Common Cyber Threats: What Is Pretexting & How Do You Prevent It?

Jul 26, 2024

Social engineering cyber-attacks come in all shapes and sizes, and a healthy security strategy involves being aware of all of them and knowing how to defend and respond. One of the most important social engineering attacks to prepare for is pretexting.

According to Verizon’s 2024 Data Breach Investigations Report, pretexting accounted for 40% of all breaches — even more than phishing. So what exactly is this method of attack? How is it different from phishing? And how can you protect your organization from pretexting?

In this article, we’ll tell you everything you need to know about pretexting and share some real-life examples of pretexting attacks.

What Is Pretexting & How Does It Work? 

Pretexting involves using a fabricated story or context to win an individual’s trust and convince them to share important information, assets, or access to restricted areas.

For example, a criminal might contact you claiming to be your company’s client. The most sophisticated pretexting attacks will build trust over time, using a realistic email address and dropping convincing details to gradually convince you that they’re the real deal. Eventually, they ask you to share confidential data with them, and the scam is complete.

Pretexting vs. Phishing

Pretexting is very similar to phishing. Both rely on deceptive messaging that convinces users to share critical information. And to make things even more confusing, phishing can often be part of a pretexting attack.

The difference is that in phishing, a single message is itself the attack. The malicious link, download, or request is contained within the message. Often, phishing uses fear or urgency to compel you to take action fast.

Pretexting, on the other hand, is more about establishing trust, which can take place over multiple messages, many of which don’t ask for any action at all. Pretexting refers to the process of building trust via a fabricated context, whereas phishing refers to the specific attempt to gain information or access.

Is Pretexting Illegal?

Pretexting is nothing new and has been regulated for many years in different forms. The legality varies depending on a few factors. For example, pretexting to obtain financial information, phone records, or health records is explicitly prohibited under U.S. law. Additionally, pretending to be any kind of law enforcement officer is illegal.

However, there are some murky areas, like pretending to be a friend. And it’s worth remembering that many hackers are based overseas and therefore difficult to prosecute.

Real-Life Examples of Pretexting Attacks 

The best way to approach and mitigate pretexting is to prevent it from ever becoming successful. That starts with informing yourself of ways in which hackers carry out pretexting schemes. Here are three real-life examples of pretexting attacks.

Pretexting via SMS

Hackers commonly use text messaging as part of pretexting schemes. An example of this involved the software firm Retool, whose employees were targeted with SMS messages asking them to resolve an issue by clicking a link.

Eventually, this allowed the attackers to access the systems and steal almost $15 million in cryptocurrency.

Piggybacking Off Pandemic Chaos

The COVID-19 pandemic was a confusing time for everyone, and hackers used the atmosphere of disorientation to pull off some highly successful pretexting attacks.

One example took advantage of the stimulus checks sent out by the U.S. government. Criminals targeted people with a convincing series of emails promising faster check delivery if the recipients shared their personal info. This resulted in tens of millions of dollars in damage.

Devious Use of Deepfakes

Deepfake technology allows hackers to take pretexting to the next level by creating highly realistic fake video and audio clips of specific people. Early in 2024, a finance worker was targeted with one such scam, where the hacker used pretexting supported by deep-faked video content to impersonate a CFO and multiple other staff in a staged video conference.

The attack resulted in a loss of 200 million Hong Kong dollars, equivalent to about $25.6 million U.S.

How to Prevent Pretexting

Just like phishing, pretexting scams rely heavily on human fallibility and a lack of awareness around security. This means the best approach to pretexting security involves a mix of technical readiness and the right training.

In terms of tools, you should have email filtering in place to prevent most pretexting emails from ever reaching their targets. You should also invest in strong anti-malware software for when users download harmful files. And multi-factor authentication can make a big difference in preventing password theft.

The best thing you can do, though, is effectively train all your staff, at all levels, to be aware of pretexting and its risks. They should know all the warning signs to look out for, best practices to follow to avoid scams, and the steps to take if they do fall victim. Run regular training around cyber awareness, and build this into your company culture.

The DYOGUARD Solution

Defending against pretexting attacks is easier when you have access to the best tools out there. That’s what DYOPATH’s DYOGUARD solution is there for — it provides a comprehensive suite of technologies to keep your organization safe from all kinds of attacks, including social engineering attacks like pretexting.

Learn more about the advantages of DYOGUARD here.