The goal of pretexting is to gather information that can be used to access systems, steal identities, or commit fraud. This information can include passwords, social security numbers, bank account details, or other personal data.
For example, when you get a fake call from the CRA saying you need to pay a fee, the scammer may recite the last few digits of your SIN. The scammer pretending to be a CRA agent and using your phone number, SIN, and any other information they hold about you is “pretexting”. They hope that by creating a believable story, you’ll give them information they can sell on the black market or use to access your financial accounts.
As a non-security professional, you’ll rarely see the term pretexting. It may come up in your security awareness training, but most importantly, knowing what pretexting is can help you identify when it is happening to you.
Pretexting will be used by a cyber criminal in any social engineering scenario. When you receive a phone call, see someone you don’t recognize at the office, or get texts from a brand, you could be experiencing pretexting.
Now that you understand what pretexting is, let’s learn how to spot it before the cyber criminal can get to your personal information. Here are some key red flags that could mean something is pretexting:
One of the most famous cases that serves as an example of pretexting is the MGM attack from 2023. The cyber attack led to week-long issues for room keys and virtual gambling machines, completely disrupting the operations of the entertainment giant.
The attack is claimed to have begun after a cyber criminal found information about an employee on LinkedIn and called the Help Desk, using that information to impersonate the employee. The attacker gave enough information and built enough trust (pretexting) to convince the IT Desk employee to give them access to an account. They used this access to detonate ransomware and demand a ransom.
Pretexting is a sophisticated and manipulative tactic used by cybercriminals to gain access to sensitive information. By understanding what pretexting is, where it is likely to occur, and how to recognize the signs, you can better protect yourself and your organization from falling victim to these deceptive schemes. Stay informed about related terms and always practice caution when dealing with unsolicited requests for information. Awareness and vigilance are your best defences against pretexting and other forms of social engineering attacks.