What is pretexting?
Pretexting is a form of social engineering where a mal-actor tries to convince you to give up valuable information or access to a service or system. The distinguishing feature of this kind of attack is that the mal-actor comes up with a story – or pretext – designed to fool you. In the pretext, the mal-actor appears to be someone in authority who has the right to access the information being sought.
Very often, the mal-actor pretends to need your personal information to confirm your identity. This could include publicly available information such as your full name and address (or part of it). The aim is to get you to trust them. Once the mal-actor has established trust with you, he will then request further personal information that he can use later, for example, your email address, bank account details, PIN, or password.
More often than not, the initial contact will come through a telephone call or an email. You should verify that the person is who they say they are. With a phone call, get their name and the company they are calling from and say you’ll call them back. Then phone the number you know – not the number the mal-actor may have given you – and ask for them by name. With an email, again call the company on the number you know and ask to speak to the sender of the email. Check that they actually exist and sent you the email. If the call or email is genuine, you’ll be put through and speak to the same person. If not – congratulations, you’ve just foiled an attack.
Catch me if you can
In the film Catch Me If You Can (which is based on a true-life story), Tom Hanks plays an FBI agent chasing Frank Abagnale Jr. (Leonardo DiCaprio), who used pretexting techniques to forge millions of dollars’ worth of checks while posing as a Pan Am pilot, a doctor, and a legal prosecutor. He was eventually caught and spent time in jail.
Kevin D Mitnick
Possibly the most famous person in cybersecurity circles for performing pretexting scams is Kevin Mitnick. He tells his story in the book “The Art of Deception”. Kevin now uses the skills he learned (and was jailed for) to perform security consultancy and penetration testing for large global companies.
Do you want to learn more?
Network Midlands runs seminars to help you detect and defeat social engineering attacks. Find out more at “The Art of Deception”.