Pretexting is a type of social engineering attack in which the attacker gains a victim’s trust in order to obtain their private information. Establishing the victim’s trust is critical to the attack’s success, so the attacker will research their target and create a plausible backstory to make themselves more credible.
Unlike most phishing scams, pretexting doesn’t require the user to click a link that downloads malware or sends them to a bogus site. Instead, much like vishing, the attacker masquerades as someone from a legitimate organisation so that the victim hands over sensitive information without hesitation.
How does pretexting work?
In pretexting scams, fraudsters build up a relationship with the victim to gain their trust.
For example: your organisation’s Finance Assistant receives a phone call from someone claiming to be from an existing supplier. Over a series of calls, the caller explains that financial details need to be verified as part of a new process, and the Finance Assistant eventually provides all the details the caller asks for.
In this scenario, the caller built a relationship with the victim using a backstory that was compelling enough to trick the target into handing over the information.
Spotting an illegitimate request isn’t easy, so if in doubt it’s always best to check with a colleague. No matter how convincing the story, sensitive information should never be given out over the phone.
How to prevent pretexting
Every member of staff is responsible for information security in their organisation. Security best practices need to be embedded in working practices to be most effective. Regular staff awareness training can break users’ bad habits and increase their vigilance to reduce your organisation’s risk of attack.