Some cybercriminals should have become actors instead because they clearly like to pretend to be someone they’re not. They are constantly coming up with all sorts of made-up situations, called pretexts. And this is important to small businesses because, according to Verizon, the number of cyber incidents involving a fake story (or another pretext) doubled in 2022.
So, let’s look at what makes these pretexting attacks so effective – making it challenging for small businesses to keep them at bay.
What Is Pretexting?
Pretexting is a social engineering attack where a scammer fabricates a story to trick you into taking an action that benefits the attacker.
Hackers use these stories to try to convince staff to divulge sensitive information, grant access to protected systems, or perform some other action that’s guaranteed to have unfortunate consequences.
They might try to get you to:
- Provide them with credit card details
- Install an infected software application
- Approve an invoice to be paid (to them)
Unlike many other social engineering attacks, pretexting doesn’t depend on any specific digital channel. If the attacker communicates the pretext and convinces the victim to believe it, they can achieve their goals.
Some methods scammers might use are:
- In person
- Over the phone
How Does a Pretexting Attack Work?
Since pretexting works by getting its victims to participate in a made-up scenario without realizing it, two main conditions must be met:
- The scenario must be believable.
- The attacker must play their role well.
An attacker could call an employee and introduce themselves as their future son. Then, they could ask the employee to infect the company network with malware to stop it from turning into Skynet. But no one would take that request seriously (we hope anyway).
But if that same attacker introduced themselves as a member of the company’s IT department and claimed that there was a security threat that required urgent action…
Well, the employee would be much more likely to comply with their requests – because it’s a plausible scenario. In fact, exactly this kind of pretexting attack hit Uber in 2022, when someone posed as an IT technician.
That’s particularly true if the attacker can provide them with convincing details or evidence to support their story. And this type of information can often be easily obtained by dumpster diving behind the office building or by doing research on social media.
Pretexting vs. Phishing
In most cases, both pretexting and phishing involve fabricated scenarios communicated by an attacker pretending to be someone else to gain the victim’s trust.
The difference is that phishing attacks always happen via email, whereas pretexting attacks can happen through various channels (like phone calls, text messages, or in-person interactions).
Pretexting Attack Examples
The following three examples of pretexting are meant to illustrate the wide range of pretexts employees may encounter and be deceived by:
- An attacker visits a company in person dressed like a fiber technician, claiming that maintenance work is scheduled on the company’s fiber line. The attacker asks the receptionist to direct them to the server room, where they install a backdoor so they can access the system remotely later.
- An attacker sends an email that appears to be from the company’s provider of cloud-based accounting software. The email contains an account verification link and a detailed explanation of a cybersecurity incident that supposedly occurred in the provider’s system. In reality, the link leads to a fake website designed to steal the victim’s login information.
- An attacker uses an AI tool to clone an executive’s voice from footage that’s publicly available on YouTube. The attacker then calls the company to falsely authorize a payment to a foreign bank account. This last example really happened, and it cost the victim, a United Arab Emirates bank, $35 million.
Why Pretexting Is So Successful
Pretexting and other social engineering attacks rely on exploiting weaknesses in human defenses, including:
1. Lack of Awareness
Employees are not always aware of the threats they may encounter and the consequences such encounters can lead to.
2. Neglecting Cybersecurity Best Practices
Even when employees are aware of the threats they face, they sometimes ignore basic cybersecurity best practices because they don’t consider them to be important enough.
3. Being Naturally Trusting
Some employees are naturally more trusting than others – which makes them vulnerable to the tactics used in pretexting attacks.
How to Protect Your Small Business from Pretexting
To strengthen your small business’s resilience through its human defenses, focus on the following defensive measures:
1. Employee Training
Employees should be aware of the different types of pretexting attacks and how they work. To gain this awareness, they can participate in mandatory cybersecurity awareness training sessions organized by a provider of security services.
2. Policies and Procedures
Organizations should develop clear policies and procedures for verifying the identity of anyone who requests sensitive information, access to systems, or attempts to perform some other action that could result in a security incident.
3. Access Controls
It’s paramount for organizations to restrict access to sensitive systems and data by implementing robust access controls, such as multi-factor authentication (MFA). That way, even something as serious as a leaked password won’t necessarily lead to a data breach.
By adopting these cybersecurity best practices, along with others, your organization significantly strengthens its defenses against social engineering attacks, including pretexting.
This proactive approach not only makes it more challenging for attackers to exploit vulnerabilities but also protects your business from the potentially devastating consequences of such breaches.
How Teal Can Help
Pretexting attacks are a significant threat to small businesses. Without proper protective measures in place, they can result in serious consequences. It’s important to remember that the success of these attacks largely depends on human vulnerabilities, so addressing them should be one of your organization’s top priorities.
At Teal, we can help you train your employees to recognize pretexting attacks before they can cause any damage to your organization, develop and implement policies and procedures, as well as deploy access controls tailored to your organization’s needs, among other things.
Contact us today to learn more.