Pretexting is a social engineering tactic in which an attacker attempts to gain information, access, or money by tricking a victim into trusting them, according to Josh Fruhlinger at CSO Online. Fruhlinger outlines the various techniques used in these scams, and explains that attackers try to insert enough real details to make the ruse believable.
“It's not enough to find it plausible in the abstract that you might get a phone call from your cable company telling you that your automatic payment didn't go through; you have to find it believable that the person on the phone actually is a customer service rep from your cable company,” Fruhlinger writes. “Thus, the most important pretexting techniques are those the scam artist deploys to put you at ease. If an attacker has somehow obtained your cable bill, for example by going through your garbage, they'll be armed with the name of your cable provider and your account number when they call you, which makes you more likely to believe that they really are the character they're playing.”
Fruhlinger says this highlights how attackers prepare for targeted attacks. The Internet has made it much easier to gather information about any given person or organization, and all of this information can contribute to a social engineering scheme.
“This example demonstrates something of a pretexting paradox: the more specific the information a pretexter knows about you before they get in touch with you, the more valuable the information they can convince you to give up,” he says.
Fruhlinger concludes that the key to thwarting attacks is knowing how they work.
“One of the best ways to prevent pretexting is to simply be aware that it's a possibility, and that techniques like email or phone spoofing can make it unclear who's reaching out to contact you,” Fruhlinger writes. “Any security awareness training at the corporate level should include information on pretexting scams. ... On a personal level, it's important to be particularly wary whenever anyone who has initiated contact with you begins asking for personal information. Remember, your bank already knows everything it needs to know about you — they shouldn't need you to tell them your account number. If you're suspicious about a conversation with an institution, hang up and call their publicly available phone number or write to an email address from their website.”
New-school security awareness training can help your employees recognize social engineering tactics by teaching them the inner workings of pretexting attacks.
CSO Online has the story: https://www.csoonline.com/article/3546299/what-is-pretexting-definition-examples-and-prevention.html