In social engineering, phishing campaigns often involve sending out bulk emails to countless addresses with fake premises and links, in the hope that one employee in one company will either give up some sensitive information or open the door for malware to be downloaded onto their computer. This approach relies on quantity over quality: the more emails a hacker sends out, the more people will fall victim to them. Pretexting is the opposite, in that the watchword is quality, not quantity. Pretexting has the same broad aims as phishing, but the communication between the hacker and the victim is usually more detailed and spread over a longer period, working through scenarios and characters to build trust. This higher level of detail means that pretexting campaigns have a higher success rate than individual phishing messages.
How does pretexting work?
Hackers run pretexting campaigns against companies by inventing scenarios that might involve an employee having to hand over information or change payment details so that the hacker can then access an account, or even receive direct payments from that company.
For example, a hacker may impersonate a vendor to whom your company makes regular payments. They would claim to the employee that the last payment did not go through because ‘their’ company had new banking information. The employee would then change the details on file, and the hacker would receive those payments directly (or at least into an account they control, since giving the victim company their personal bank details could get them caught) until someone realises that the money is going to the wrong place.
These scenarios involve more research than basic phishing, as the situation and the character the hacker plays must be plausible for it to work. For example, in the scenario above, if the hacker tries to impersonate a vendor that the victim stopped trading with six months earlier, they’ve ruined the scheme before it got going.
How can I prevent pretexting?
There’s no real way of preventing you and your company from receiving pretexting attempts; that’s a symptom of having publicly accessible information available online. The best thing you can do to stop your business falling victim to pretexting is simply to be aware that it is a possibility and make sure all employees are too. Cybersecurity training should always cover pretexting and phishing scams, and once double-checking that people are who they say they are becomes a habit for everyone, your business should be safe.
Extra layers of checks for large money transfers or for changing a vendor’s banking information can also stop pretexting scams in their tracks. A second pair of eyes on any such request is always helpful.
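As an added illustration of those extra checks (example code written for this article, not a product or process of OmniCyber Security), the routine below vets a vendor bank-detail change the way the vendor scenario above calls for: the callback goes to the phone number already on file rather than any number supplied in the request, the vendor must confirm on that call, and an approver other than the employee who took the request must sign off. The vendor record, request and phone numbers are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorOnFile:
    """Vendor master record; the callback number was agreed at onboarding."""
    vendor_id: str
    bank_account: str
    callback_phone: str


@dataclass(frozen=True)
class BankChangeRequest:
    """Inbound request (e-mail, call, letter) to change a vendor's bank details."""
    vendor_id: str
    new_bank_account: str
    phone_given_in_request: str  # number the requester asks to be called back on
    handled_by: str              # employee who received the request


def vet_bank_change(req, vendor, callback_number_used, vendor_confirmed, approvers):
    """Return the list of failed checks; an empty list means the change may proceed."""
    failures = []
    if req.vendor_id != vendor.vendor_id:
        failures.append("request does not match the vendor record")
    # A number supplied in the request is controlled by whoever sent the request,
    # so a callback to it proves nothing; only the number on file counts.
    if callback_number_used != vendor.callback_phone:
        failures.append("callback not made to the number on file")
    elif not vendor_confirmed:
        failures.append("vendor did not confirm the change on callback")
    # Four-eyes rule: someone other than the handler must approve.
    if not (set(approvers) - {req.handled_by}):
        failures.append("no second approver independent of the handler")
    return failures


# Constructed sample data: a vendor on file and a request claiming "new bank details".
VENDOR = VendorOnFile("V-1001", "GB00 DEMO 0000 0000 01", "+44 20 0000 0001")
REQUEST = BankChangeRequest("V-1001", "GB00 DEMO 0000 0000 99", "+44 7000 000002", "alice")


def demo():
    # Sloppy handling: alice calls the number in the e-mail and approves it herself.
    sloppy = vet_bank_change(REQUEST, VENDOR, "+44 7000 000002", True, ["alice"])
    # Proper handling: callback to the number on file, vendor confirms, bob approves.
    proper = vet_bank_change(REQUEST, VENDOR, VENDOR.callback_phone, True, ["alice", "bob"])
    return sloppy, proper
```

Running demo() shows the sloppy path failing two checks and the properly vetted path passing, even though the request itself is identical in both cases.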
You can test your business’s readiness for dealing with a cyber attack by arranging a red teaming exercise with OmniCyber Security. Our world-class team of penetration testers can replicate any attack (including pretexting) tailored to your organisation, so you know where your weaknesses are. Contact OmniCyber Security today to discuss your cybersecurity needs.