With the geopolitical instability and economic uncertainty present in today's world, we are seeing more phishing attempts across the globe, and pretexting tactics are becoming more effective and sophisticated as well.
A common misconception about phishing is that a phishing attempt must use malicious links or attachments to steal information or leak valuable data. In fact, we are seeing more attacks that originate with seemingly innocent, link-free communication. This particular tactic is called pretexting.
What is Pretexting?
Pretexting is a form of social engineering in which a cyber criminal coaxes information or system access out of a target by means of a story, or pretext. The pretext typically appears to come from a credible source, such as a friend, a coworker, or an authority figure, which lowers the target's defenses. The goal is to build trust and, eventually, extract valuable information. Because the story is usually plausible on its face, pretexting is a difficult tactic to spot.
In this post, we’ll walk you through three common pretext phishing attempts.
Scenario 1: Asking for Help
It is normal to receive requests from family, friends, and coworkers on a regular basis. That’s why asking for help is often a plausible scenario for pretext phishing attempts.
In this scenario, the cyber criminal may use spoofed contact information (a forged sender address, or a familiar display name on an outside mailbox) to appear as a colleague or authority figure, which can quickly lower the guard of the target.
Perhaps an email appears to come from your CEO asking for help with a task. This seemingly innocent request lures the employee into the trap. If he or she agrees, the attacker then defines the "task" as providing access or information.
Asking for help can come in more direct forms. Some attackers impersonate people in Payroll or HR, asking for help or clarification on payment information or bank account details.
Scenario 2: Requesting Additional Contact Information
Sensitive information, such as payment details and account numbers, is often shared over the phone rather than in writing. In this scenario, the cyber criminal uses the pretext to get the target on the phone, where personal information can be extracted with less of a written trail.
For example, an employee may receive an email (again from a CEO, coworker, or other authority figure) that goes something like this:
Are you available? Can you give me your work or personal number, there’s a task I want to discuss with you and it would be easier to talk over the phone.
This seems like a perfectly reasonable request. However, once on the phone, the employee could be walking into a trap: the voice on the line may be the attacker, or even an AI-generated deepfake, impersonating the person they think they are talking to.
Scenario 3: Requesting Funds for a Surprise or Event
One of the most unfortunate scenarios is when cyber criminals hide behind the pretext of a good deed or a promising social event. Perhaps the attacker tells the victim they are planning a surprise or event for colleagues or business partners. Then they ask for the victim's "help" or "contribution."
This pretext achieves two purposes. One, it lowers the victim's guard, because they believe they are genuinely doing something good for their team or company. Two, bringing a "surprise" into the mix naturally encourages the victim to keep quiet about the activity, giving the attacker more time to pull off the phishing attempt before anyone checks.
What Happens if You Respond to a Pretext Phishing Attempt?
Pretexts are only becoming more common. To make matters more complicated, the tactics are varied and ever-changing. If you do respond to a pretext attempt, it doesn't automatically mean that you are trapped. Typically, a response is just the first step in a back-and-forth chain of events.
If the first step succeeds, the attacker knows that time is limited and therefore accelerates the pace of the conversation or request. If you do buy into a seemingly reasonable pretext, pay attention to the series of events that follows, with particular attention to the following:
- Pace: is the conversation speeding up past what feels natural for the person or circumstance? Is the correspondent rushing you or putting the pressure on?
- Money/Stakes: your alarm bells should go off if there is a significant amount of money involved. When in doubt, take a pause from the conversation and analyze the circumstances.
- Sensitive Information: you should NEVER provide sensitive information via email. If you are asked to provide passwords, login details, bank account details, or other sensitive information, stop and reanalyze the situation, and verify the request through a channel you already trust, such as calling the person back on the number listed in the company directory rather than one supplied in the email.
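The indicators above can be checked mechanically before a message ever reaches an inbox. The following Python script is an added example, not code from the original post or from PhishNet: it parses raw email messages and flags the pace, stakes and sensitive-information cues in the body, and it goes beyond the text by also checking the headers for the "spoofed contact information" from Scenario 1, namely an executive's display name on the wrong address, an external sender domain, and a Reply-To that differs from the visible sender. The company domain example.com, the executive list, the cue word lists and the three sample messages are constructed assumptions.

```python
"""Triage raw email messages for pretexting indicators.

Added example, not code from the original post. The company domain, the
executive list, the cue words and the sample messages are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the defending organisation's domain
# Assumption: display names attackers are likely to impersonate, mapped to
# the only address each one legitimately sends from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Body cues (assumed word lists): phone-number requests (Scenario 2),
# urgency (pace), money (stakes), credentials or bank details (sensitive
# information) and secrecy (the "surprise" of Scenario 3).
CUES = {
    "phone_request": re.compile(
        r"\b(work|personal|cell|mobile)\s+(number|phone)\b|\bcall you\b", re.I),
    "urgency": re.compile(
        r"\b(urgent|asap|right away|immediately|as soon as possible)\b", re.I),
    "money": re.compile(
        r"\b(gift cards?|wire|transfer|invoice|payment|contribution)\b", re.I),
    "credentials": re.compile(
        r"\b(password|login|bank account|account details|routing number)\b", re.I),
    "secrecy": re.compile(
        r"\b(surprise|keep (it|this) (quiet|between us)|don't tell)\b", re.I),
}


def analyse(raw: str) -> dict:
    """Return header findings, body cues, a score and a suspicious flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()  # '' if From is missing
    header_findings = []

    # Display-name impersonation: a known executive's name on the wrong address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        header_findings.append(f"display name '{from_name}' on {from_addr}")
    # Any sender outside the company domain (a missing From counts as external).
    if from_domain != COMPANY_DOMAIN:
        header_findings.append(f"external sender domain '{from_domain}'")
    # Reply-To redirect: replies leave the visible sender and reach the attacker.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        header_findings.append(f"Reply-To {reply_addr} differs from From")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    body_cues = [name for name, pat in CUES.items() if pat.search(text)]

    # A mismatched sender is evidence; a single word such as "invoice" is not,
    # so header findings weigh twice as much as body cues.
    score = 2 * len(header_findings) + len(body_cues)
    return {"header_findings": header_findings, "body_cues": body_cues,
            "score": score, "suspicious": score >= 3}


# Constructed sample messages; none of these addresses or people are real.
SAMPLES = {
    # Scenario 2 as it arrives: the CEO's name on an outside mailbox.
    "spoofed_ceo": (
        "From: Jane Doe <jane.doe@mail.example.net>\n"
        "Reply-To: jane.doe.ceo@mail.example.net\n"
        "To: staff@example.com\n"
        "Subject: Are you available?\n"
        "\n"
        "Are you available? Can you give me your work or personal number, "
        "there's a task I want to discuss with you and it would be easier "
        "to talk over the phone. Please reply ASAP.\n"
    ),
    # Scenario 1 in its direct form: a fake payroll team wants bank details.
    "fake_payroll": (
        "From: HR Department <hr@example-payroll.net>\n"
        "To: staff@example.com\n"
        "Subject: Payroll records update\n"
        "\n"
        "We are updating payroll records. Please confirm your bank account "
        "details and routing number as soon as possible so your next "
        "payment is not delayed.\n"
    ),
    # A routine internal message that mentions money but asks for nothing.
    "routine_internal": (
        "From: Bob Smith <bob.smith@example.com>\n"
        "To: staff@example.com\n"
        "Subject: Q3 vendor invoice\n"
        "\n"
        "Hi, the invoice for the Q3 vendor payment is attached to the "
        "ticket. No action needed, just for your records.\n"
    ),
}


def triage(samples: dict) -> dict:
    """Analyse every sample; a mail gateway would run this per message."""
    return {name: analyse(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name:17} {flag:10} score={result['score']} "
              f"{result['header_findings'] + result['body_cues']}")
```

Run stand-alone, the script marks the spoofed CEO message (three header findings plus the phone-number and urgency cues) and the fake payroll message as suspicious, while the internal invoice note scores only one point for the word "invoice" and passes. The weighting is deliberate: wording alone is too noisy to act on, but an executive's display name on an outside address is worth a look regardless of what the body says.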
While there are steps to de-escalate a phishing attempt once it is under way, including pausing the conversation and confirming the request out of band, we believe that prevention is key to stopping phishing attempts. Creating a cyber-aware culture will help employees identify phishing attempts even as attackers use more sophisticated methods.
Stop Data Breaches Before They Happen with PhishNet
The best way to protect against phishing attacks is to prevent them in the first place. This is most easily accomplished by cybersecurity awareness training. Staff who receive effective cybersecurity awareness training are better prepared to recognise and take the necessary steps to avoid a phishing attempt.
PhishNet delivers highly effective, engaging, and affordable cybersecurity awareness training to help businesses mitigate the risks of human error data breaches.
Talk to PhishNet today to learn more or check out our free Risk Assessment.