What is pretexting? Definition, examples and prevention – Digitaleclub

Pretexting definition

Pretexting is a form of social engineering in which an attacker tries to convince a victim to give up valuable information or access to a service or system. The distinguishing feature of this kind of attack is that the scam artist comes up with a story, or pretext, in order to fool the victim. The pretext generally casts the attacker in the role of someone in authority who has the right to access the information being sought, or who can use the information to help the victim.

Pretexting has a fairly long history; in the U.K., where it is also known as blagging, it is a tool tabloid journalists have used for years to get access to salacious dirt on celebrities and politicians. Today it is commonly used by scam artists targeting private individuals and companies to gain access to their financial accounts and private data. Pretexters can use any form of communication, including email, text messages and voice phone calls, to ply their trade.

Pretexting techniques

In Social Engineering Penetration Testing, security engineer Gavin Watson lays out the techniques that underlie every act of pretexting: “The key part … [is] the creation of a scenario, which is the pretext used to engage the victim. The pretext sets the scene for the attack along with the characters and the plot. It is the foundation on which many other techniques are performed to achieve the overall objectives.”

Watson says there are two main elements to a pretext: a character played by the scam artist, and a plausible situation in which that character might need or have a right to the information they’re after. For instance, we all know that there are sometimes errors that arise with automatic payment systems; thus, it’s plausible that some recurring bill we’ve set to charge to our credit card or bank account automatically might mysteriously fail, and the company we meant to pay might reach out to us as a result. An attacker might take on a character we’d expect to meet in that scenario: a friendly and helpful customer service rep, for instance, reaching out to us to help fix the error and make sure the payment goes through before our account goes into arrears. As the scenario plays out, the attacker would ask for bank or credit card information to help the process along — and that’s the information they need to steal money right out from our accounts.

In the scenario outlined above, the key to making the scam work is the victim believing the attacker is who they say they are. That requires the character be as believable as the situation. It’s not enough to find it plausible in the abstract that you might get a phone call from your cable company telling you that your automatic payment didn’t go through; you have to find it believable that the person on the phone actually is a customer service rep from your cable company. Thus, the most important pretexting techniques are those the scam artist deploys to put you at ease. If an attacker has somehow obtained your cable bill, for example by going through your garbage, they’ll be armed with the name of your cable provider and your account number when they call you, which makes you more likely to believe that they really are the character they’re playing.

This example demonstrates something of a pretexting paradox: the more specific the information a pretexter knows about you before they get in touch, the more valuable the information they can convince you to give up. That is why careful research is a foundational technique for pretexters. While dumpster diving can be a good source of intelligence on a victim, it also takes quite a bit of messy real-world work and may not be worth it for a relatively low-value target. Pretexters have a wealth of more efficient research techniques available, including so-called open source intelligence (OSINT): information pieced together from publicly available sources ranging from government records to LinkedIn profiles. There are also gigabytes of personally identifying data on the dark web as a result of innumerable data breaches, available for purchase at a relatively low price to serve as the skeleton of a pretexting scenario.
