It’s a well-established fact of human nature that we love stories.  From fairy tales to blockbuster movies and Super Bowl commercials, narratives provide us with the framework we use to make sense of the world, learn what constitutes proper behavior, and — as for those commercials — even buy beer. 

Unfortunately, scammers have a somewhat specialized take on human nature, and to them our love of narrative is a weakness to be exploited.  That’s how “pretexting” attacks work, and they’re a widespread component of the identity theft ecosystem.

What Is Pretexting? 

Pretexting is a form of social engineering, which is to say it relies on psychology.  If a stranger walked up to you and asked you to divulge sensitive personal information, or transfer money to a given destination, you’d rightly refuse or at the very least ask a lot of questions. 

That changes if there’s a plausible pretext for the request (hence the term pretexting), and if you believe the person making the request has some reasonable grounds for doing so.  Typically in these attacks the scammer will impersonate your boss, or the IT department, or your bank, or some other authority figure, which is why it’s more advanced than mere phishing. For pretexting to work, the scammers need to know something about you.

Most of us have had a parent, teacher, boss, or some other figure in our lives whose attitude was:  “When I say, ‘Jump,’ you say, ‘How high?’”  Obedience was expected or demanded, and questions weren’t well received.  As a result we’re predisposed to respond to this kind of approach. 

What Differentiates Pretexting

A pretexting attack is more sophisticated than many scams and requires a higher level of skill and research from the criminals.  Let’s use a concrete example to illustrate. 

Suppose you receive an Email or text message that says, “Your device is infected with malware!  Click here to remove it!”  This is a straightforward phishing scam, even if the scammers appropriate the logo of a legitimate tech company or a not-quite-correct version of a legitimate URL. 

Now consider a message that appears to come from one of your employer’s in-house email accounts, and says, “Hi, [your name], it’s Grant from the IT department.  Intel just released a patch for vulnerability #CVE-2021-0146, so I’ll need to log in to your machine remotely for about 10 minutes to apply the UEFI BIOS update.” 

That’s a believable pretext in many companies, which illustrates exactly why pretexting is so dangerous:  It frames a risky behavior (sending money or clicking a link, allowing an outsider access to your computer) as something familiar, routine and expected.  Something — in short — we’re likely to do without really thinking about it. 

Some Real-World Examples of Pretexting

As an individual, scammers may have stolen or purchased some of your information, and used that to work up a persuasive script in an effort at stealing the rest of your identity. 

For businesses, criminals may follow up an initial attack — an email server hack, perhaps, or successfully spear phishing an executive — by using the information they’ve gained to create and target a pretexting attack.  In our previous example, scammers would match the email’s style and language to those of the targeted company.  If the company’s culture was authoritarian, the email might be more peremptory:  “I’ll be performing the update at 2:15.  Please save your work and log out of all programs except your web browser.”  

There are plenty of specific examples of real-world pretexting attacks out there, if you do a bit of Googling.  Some of them include: 

“SIM Swapping” Attacks 

The scammer has your Phone number and knows enough about you to impersonate you in a call to your cellular carrier.  The pretext is that your phone has been lost or damaged and that “you” need to have service switched to your new phone and SIM card. 

If the service rep at your carrier obliges, scammers will now have control of your phone number and — depending what other information they have — can use it to log in to your accounts, receive verification texts and even lock you out of your own banking app.  Twitter CEO Jack Dorsey famously fell victim to a SIM swap in 2019. 

Bank (or Credit Card, or PayPal) Impersonation 

The scammer has part of your financial information, and the pretext is that they’re the customer service rep helping you fix “…a problem with your account ending in the digits 3058…”  You may be prompted to click a link to change your password — which of course gives them your current one — or the “rep” will helpfully take your current PIN or password over the phone in order to change it for you.  The approach might be by phone, email or text message. 

Vendor Impersonation 

In this one, the pretext is that the scammer is a senior person at a vendor your company does business with regularly.  The scammer sends an email to your accounts payable department, spoofed to look like it comes from the vendor’s actual email address, explaining that they’ve changed banks and could you please update their payment information?  If you do, legitimate payments meant for that vendor go to the scammer instead.  Depending on the scale of your respective companies, losses can be very large. 

Executive Impersonation

The pretext is that the scammer is your CEO or another senior executive, and — since they’re tied up in one way or another and can’t attend to it — you’re tasked with transferring a sum of money, or sensitive information about your company or its customers, to a bank, potential investor or other plausible destination.  Cases like this are seldom publicized (it’s a bad look for the victims), but one manufacturer of networking hardware lost over $40 million to this kind of scam a few years ago. 

The “Grandkid in Trouble” Scam

The caller (or sender, in the case of messages) claims to be one of your grandkids, or some other member of your extended family:  someone you feel obligated to help, but whose voice you wouldn’t necessarily recognize. 

The pretext is that they have a problem:  an accident or emergency car repair, or maybe they’re down in Mexico and their credit card’s been locked because they forgot to tell the bank they’re traveling.  So you wire them some money, which you never see again.  The information to pull this off can often be gleaned from social media. 

Overall, pretexting is an integral part of the fraud/identity theft cycle. It’s part of many phishing attacks, and it’s a prerequisite for spear phishing (targeted phishing attacks against specific people or organizations, as opposed to random “try everyone” phishing).  Every time scammers gain a useful piece of information it helps them create better pretexts, which makes it easier for them to steal your money or gain more and better information, which in turn enables better pretexting.  It’s great for them, but not so much for the rest of us. 

Spotting a Pretexting Attack

So how can you differentiate between a pretexting attack and a legitimate request?  There are a few important tests you can apply: 

• Familiarize yourself with your bank/credit card provider/utility company’s policies.  If you get a text or email purporting to come from them, but you know that’s not how they resolve account issues, it’s easy to dismiss. 
• Ask yourself:  “Is this what I’d say/how I’d act if I was a scammer?”  If the answer is yes, then you should at least question the legitimacy of the contact no matter how plausible it sounds.
• Look for the telltale note of urgency.  Scammers will always push you to ACT RIGHT NOW, before you have time to think about it. 
• Take time to regularly read about the latest scams on sites like the FTC’s Scam Alerts page and the BBB’s “Latest News” page or its online Scam Tracker.  Even the best pretext can lose its effectiveness if you know it’s actively being used by scammers. 
• In a workplace context, ask yourself if you’re being asked to do something that falls outside of normal procedures or bypasses a standing security measure. 

If you believe you’ve been approached with a pretexting attack, in either the personal or business context, there are steps you can take to verify the legitimacy of the request.  Because prevention is better than reaction, you should also take measures to prevent or thwart pretexting attacks. 

Preventing a Pretexting Attack (or Preventing It From Succeeding)

What can you do about a pretexting attack and how can you prevent them in the first place? 

To manage attacks targeting you personally: 

• Respond to dubious phone calls with “I’ll call you right back,” and then reach out directly to the bank/creditor/government agency through their published phone number.  Treat emails or messages the same way, reaching out to the purported sender as opposed to answering the message or (especially) clicking the internal link or dialing the phone number you’ve been sent.
• Learn how to uncover a spoofed email and test any incoming message that could conceivably be a pretexting attack.  It only takes a moment or two and can save you a lot of grief. 
• Actively manage your online identity, aka your “digital footprint.”  The less information you leave lying around, the fewer opportunities scammers have to misuse it. 
• Know how much of your personal information is already public.  Searching yourself using Spokeo’s people search tools is a really valuable starting point. 
• Check your email, phone number and passwords regularly against a database of known breaches, like the one at Have I Been Pwned?  If your information has been compromised, or if a site you deal with shows up on its list of breaches, you’ll know you’re especially vulnerable to pretexting attacks. 

Subscribe to Spokeo Protect, our identity protection service, which can alert you if crucial pieces of information such as your SSN and banking or credit card information are offered up for sale on the dark web.  If that’s the case, any caller using the same info to establish their legitimacy automatically becomes suspect.

Some of the same principles are fully transferable to businesses, such as teaching everyone how to check for spoofed emails.  Other useful measures include: 

• Signing up for an email security service, which can provide anti-phishing and anti-spoofing tools to complement those that come standard from your provider. 
• Training all staff to recognize pretexting when they see it, whether it happens by phone, email or even in person (yes, criminals sometimes physically enter a workplace in order to compromise it).  This includes executives at the C-suite level, who are the highest-value targets for scammers and have an unfortunate tendency to be impatient with security measures. 
• Establishing policies that take common pretexting attacks into account and make them unworkable.  For example, the vendor attack cited above could be prevented if your policy is to verify all such changes directly with the vendor’s accounts payable department. 

Fraud Never Sleeps, but You Can

It’s an unfortunate fact of our modern, connected world that crime rings operate 24/7.  That doesn’t mean you yourself have to lose any sleep, if you’re appropriately informed or prepared. 

Pretexting isn’t like data breaches and hacks, which you can’t control:  Those will happen, and there’s little if anything you can do about it.  For pretexting to work, you have to “buy” the story the scammer is selling.  You can sleep well knowing that if you’re prepared and skeptical, even the best-thought-out pretext won’t trick you into compliance. 

References:

CSO Online – What Is Pretexting?  Definition, Examples and Prevention

Intel – Intel Processor Advisory SA-00528

ZDNet – Everything You Need To Know About the Microsoft Exchange Server Hack

KnowBe4 – Top 5 Spear-Phishing Attacks Targeting Executives

Mozilla Blog – Mozilla Explains:  SIM Swapping

Wired – How Twitter CEO Jack Dorsey’s Account Was Hacked

CSO Online (Australia) – How To Defraud a Company?  Just Ask. 

Comparitech – What Is a Pretexting Attack (With Examples)?

U.S. Federal Trade Commission – Most Recent Scam Alerts

Better Business Bureau – Latest News:  Scams

Have I Been Pwned? – Check if Your Email or Phone Is in a Data Breach