What is Pretexting?
Attention to detail is the number one thing cybercriminals try to get right before any attack. The effort required varies with the type of attack, but the goal is the same: to seem convincing to the victim. Fabricating a convincing story is essential for cyber frauds to succeed because the victim is less likely to suspect it.
Pretexting is the process of collecting information about a target. It is the ‘preparation phase’ that is fundamental for the attack to succeed. We would all hope that such attacks never see the light of day, but the reality is far from optimistic. Hence, you must equip yourself with the right knowledge to recognize pretexting and avoid becoming a victim.
How Cybercriminals Use Pretexting
Pretexting is a social engineering technique that attempts to trick a person into giving up certain types of information. For example, it could be personal or financial details that the attacker would try to extract from you by fabricating a story.
Such attacks work by developing trust, either through familiarity or by divulging information that lowers your guard. An attacker could impersonate a coworker, family member, friend, or an entity that holds the right to ask you for that particular information. An email or phone call claiming to be from your bank, informing you that your account has been temporarily suspended or requires additional information, is just one example of how cybercriminals can target you.
Pretexting is the story around which the attack is carried out. So if you picked up the call and heard an introduction, that is all part of pretexting: an attempt to establish trust so that you don’t hang up the phone or question the motives.
The bigger the target, the more pretexting will be involved to avoid alerting the person. The first step towards building a pretext is to collect as much information about the target as possible. For example, the scam artist would find your social media accounts and go through everything from public posts to likes and comments. The person will also note any immediate family members and build a profile on you.
Cybercriminals may even locate where you live and go through the trash that you throw out. It may seem far-fetched, but when the target is big, no preparation is too small for cybercriminals. You may even be stalked.
Example of Pretexting
With all that you’ve learned about the many ways attackers prepare for an attack, here’s a possible pretexting scenario.
An attacker impersonates the CEO of a company and contacts the company’s finance department. The attacker will use an email address similar to the company’s name to escape detection. The fake CEO asks the finance department to make an urgent payment to a vendor who may be upset over the delay. Because the attacker offers information obtained through sources like social media, the victim is likely to lower their guard and proceed with the payment without asking questions. Of course, the account number that the fake CEO provides will belong to the attacker.
Similarly, an attacker could impersonate a colleague to target someone with access to confidential information like an ongoing project. If the two employees met recently, the attacker would use this detail in the email to build trust, then casually ask something about the project. Of course, asking about a project directly may raise suspicion, so the email will be centered around something else entirely, with the project’s mention casually thrown into the mix.
What is the Difference Between Pretexting and Phishing?
Pretexting and phishing both fall under social engineering techniques. Phishing is more commonly used to describe fraudulent activities aimed at getting information out of people. It could be more than just the login information to your bank account, social security number, or health insurance details. A scammer could even impersonate a modeling agency and ask for your photos.
Phishing is anything that tries to trick you through lies and deception into giving information that you own.
On the other hand, pretexting is the basis on which the phishing attempt will be made successful. It is phase one of the plan. Scouting for information on the target so that there is relevant information to build a convincing story to lay the trap is all part of pretexting. So, while they are not exactly the same thing, they work together.
Phishing is further divided into other categories, such as vishing and smishing. However, irrespective of what name social engineering techniques bear, pretexting is at the root of all of them.
How to Protect Against Pretexting Attacks
Most cyber frauds are successful due to human error. There is generally a lack of education on privacy and security among the masses. Therefore, the criminals of the digital world are winning. It’s not always easy to get up to speed on the various threats that lurk on the internet, but the dangers present themselves regardless.
Certain practices can significantly improve your chances against such cyber frauds.
- Never share your banking details with anyone. Banks will never ask you to repeat your credit card number or PIN over the phone or by email.
- Check the sender’s email address before replying or downloading any attachments, regardless of how urgent it seems. Look for spelling mistakes in the email address.
- If you have been asked for payment by a vendor, call the vendor first before following through with the request.
- Keep your social media profiles private and only add trusted people to your friends list. Never share personal information publicly that could be used in such instances.
- As a business, you must educate your employees on how to respond to external emails. In addition, having a zero-trust policy helps in preventing confidential information from leaking out.
- Winning lotteries over the phone might sound exciting, but remember this: no giveaway or lottery will ask you to pay some amount of money to claim the prize. So don’t divulge your personal information, and don’t pay scammers.
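The sender check from the list above, applied to the kind of lookalike address used in the fake-CEO scenario, sketched as an added example (not code from the original article). The trusted domain, the executive name and the sample headers are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's real
# mail domain and the names of people attackers are likely to imitate.
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe"}

# Characters commonly swapped in to make a domain look right at a glance
# (digits, plus Cyrillic a, e, o, i written as escapes).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e",
                             "\u043e": "o", "\u0456": "i"})

def skeleton(domain):
    """Reduce a domain to a canonical form so look-alikes compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return 'trusted', 'lookalike', 'display-name-impersonation' or 'external'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for good in TRUSTED_DOMAINS:
        # Same skeleton, or only a couple of typos away from the real domain.
        if edit_distance(skeleton(domain), skeleton(good)) <= 2:
            return "lookalike"
    if display.strip().lower() in EXECUTIVES:
        # A known name on an unrelated domain: verify out of band.
        return "display-name-impersonation"
    return "external"

if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example-corp.com>",   # constructed samples
                "Jane Doe <jane.doe@examp1e-corp.com>",
                "Jane Doe <ceo.office@gmail.com>"):
        print(classify_sender(hdr), hdr)
```

A "trusted" result only means the domain text in the From header matches; it does not prove the message really came from that domain, which is what SPF, DKIM and DMARC results are for.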
Make it a rule to never share personal information over the internet. The less information a scammer has about you, the harder it will be to scam you, which works in your favor. At iProVPN, we always recommend that you – the user – remain vigilant about any suspicious activity like phishing emails by educating yourself on how scammers operate.
The Federal Trade Commission (FTC) often publishes updates on new scams and statistics to help you stay in the know.