Pretexting Scams: Is Your Personal Information at Risk?

Imagine receiving a call from your bank’s fraud department, urgently alerting you to suspicious activity on your account. The caller knows your full name, address, and recent transactions, making the threat seem all too real.

But what if this trusted representative is actually a scammer employing a deceptive tactic known as pretexting?

In this guide, we explore the topic of “pretexting” — a sophisticated form of social engineering where attackers fabricate scenarios to manipulate individuals into divulging confidential information. We’ll cover:

  • what pretexting is;
  • real-world examples of pretexting attacks, and their consequences;
  • and how to spot pretexting attacks and avoid falling victim to them.

Mailfence - Get your free, secure email today.

4.1 based on 177 user reviews

What is Pretexting?

Pretexting is a form of phishing attack that relies on a “pretext”, i.e. a fabricated scenario.

If you haven’t yet, make sure to check this blog post, which covers the concept of phishing extensively. Many of the ideas explored in that article are applicable here too. You can also check this article, which covers the difference between spam and phishing.

Social engineering and phishing attacks in general rely on one or several of the following components:

  • Trust: attackers pretend to be someone they’re not (a bank, a government agency…) by using their logos, tone of voice, formatting, etc. They often use an email address that is very close to the real one (a method called spoofing).
  • Compliance: as humans, we are trained to comply with authority. By impersonating high-ranking officials or important companies such as your bank, attackers can get you to reveal sensitive data.
  • Urgency and fear: people act irrationally when overcome with a sense of panic. Attackers prey on these emotions by using fake credit card alerts, warnings of account deletion, etc.

Pretexting attacks rely on all 3 of these elements.

Let’s explore this further with an imagined example.

How pretexting relies on trust, compliance, and urgency

Imagine receiving an urgent email from your company’s IT department, warning of a recent security breach.

The email instructs you to reset your password immediately to protect sensitive data.

The email then provides a link to a password reset page that looks exactly like your company’s website. It’s only later that you realize you just sent your login credentials to hackers, and there never was any security breach.

Let’s dissect the anatomy of this pretexting attack:

  • The pretext: your company has suffered a security breach, and you therefore need to update your password.
  • Trust: the attackers spoof your IT department and the website you are led to looks totally legitimate.
  • Compliance: the email uses an authoritative tone, and seems to come from “higher up”. We are naturally inclined to follow orders and protocols, especially under the pretext of security.
  • Urgency and fear: the email might use words like “recent breach”, “immediate action” and “urgently”. This creates a sense of urgency and fear if you do not act quickly.

In other scenarios, the pretext can be much simpler: your ISP needs your logins to upgrade your connection speed, for example. Pretexting attacks can even happen in the physical world, which brings them closer to tailgating attacks.

For example, an individual could pretend to be a delivery courier. They then convince the receptionist to grant them access to a secure area to deliver a package.

The best pretexting attacks combine trust, compliance, and urgency to build their pretext. That is why spotting them is key to avoiding falling victim to such attacks.

Real-World Examples of Pretexting Attacks

Let’s now look at several high-profile cases of pretexting attacks, and what we can learn from them.

Lapsus$ Group’s attack on Microsoft and Nvidia

In 2022, the cybercriminal group Lapsus$ executed a series of high-profile pretexting attacks on major tech companies, including Microsoft and NVIDIA.

The attackers impersonated company insiders and used stolen credentials to gain unauthorized access to sensitive data.

Their approach often involved manipulating employees through social engineering to bypass security protocols. For example, attackers posed as internal IT support personnel, contacting employees under the guise of performing routine security checks or addressing technical issues.

The same group was also responsible for an attack on Okta, the digital identity management company.

To learn more about this attack, check Microsoft’s blog entry here.

MGM Resorts International Data Breach

In September 2023, the hotel chain MGM Resorts International experienced a data breach initiated through a sophisticated pretexting attack.

Attackers posed as company employees and contacted MGM’s IT help desk, convincing staff to provide network access.

By impersonating trusted personnel and creating a sense of legitimacy, the attackers deceived employees into granting them access to sensitive systems. Sensitive data such as customer names, phone numbers, email addresses, driving license numbers, and more were acquired. 

You can find more information about this pretexting attack in MGM’s press release.

Retool pretexting cyberattack

In August 2023, software firm Retool suffered a cyber attack initiated by an SMS phishing (also known as smishing) scheme.

Attackers posed as members of the IT team, and fabricated a believable scenario, convincing employees to click on malicious links.

The links allegedly related to some kind of payroll issue. All the attackers needed was for one person to fall for the pretext in order to gain access to the company’s internal systems.

In the end, the attackers managed to take over 27 customer accounts, with one customer losing US$15 million in cryptocurrency.

Pretexting Attacks: How to Prevent Them?

Spotting and preventing pretexting attacks is mainly achieved through training and awareness.

Here are some of the steps you should go through whenever you are suspicious of an email or call:

  1. Never hand out confidential information by email or over the phone – especially financial information.
  2. Always pay attention to the sender’s email address. It may imitate a legitimate business with only a few characters altered or omitted.
  3. Never open a suspicious attachment, as it is a standard delivery mechanism for malware.
  4. Hover over links to check the real destination. Check for misspellings in the URL, which could be an indication of a spoofed website.
  5. Never act out of fear or urgency. Take the time to assess the situation, and contact the sender through the usual means (official website, phone number, etc.)
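Steps 2 and 4 can also be automated as a mail-filter check. The sketch below is an added example, not code from Mailfence: it flags sender addresses and link destinations whose domain is within a couple of character edits of a trusted one. The `TRUSTED` list, the two-edit threshold and the sample message are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list; in practice, the domains your organisation really uses.
TRUSTED = {"example.com", "example-bank.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value: str) -> str:
    """Lower-cased host of a URL, or the domain part of an email address."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def classify(host: str, trusted=TRUSTED, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for one host name."""
    labels = host.split(".")
    # The host and each of its parent domains: login.examp1e.com -> examp1e.com
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    if any(c in trusted for c in candidates):
        return "trusted"
    for good in sorted(trusted):
        if any(edit_distance(c, good) <= max_edits for c in candidates):
            return f"lookalike of {good}"
    return "unknown"

def review_message(sender: str, links: list[str]) -> list[str]:
    """Collect a warning for the sender and for every link that is not trusted."""
    findings = []
    for label, value in [("sender", sender)] + [("link", u) for u in links]:
        verdict = classify(host_of(value))
        if verdict != "trusted":
            findings.append(f"{label} {host_of(value)}: {verdict}")
    return findings

if __name__ == "__main__":
    # Constructed sample modelled on the IT password-reset pretext described earlier.
    sample_links = ["https://example.com/reset", "https://exmple.com/reset"]
    for line in review_message("IT Support <it-support@examp1e.com>", sample_links):
        print(line)
```

A domain that merely contains a trusted name, such as `example.com.evil.test`, comes back as `unknown` rather than `trusted`, because only the end of the host name is matched against the allow-list.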

Conclusion

That’s it for this guide on pretexting attacks! Hopefully, you now have a better grasp of this type of attack and will be able to prevent future ones from occurring.

As a final reminder, you should never trust unsolicited text messages coming from your bank, your employer, or even a friend which include links to an app or website.

If you want to take your cybersecurity further, then your first step should be to get a private and secure email provider. Here at Mailfence, we pride ourselves on:

  • Advanced security tools: end-to-end encryption, symmetric encryption, digital signatures, and a lot more.
  • No tracking or advertising. We do not use any third-party advertising or marketing trackers. We do not track your activity in the application. Mailfence is completely free from ads.
  • Strict privacy laws. Mailfence’s servers are based in Belgium, with strong laws protecting privacy. Only a valid Belgian court order can force us to release data.

Interested in taking your privacy and cybersecurity to the next level? Create your free account today!

Want to dive deeper into the world of pretexting attacks? Check this extensive report by Verizon on the state of data breaches in the world, their sources, and their consequences.

Simon Haven

Simon is the Marketing Manager here at Mailfence. He leads the team in crafting informative and engaging content that empowers users to take control of their online privacy. His areas of expertise include SEO, content creation and social media management.
