Pretexting - Types and Prevention Methods
What is Pretexting?
“Your bank account has been dormant for very long. Share bank information to activate now”. Does this message or its meaning sound familiar to you?
If yes, then someone is trying to make you the prey of pretexting, one of the most common social engineering methods. It existed long before the internet; the internet has simply made it more frequent. In the UK, blagging was the term used for such acts. Most commonly, tabloids relied on this deception technique to throw dirt on famous personalities.
Let’s explain it more specifically now.
In this technique, fraudsters send provocative or call-to-action messages that create a sense of emergency or seriousness on the receiver's end, so that the receiver feels bound to share crucial information. Because the attacker comes up with a pretext, or story, to lure the victim, it is called a pretexting attack.
To be precise, the criminal tries to present himself as a legitimate persona and claims that his actions are in the prospective victim's interest, which is not the truth.
Types of Pretexting
Fraudsters have many ways to fool people, and therefore, pretexting also has numerous types. We present its popular methodologies next.
- Tailgating
Often known as piggybacking too, it is a type of pretexting that targets the security of the victim or resource. Its most common example can be taken from movies. You must’ve seen many scenes in which a person who wants to force entry into a house or company disguises themselves as someone trusted, like a delivery person, an electrician, a plumber, or even an employee. This is tailgating pretexting.
It goes like this: an unauthorized party keeps an eye on verified, authorized people so that the right opportunity to enter a restricted facility or resource can be grabbed. Its aim is to break the access control system and gain access to a secure resource or premises.
When it comes to software and applications, the meaning of pretexting is much the same. The only difference is that, in place of a person, corrupted software or a corrupted app acts like a trusted resource.
- Impersonation
The term itself means imitating others’ behavior and manners. It’s very popular among pretexters because it’s easy and drives impressive results.
In this pretexting method, the fraudster pretends to be someone whom the victim trusts the most in order to access a system. Depending on the situation, s/he could pose as an employee, relative, boss, or friend of the victim and try to learn the email, bank password, or other critical information.
This technique is well known and has been the reason behind many notorious attacks. For instance, Ubiquiti Networks faced it in 2015 and ended up losing $46.7 million because of an impersonation-based pretexting attack. Impersonation was not the only means used to fool the employee, however; email spoofing was also used. SIM swap scams mostly take place through this pretexting methodology.
- Piggybacking
This category of pretexting targets the network. In this type, hackers use an already active session, initiated by a legitimate user, to gain access to controlled channels. The victim unknowingly carries the hacker into a trusted resource that the hacker is not able to access alone. When it comes to wireless channels, piggybacking is illegal.
The technique relies on free network access and can restrict the data flow for verified users. IT piggybacking and Wi-Fi piggybacking are the two most common types of piggybacking.
- Baiting
Most commonly compared to the Trojan Horse, baiting uses media to take advantage of the victim’s curiosity or greed. Though it seems very similar to phishing, it’s not exactly the same thing: baiting benefits the victim at times, while phishing is always harmful.
For instance, some baiting incidents may involve offering free music or movies to the target, provided the requested details are handed over. It exists in both the digital and the physical world.
- Vishing and Smishing
When phishing happens through voice or phone, it’s known as vishing. In this pretexting technique, attackers try to obtain critical information over the phone. It works in situations where the technique used to identify callers in voice transactions has a weakness.
To sound authentic and genuine, scammers abuse advanced VoIP facilities such as IVR, AI voices, and caller ID.
When only text messages are used to deceive the victim, it’s known as smishing.
- Scareware
As the name suggests, scareware is a type of malware that fosters fear in the victim. It insists that a malicious resource be downloaded or purchased. Hackers using this method show multiple counterfeit pop-ups to change the mind of the possible target. Spotting scareware is easier than ever, as its presence reduces system performance and frequently makes the system unresponsive.
- Pretexting vs phishing
As both of these are types of social engineering, it’s easy to consider them identical. But they are different, as phishing is email-based while pretexting is phone/text-based.
Phishing creates urgency and forces victims to take immediate action. Pretexting is impersonation-based and takes advantage of human negligence, fear, and error. However, both lead to massive damage if appropriate action is not taken.
Pretexting is more common than one might imagine. If we look closely, we can find many real-world examples.
- Your friend needs your help
An impersonation tactic for spear phishing, it creates a sense of urgency or chaos by telling the victim that someone they love or care about is in danger.
CEO fraud is a common type of this pretexting technique, in which a hacker claims to be a senior colleague to pressure employees into taking immediate action.
- A surprise is waiting for you
With such a pretext, the scammer lures the victim by exploiting the human weakness for free gifts and surprises. We all become curious to know what the surprise is, and this is what proves useful for hackers. If the victim is convinced, the hacker can ask for a token amount or credit card details to claim the gift or unbox the surprise, and that is the beginning of a never-ending hassle.
- Your credit card is expiring! Click here to renew
This is a very common pretexting example. As credit cards are the most widely used means of transaction, pretexters use them as a hook to obtain sensitive details.
Pretext and U.S. law
As it involves deception, data theft, and stealing money, pretexting is not legal in the US. Regardless of the domain, attempting to pretext is an unlawful act, and the US has many laws covering it. The Gramm-Leach-Bliley Act of 1999 states that pretexting, in any form, is a punishable offense, and organizations regulated under this law are bound to educate employees about pretexting while enforcing adequate prevention methods. The law is applicable to financial institutions.
There is one pretexting-specific law in the US. It came into being in 2006 and is known as the Telephone Records and Privacy Protection Act. Telecom companies and the data they maintain are in the purview of this
How to Prevent Pretexting?
Pretexting can create a nuisance beyond one's imagination. If it is not handled diligently, one can end up losing a great deal of money and reputation because of it. As it exists in many types and forms, detecting it early and remedying it effectively can be overwhelming for some. However, the good news is that it can be prevented to a large extent with the right approach and a bit more awareness.
Below, we list some of the most viable ways to build a defense mechanism against pretexting.
DMARC
It is a free technical specification that uses SPF and DKIM to prevent email-based compromise, spoofing attacks, and phishing. While it’s effective, understand that its reach is limited and that it can be demanding at times, as a complex maintenance mechanism works behind it.
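As an added example (not Wallarm's code), the sketch below audits a DMARC TXT record for the settings that leave spoofed mail deliverable, with a weak record beside an enforcing one. The records, the `example.com` domain and the finding codes are constructed for illustration.

```python
# Added example: audit DMARC TXT records (tag=value pairs separated by ';').
# Records below are constructed; example.com is a placeholder domain.
MESSAGES = {
    "NOT_DMARC": "record does not start with v=DMARC1",
    "NO_POLICY": "p= is missing or not one of none/quarantine/reject",
    "P_NONE": "p=none only monitors; mail failing SPF and DKIM is still delivered",
    "PARTIAL_PCT": "pct below 100 leaves part of the failing mail unfiltered",
    "SP_NONE": "sp=none exempts subdomains from the policy",
    "NO_RUA": "no rua= address, so aggregate reports are never received",
}

def parse_dmarc(txt):
    """Split a DMARC record into an ordered dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return finding codes for one record; an empty list means no findings."""
    tags = parse_dmarc(txt)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["NOT_DMARC"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("NO_POLICY")
    elif policy == "none":
        findings.append("P_NONE")
    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append("PARTIAL_PCT")
    # sp inherits p when absent; flag only an explicit downgrade for subdomains
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("SP_NONE")
    if "rua" not in tags:
        findings.append("NO_RUA")
    return findings

WEAK = "v=DMARC1; p=none; pct=50"
STRICT = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for record in (WEAK, STRICT):
        codes = audit_dmarc(record)
        print(record, "->", codes or "no findings")
        for code in codes:
            print("   ", MESSAGES[code])
```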
AI-Based Email Analysis
The shortcomings of DMARC can be addressed with the help of AI-based email analysis. It is a modern approach capable of detecting suspicious activity aimed at conducting a successful pretexting attack. As the technology is advanced, it can spot anomalies in email traffic, cousin domains, and name spoofing incidents. The addition of NLP strengthens this technology further and reduces the failure rate.
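Two of the signals named above, cousin domains and display-name spoofing, can be approximated with simple rules, shown here as an added example that is neither an AI model nor Wallarm's code. The trusted domain, the executive name and the sample From headers are constructed assumptions.

```python
# Added example: rule-based checks on the From header of inbound mail.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organisation's own domains
EXECUTIVES = {"jane doe"}           # assumption: names worth impersonating

# Characters commonly swapped to build a lookalike ("cousin") domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Map lookalike characters to the letters they imitate."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return trusted, cousin-domain, display-name-spoof or external."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"   # header only; SPF/DKIM/DMARC must confirm the sender
    for good in TRUSTED_DOMAINS:
        # Distance <= 2 is a coarse threshold and can misfire on short domains.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return "cousin-domain"
    if name.strip().lower() in EXECUTIVES:
        return "display-name-spoof"   # known name, unrelated outside address
    return "external"

SAMPLES = [  # constructed From headers
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@examp1e.com>",
    "IT Support <helpdesk@exarnple.com>",
    "Jane Doe <jdoe.office@freemail.test>",
    "Newsletter <news@vendor.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):20} {header}")
```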
Educating The Users
Education is the best tool against any kind of hassle or danger. Following the same philosophy, we suggest that organizations educate employees and clients about pretexting.
Using case studies and real-world examples, teach what pretexting looks like and the harm it causes. Talk about email spoofing and cousin domains as much as you can.
Also, you may consider Wallarm’s pretexting strategy to handle it at your end.
API Security - Wallarm offers highly automated API security strategies that promise end-to-end protection. As its API protection is activated from the very stage of API publication, vulnerability projection is better from the beginning. The API security approach of Wallarm is independent of the API type. All the leading API varieties like SOAP, REST, and many more are compatible with it.
Bot Protection - The risks posed by bots are greatly reduced by Wallarm's modern bot protection strategy, which can safeguard access resources such as APIs and mobile apps. Bot traffic is monitored through and through to keep account takeover and other bot-related risks at bay.
DDoS Protection - Pretexting incidents involving DDoS attacks can be foiled with Wallarm's top-notch DDoS protection strategy. Malicious attacks are blocked continuously so that there is higher uptime and zero negative impact on performance.
API Threat Prevention - By bringing the most viable API threat prevention techniques like API Discovery, Cloud WAF, and Automated Incident Response, Wallarm keeps the used APIs safe and secure at each lifecycle stage.
Protection against Pretexting by Wallarm
Using Wallarm solutions, you get end-to-end protection against all kinds of pretexting attacks. The API security service provider is equipped enough to offer all-around API and application security so that pretexting can’t harm them. The extensive periphery of the Wallarm security approach covers web applications, microservices, and API.