Social engineering attacks have increased as circumstances have changed, with most companies sending their employees home due to lockdowns. Ethical hackers face new challenges in identifying these attacks as tactics are evolving and becoming more elaborate. Among the many different forms of social engineering attacks, pretexting is one of the most complex yet dangerous. Through this article, you’ll learn what is pretexting along with the means of identifying and avoiding these issues.
What Is Social Engineering
Social engineering refers to the art of maneuvering people to reveal confidential information. It usually involves psychological manipulation, communicating a sense of urgency, inciting fear, and similar emotions in the victim. This will prompt the unsuspecting user to give up sensitive information quickly.
Based on recent data breach reports, the reason for the increase in social engineering attacks is money. The incentive for money-inspired attacks has doubled from 2018 to date and has continued to soar even after the COVID-19 pandemic.
Recently, a Chinese manufacturer lost about USD 60 million through a fraud scam which landed the CEO in court. In this social engineering attack, the scammers imitated senior executives and deceived workers into transferring huge funds. Gartner forecasts that by the year 2024, CEOs could be legally responsible for data breaches and pretexting will be a primary reason for this.
What is Pretexting?
Pretexting is a social engineering strategy where a vicious attacker retrieves sensitive information from unsuspecting users. This social engineering attack’s main characteristic is that the scammer crafts a somewhat believable story (or pretext) to manipulate the victim.
One of the most popular examples of pretexting attack is when an unknown caller contacts a staff member and imitates the CEO or someone in power to obtain sensitive information. The scam artist persuades the victim that the setup is real and acquires the necessary information.
Common Pretexting Techniques
The key feature of a pretexting attack is the crafting of a believable story. This is the pretext the scammer uses to lure the victim. It sets the stage for the plot. Some hackers also create supporting characters in order to lure the victim into believing that the attempt is from an authentic source. This is the major foundation for any technique used to obtain unauthorized information.
Usually, there are two outstanding features of a pretext. This includes the plausible scenario and the character in power played by the scammer. We are all conversant with the errors that come with financial transactions.
There is no clear report on who could potentially be a victim of pretexting but attackers typically target someone whose breach could result in massive financial damage. The trickster pretends to be a character that executive-level employees will trust. The more information the scammer has about the victim, the easier it is for the victim to fall into the trap.
What Is the Difference Between Phishing and Pretexting?
Pretexting and phishing are not very different from each other, but the attack method and the targets often vary depending on the victim. Here are some differences that you should know about:
|Attackers use elaborate methods to lure victims.||Not very elaborate and fake email addresses can easily be verified.|
|Attackers impersonate CEOs, clients, partners, or other senior management members for manipulation.||Attackers impersonate someone important without much research.|
|Less typos and grammatical mistakes.||Communication is prone to typos and grammatical mistakes.|
|Always results in information compromise or massive funds loss.||The degree of compromise or loss depends on who the attacker is able to manipulate.|
How to Prevent Pretexting
You can prevent pretexting through the following safety measures:
- Ensure every employee wears the appropriate employee tags and credentials to prevent tailgating on the office premises.
- Focus on removing the “treasure” the attacker is hunting for — your password. You should focus on technologies that improve password protection, credential management, and multi-factor authentication.
- Don’t click on unknown links in email messages.
- Constantly update your antivirus software.
- Ensure security awareness training to build a defense against human error.
- Always verify a call, text, or email you receive before granting a request.
- Invest in artificial intelligence solutions to prevent social engineering attacks.
Apart from this, make sure that you have a team of ethical hackers who are well trained to sense these attempts and alert you before the incident occurs. It is also not a bad idea to train your existing IT support team with ethical hacking certification. New certifications that cover new technologies and industrial breakthroughs are vital to counter modern-day cybersecurity challenges. If you are a student or an employer looking for ethical hacking certification, you should always select a program that also offers simulations to counter social engineering attacks while on your job.
About EC-Council’s Certified Ethical Hacker (CEH)
EC-Council’s is the most widely recognized and demanded certification in this industry. CEH v11 teaches participants about the latest commercial-grade hacking technologies, methodologies, and techniques leveraged by hackers and information security experts to hack an organization legitimately. CEH v11 certified cybersecurity professionals are trained to recognize social engineering tactics like phishing, cybersecurity pretexting, snooping, sniffing, and more.
For more information, visit our course page today!