It\u2019s a well-established fact of human nature that we love stories. From fairy tales to blockbuster movies and Super Bowl commercials, narratives provide us with the framework we use to make sense of the world, learn what constitutes proper behavior, and \u2014 as for those commercials \u2014 even buy beer. <\/p>\n\n\n\n
Unfortunately, scammers have a somewhat specialized take on human nature, and to them our love of narrative is a weakness to be exploited. That\u2019s how \u201cpretexting\u201d attacks work, and they\u2019re a widespread component of the identity theft ecosystem.<\/p>\n\n\n\n
Pretexting is a form of social engineering<\/a>, which is to say it relies on psychology.\u00a0 If a stranger walked up to you and asked you to divulge sensitive personal information, or transfer money to a given destination, you\u2019d rightly refuse or at the very least ask a lot<\/em> of questions.\u00a0<\/p>\n\n\n\n That changes if there\u2019s a plausible pretext for the request (hence the term pretexting<\/em>), and if you believe the person making the request has some reasonable grounds for doing so. Typically in these attacks the scammer will impersonate your boss, or the IT department, or your bank, or some other authority figure, which is why it\u2019s more advanced than mere phishing. For pretexting to work, the scammers need to know something about you.<\/p>\n\n\n\n Most of us have had a parent, teacher, boss, or some other figure in our lives whose attitude was:\u00a0 \u201cWhen I say, \u2018Jump,\u2019 you say, \u2018How high?\u2019\u201d\u00a0 Obedience was expected or demanded, and questions weren\u2019t well received.\u00a0 As a result we\u2019re predisposed to respond to this kind of approach.\u00a0<\/p>\n\n\n\n A pretexting attack is more sophisticated than many scams and requires a higher level of skill and research from the criminals. Let\u2019s use a concrete example to illustrate. <\/p>\n\n\n\n Suppose you receive an email or text message that says, \u201cYour device is infected with malware! Click here to remove it!\u201d This is a straightforward phishing scam, even if the scammers appropriate the logo of a legitimate tech company or a not-quite-correct version of a legitimate URL. <\/p>\n\n\n\n Now consider a message that appears to come from one of your employer\u2019s in-house email accounts, and says, \u201cHi, [your name], it\u2019s Grant from the IT department.\u00a0 Intel just released a patch for vulnerability #CVE-2021-0146<\/a>, so I\u2019ll need to log in to your machine remotely for about 10 minutes to apply the UEFI BIOS update.\u201d\u00a0<\/p>\n\n\n\n That\u2019s a believable pretext in many companies, which illustrates exactly why pretexting is so dangerous: It frames a risky behavior (sending money or clicking a link, allowing an outsider access to your computer) as something familiar, routine and expected. Something \u2014 in short \u2014 we\u2019re likely to do without really thinking about it. <\/p>\n\n\n\n As an individual, scammers may have stolen or purchased some of your information, and used that to work up a persuasive script in an effort at stealing the rest of your identity. <\/p>\n\n\n\n For businesses, criminals may follow up an initial attack \u2014 an email server hack<\/a>, perhaps, or successfully spear phishing an executive<\/a> \u2014 by using the information they\u2019ve gained to create and target a pretexting attack.\u00a0 In our previous example, scammers would match the email\u2019s style and language to those of the targeted company.\u00a0 If the company\u2019s culture was authoritarian, the email might be more peremptory:\u00a0 \u201cI\u2019ll be performing the update at 2:15.\u00a0 Please save your work and log out of all programs except your web browser.\u201d\u00a0\u00a0<\/p>\n\n\n\n There are plenty of specific examples of real-world pretexting attacks out there, if you do a bit of Googling. Some of them include: <\/p>\n\n\n\n The scammer has your phone number and knows enough about you to impersonate you in a call to your cellular carrier<\/a>.\u00a0 The pretext is that your phone has been lost or damaged and that \u201cyou\u201d need to have service switched to your new phone and SIM card.\u00a0<\/p>\n\n\n\n If the service rep at your carrier obliges, scammers will now have control of your phone number and \u2014 depending what other information they have \u2014 can use it to log in to your accounts, receive verification texts and even lock you out of your own banking app.\u00a0 Twitter CEO Jack Dorsey famously fell victim to a SIM swap<\/a> in 2019.\u00a0<\/p>\n\n\n\n The scammer has part of your financial information, and the pretext is that they\u2019re the customer service rep helping you fix \u201c…a problem with your account ending in the digits 3058\u2026\u201d You may be prompted to click a link to change your password \u2014 which of course gives them your current one \u2014 or the \u201crep\u201d will helpfully take your current PIN or password over the phone in order to change it for you. The approach might be by phone, email or text message. <\/p>\n\n\n\n In this one, the pretext is that the scammer is a senior person at a vendor<\/a> your company does business with regularly.\u00a0 The scammer sends an email to your accounts payable department, spoofed to look like it comes from the vendor\u2019s actual email address, explaining that they\u2019ve changed banks and could you please update their payment information?\u00a0 If you do, legitimate payments meant for that vendor go to the scammer instead.\u00a0 Depending on the scale of your respective companies, losses can be very large.\u00a0<\/p>\n\n\n\n The pretext is that the scammer is your CEO or another senior executive, and \u2014 since they\u2019re tied up in one way or another and can\u2019t attend to it \u2014 you\u2019re tasked with transferring a sum of money, or sensitive information about your company or its customers, to a bank, potential investor or other plausible destination.\u00a0 Cases like this are seldom publicized (it\u2019s a bad look for the victims), but one manufacturer of networking hardware lost over $40 million<\/a> to this kind of scam a few years ago.\u00a0<\/p>\n\n\n\n The caller (or sender, in the case of messages) claims to be one of your grandkids, or some other member of your extended family: someone you feel obligated to help, but whose voice you wouldn\u2019t necessarily recognize. <\/p>\n\n\n\n The pretext is that they have a problem: an accident or emergency car repair, or maybe they\u2019re down in Mexico and their credit card\u2019s been locked because they forgot to tell the bank they\u2019re traveling. So you wire them some money, which you never see again. The information to pull this off can often be gleaned from social media. <\/p>\n\n\n\n Overall, pretexting is an integral part of the fraud\/identity theft cycle. It\u2019s part of many phishing attacks, and it\u2019s a prerequisite for spear phishing (targeted phishing attacks against specific people or organizations, as opposed to random \u201ctry everyone\u201d phishing). Every time scammers gain a useful piece of information it helps them create better pretexts, which makes it easier for them to steal your money or gain more and better information, which in turn enables better pretexting. It\u2019s great for them, but not so much for the rest of us. <\/p>\n\n\n\n So how can you differentiate between a pretexting attack and a legitimate request? There are a few important tests you can apply: <\/p>\n\n\n\n If you believe you\u2019ve been approached with a pretexting attack, in either the personal or business context, there are steps you can take to verify the legitimacy of the request. Because prevention is better than reaction, you should also take measures to prevent or thwart pretexting attacks. <\/p>\n\n\n\n What can you do about a pretexting attack and how can you prevent them in the first place? <\/p>\n\n\n\n To manage attacks targeting you personally:\u00a0<\/p>\n\n\n\n Subscribe to Spokeo Protect<\/a>, our identity protection service, which can alert you if crucial pieces of information such as your SSN and banking or credit card information are offered up for sale on the dark web<\/a>.\u00a0 If that\u2019s the case, any caller using the same info to establish their legitimacy automatically becomes suspect.<\/p>\n\n\n\n Some of the same principles are fully transferable to businesses, such as teaching everyone how to check for spoofed emails. Other useful measures include: <\/p>\n\n\n\n It\u2019s an unfortunate fact of our modern, connected world that crime rings operate 24\/7. That doesn\u2019t mean you yourself have to lose any sleep, if you\u2019re appropriately informed or prepared. <\/p>\n\n\n\n Pretexting isn\u2019t like data breaches and hacks, which you can\u2019t control:\u00a0 Those will happen, and there\u2019s little if anything you can do about it.\u00a0 For pretexting to work, you have to \u201cbuy\u201d the story the scammer is selling.\u00a0 You can sleep well knowing that if you\u2019re prepared and skeptical, even the best-thought-out pretext won\u2019t trick you into compliance.\u00a0<\/p>\n\n\n\n References:<\/p>\n\n\n\n CSO Online – What Is Pretexting?\u00a0 Definition, Examples and Prevention<\/a><\/p>\n\n\n\n Intel – Intel Processor Advisory SA-00528<\/a><\/p>\n\n\n\n ZDNet – Everything You Need To Know About the Microsoft Exchange Server Hack<\/a><\/p>\n\n\n\n KnowBe4 – Top 5 Spear-Phishing Attacks Targeting Executives<\/a><\/p>\n\n\n\n Mozilla Blog – Mozilla Explains:\u00a0 SIM Swapping<\/a><\/p>\n\n\n\n Wired – How Twitter CEO Jack Dorsey\u2019s Account Was Hacked<\/a><\/p>\n\n\n\n CSO Online (Australia) – How To Defraud a Company?\u00a0 Just Ask.<\/a>\u00a0<\/p>\n\n\n\n Comparitech – What Is a Pretexting Attack (With Examples)?<\/a><\/p>\n\n\n\n U.S. Federal Trade Commission – Most Recent Scam Alerts<\/a><\/p>\n\n\n\n Better Business Bureau – Latest News:\u00a0 Scams<\/a><\/p>\n\n\n\nWhat Differentiates Pretexting<\/h2>\n\n\n\n
Some Real-World Examples of Pretexting<\/h2>\n\n\n\n
\u201cSIM Swapping\u201d Attacks <\/h3>\n\n\n\n
Bank (or Credit Card, or PayPal) Impersonation <\/h3>\n\n\n\n
Vendor Impersonation <\/h3>\n\n\n\n
Executive Impersonation<\/h3>\n\n\n\n
The \u201cGrandkid in Trouble\u201d Scam<\/h3>\n\n\n\n
Spotting a Pretexting Attack<\/h2>\n\n\n\n
\n
Preventing a Pretexting Attack (or Preventing It From Succeeding)<\/h2>\n\n\n\n
\n
\n
Fraud Never Sleeps, but You Can<\/h2>\n\n\n\n