Pretexting Definition
Pretexting is a type of attack that leverages social engineering to obtain specific pieces of information, such as passwords or personal data, in order to conduct a cyberattack.
Pretexting usually relies on a fabricated scenario (the pretext) that convinces the victim of the attacker's trustworthiness; the attacker typically poses as a qualified counterparty such as a company executive, a qualified investor, or an IT professional.
The most common pretexting techniques include:
- Phishing: these attacks usually arrive as emails or text messages and use a pretext to deceive the victim. Phishing messages often deliver malware as an attachment or as a link the victim is urged to click.
- Baiting: this type of pretexting technique usually involves an attractive promise, such as the opportunity to obtain significant financial gains or to get some free goods. Baiting can occur either digitally on the internet or in the physical world. A classic physical example is a USB flash drive left on the floor, labelled with a catchy note or a trusted logo, so that a curious victim plugs it in and malware is installed on a company computer.
- Scareware: this pretexting technique uses fear to drive the victim's behaviour. For example, the victim may be told that their computer is infected with a virus and that they must hand over passwords to regain access to it.
- Vishing: this specific technique leverages phone calls to get the victim to give away personal information and to gain access to restricted services. Vishing attempts usually target the elderly and involve attackers pretending to be government officials or bank representatives.
- Smishing: this is similar to vishing, except it involves SMS messages rather than phone calls.