuspecting executive has a higher likelihood of responding with the information requested.
An employee in your organization may receive a call from someone claiming to belong to one of your third-party service providers. They may request information or ask to begin a remote session that would grant them access to your organization’s IT environment.
In vishing and other social engineering scams, cybercriminals may increase their apparent legitimacy with techniques such as politely asking how some of your colleagues, by name, are doing. Since many companies publicly present their organization’s personnel and hierarchy (e.g., on their website), this information may be readily available to attackers.
Furthermore, if a cybercriminal can access social media or other news related to your organization’s employees, they can make themselves appear that much more legitimate.
Commonly known as “smishing” (i.e., short message service phishing), text-message pretexting is where the victim receives text messages that appear to come from a familiar phone number or contact.
An example of smishing is when someone in your organization receives a text from “your financial institution” saying a recent transaction took place and requesting authorization confirmation by clicking a link. The link takes the victim to a site requiring their credentials, which the attacker then uses to access the accounts.
Physical pretexting, such as tailgating, is the riskiest method for the threat actor. Although electronic social engineering provides attackers with high success rates, on-site pretexting remains a legitimate threat.
Tailgating depends on bypassing physical access controls and security measures (e.g., card swipe locks on doors). Attackers employing this method commonly dress up as personnel that would be granted legitimate access to blend into the environment (e.g., personal protective equipment worn by construction contractors, business attire, or courier).
Tailgating attackers depend on personnel to achieve access (e.g., requesting them to “hold the door”). To increase legitimacy, their hands may be full, they may offer a smile, or merely fit in by appearance. Successful tailgating attempts grant intruders direct physical access to workstations, servers, and documents.
Prevention and Protection Against Pretexting
The best defense of pretexting social engineering is recognition, and it starts with security awareness training for all employees. Consider the following practices to prevent social engineering in information security:
- Do not click on any links from unknown or unverified senders.
- Ask for identification if someone does not have it displayed.
- Examine emails closely for misspelled words, fake URLs, and requests for sensitive information.
- If financial account information is requested via email or text, always directly contact the sender to confirm legitimacy.
- Conduct regular security awareness training with mock pretexting drills.
- Utilize phishing simulation services that send fake scam emails to help employees better recognize them in “live” environments and identify whether additional training is needed.
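As an added example that is not part of the original article, the following Python script applies the email checks from the list above to a constructed message of the kind described in the merger scenario: a familiar display name used from an external domain, a Reply-To routed elsewhere, link text showing one domain while the href points to another, and a wire-transfer or credential request in the body. The organization domain, staff list, keyword list, and sample message are all hypothetical values chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # hypothetical organisation values; adjust to your own
KNOWN_STAFF = {"jane doe"}  # display names an impostor would borrow
SENSITIVE = ("wire transfer", "account information", "password", "verify your credentials")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    # Lower-cased hostname; bare domains without a scheme are accepted too.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_message(raw):
    """Return human-readable warnings for a raw RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    warnings = []
    # 1. A familiar display name arriving from an address outside the organisation.
    if name.lower() in KNOWN_STAFF and sender_domain != ORG_DOMAIN:
        warnings.append(f"display name '{name}' used from external domain {sender_domain}")
    # 2. Replies silently routed to a different domain than the visible sender.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        warnings.append(f"Reply-To domain differs from From domain ({reply})")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    # 3. Link text that shows one domain while the href goes to another.
    for href, text in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "." in shown and host_of(shown) != host_of(href):
            warnings.append(f"link text '{shown}' actually points to {host_of(href)}")
    # 4. Requests for money movement or credentials in the body.
    hits = [k for k in SENSITIVE if k in body.lower()]
    if hits:
        warnings.append("sensitive request: " + ", ".join(hits))
    return warnings

# Constructed sample: a message borrowing a known contact's name asks for a wire-transfer confirmation.
SAMPLE = """\
From: Jane Doe <jane.doe@example-corp-mail.invalid>
Reply-To: jd.finance@other-mail.invalid
Content-Type: text/html

<p>Please confirm the wire transfer today. Log in here:
<a href="http://example-com-secure.invalid/login">https://portal.example.com/login</a></p>
"""
```

Running `check_message(SAMPLE)` returns four warnings, one per check; a plain internal message with no links or sensitive phrases returns an empty list.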
Proactively Counter Breach Attempts with Experts in Cybersecurity
Pretexting social engineering and similar scams rely on convincing potential victims of their legitimacy and influencing them to perform the cybercriminal’s desired actions (e.g., provide credentials, click a link). Since social engineering attacks target people, there is only so much your security architecture can do. Instead, your organization must prioritize security program advisory and awareness training so personnel can recognize the signs of a scam.
To reduce the likelihood of successful pretexting social engineering in your organization, contact RSI Security today!