Have you ever received a message from someone and assumed they’re probably not who they claim to be? That’s pretexting.
Pretexting is a social engineering attack in which the attacker uses a story or material to obtain information they may not be able to obtain if they were clear and transparent about who they are.
This means the pretexter creates a convincing story around who they are and why they need the information, so that the person or business they speak to lets their guard down and shares information openly.
In the following video, from his famous #AskaPIShow, Tim Santoni explains what exactly pretexting is and how to avoid becoming a victim.
It is against the law to use pretexting to obtain details such as SSN, driver’s license number, banking details, phone records, social handles, and any other private information to gain access.
How does pretexting work? And how do they get sensitive information from you?
In social engineering, pretexting occurs when a pretexter impersonates a co-worker or anyone in authority, such as a police officer, a bank manager, a tax authority, or an insurance investigator.
The pretexter poses as someone who has the authority or a right to know the details. The impersonator then prepares questions to ask the intended victim. For pretexting to succeed, all the impersonator needs is an authoritative voice, a serious tone, and a few tidbits of information about the victim.
What’s in it for a pretexter? And why do they do it?
By carrying out a pretexting attack, the impersonator gains both sensitive and non-sensitive information via social engineering. Pretexting is common among teens, where the impersonator pretends to be someone you like and convinces you to give them private information such as private pictures, parents’ credit card details, home addresses, and other personal information.
In today’s age, trusting someone is a luxury. With malicious actors on the loose, it’s hard to distinguish between who you can trust and who you cannot. Pretexters are smart, and they build a proper story around you to disarm your suspicions and have you talk to them openly.
How to defend yourself against pretexting?
As with any defense against an online attack or a social engineering attack, you must take a proactive approach rather than a reactive one.
Let’s say you receive an email from an individual claiming that the AC maintenance guy will be swinging by tomorrow for your free annual maintenance. Don’t simply rush ahead and buy it. There’s no such thing as “free”, as we all pay for nearly every commodity, and the appeal of free offers is being exploited in social engineering.
Enquire about the sender’s company by calling them up, and verify that they indeed exist and are actually sending someone to your address. Ask them to confirm your address before they send someone. If you happen to be at home when the individual arrives, have them show you proper documentation and record the event, if possible.
The same applies to the digital world, where you will face all sorts of pretexters. Several websites might claim to be hosting an event or an expo near you, or invite you to a conference in Vegas (all for free!). All this may seem tempting, but you have to act smart. Call the reception and confirm that this event is indeed taking place.
It’s crucial that you double-check any website that only accepts cash or PayPal. In short, always approach the source of the pretext, as that is your best measure of protection, and ignore any messages or calls from unknown numbers.