Pretexting attacks are a growing threat to organizations, warn Chris Tappin and Simon Ezard from the Verizon Threat Research Advisory Centre. Verizon’s 2018 Digital Breach Investigation Report shows that 170 data breaches this year were caused by pretexting attacks, compared to 61 in 2017. Tappin and Ezard attribute this rise primarily to poor security policies and a lack of security awareness among employees.
Pretexting is a targeted, social engineering-based attack in which attackers use continuous dialogue to build a sense of trust with the victim. By creating a fabricated scenario and posing as a senior employee or a trusted vendor, attackers manipulate victims into willingly giving up sensitive information, granting access to systems, or even transferring money. These attacks are surprisingly effective because they target the human element and are often able to compromise systems that have appropriate technical defenses in place.
Tappin and Ezard believe that security professionals often face “decision paralysis” brought on by the multitude of varied threats to their organizations. They recommend that these professionals focus first on ensuring that basic, fundamental security principles are being followed by employees. Phishing and pretexting are not highly technical attacks, yet they are among the top ten causes of all data breaches. Even the most sophisticated attackers use these methods because they are so effective.
Tappin and Ezard say that organizations need to educate their employees about malicious activity and compel them to respond if they see something suspicious. For example, employees should be encouraged to question strange or unexpected emails from their superiors. Pretexting attacks are successful when employees are unaware of the techniques used by attackers. New-school security awareness training can create a culture of security within your organization by ensuring that employees are constantly on the lookout for suspicious behavior.
CSO has the story: https://www.cso.com.au/article/648201/how-defraud-company-just-ask/