Pretexting: definition, dangers, and defense strategies

Your phone rings. A person from your “bank” calls you and says he has some urgent information. He tells you your name, surname, some other detail about you and asks you to “verify it’s you” by telling your credit card numbers. Seems legit because they already know some of your information?

That is precisely what pretexting scammers depend on.

So what is pretexting, what are the dangers of it, and is there a way to defend oneself?

What is pretexting?

Pretexting is a form of social engineering when a scammer creates a story (a pretext, as the name suggests) to deceive you, so you disclose sensitive information that the social hacker can then manipulate for malicious purposes.

Usually, a criminal will introduce himself as a representative from the authoritative organization, your client, a co-worker, or another person you’d trust.

Learn to recognize – How do scammers build trust?

The first goal for the criminal is to build rapport and establish trust. Usually, they provide some information about you so that you believe they already have all of it – they just need to “verify” you.

Typical example – the delivery man

The person says he’s a deliveryman from FedX and has a package for you. But here comes a pretext – “ ah, the address on the box was damaged during transportation and is now illegible.” The “delivery man” tells your name and surname written on the box and asks you to specify the address. You trust him, and he obtains your address.

Scammers gather data about you from hacker forums on the Dark Web. (That is where your data goes for sale after a leak.)

The information might include your name, surname, email address, password, phone number, date of birth, last four digits of your credit card, etc.

Of course, keep in mind that scammers might also use public information from your social media.

What is the difference between phishing and pretexting?

Both phishing and pretexting are social engineering attacks. Phishing is commonly email-based and requires urgent action (f. e. changing a password, clicking on a link, etc.).

Pretexting, contrarily, is mainly done via phone and involves impersonation. This attack is dangerous for individuals and companies – scammers use pretexting to obtain commercially valuable information through human error.

Defense against pretexting scams: extra vigilance

In order to avoid pretexting attacks users need to be extra vigilant. Scammers will always try to exploit human psychology, so you have to be cautious.

Here are 9 tips that should help avoid becoming a victim of this scam:

1. Always ask the name and surname of a person who calls you.
2. Ask a caller to send you an email from the official organization. They should have email addresses with legit suffixes, for instance, [email protected].
3. If something seems suspicious, always hang up the phone and call the organization directly to verify if the person who phoned you actually works there.
4. Ensure there is no personal information online (on social media) which could be used against you.
5. Google yourself and see what information is publicly accessible about you. Critically review and delete any personal information that you think shouldn’t be accessible to everyone.
6. If a client or a business partner is calling you to ask for sensitive data, tell them you will call them back via a official and trusted number.
7. Never reuse your passwords on multiple websites. If it gets leaked and stored in a popular hacker forum, it’s likely for a hacker to try it on other websites.
8. Ensure that your employees use official signatures on their emails. In case you received one without it, double-check the sender.
9. Periodically train your employees about the existence of social engineering attacks, password hygiene, and cybersecurity literacy.

The best advice is to be always skeptical and suspicious. Extra vigilance can only help. It lets you protect not only yourself but the data of your company, too.