
By: Karen Cohen on April 20, 2022


What Is Pretexting? (& 7 Actions To Protect Your Organization)

Cybersecurity | IT Support | Information Security

Business leaders know that social engineering attacks are on the rise. These attacks, in which people with bad intentions manipulate users into taking actions that will provide access to information or networks, take many forms. 

One social engineering tactic is pretexting. Wondering what it is and how it works?

I can help. I work at Kelser Corporation, an IT service provider, and we are often asked to explain different social engineering tactics. (Don’t worry, I’m not going to try to sell you on working with us. My mission is to explain pretexting so that your organization doesn’t become a victim.)

In this article, I’ll explain what pretexting is, who is targeted, what it looks like, how to spot it and how to protect yourself from it. 

After reading this article, you’ll have a full understanding of pretexting, how it can compromise your data, and actions you can take to minimize your risk. 

What Is Pretexting? 

A paper published by Iowa State University in 2009 defines pretexting as a fictional scenario designed to convince someone to give up valuable information, such as a password.

It goes on to say, “The most common example of a pretexting attack is when someone calls an employee and pretends to be someone in power, such as the CEO or on the information technology team. The attacker convinces the victim that the scenario is true and collects information that is sought.”  

In other words, the perpetrator creates a scenario that they hope is convincing enough to get a user to take immediate action that provides access to sensitive information without confirming the identity of the person making the request.

Who Is Targeted In Pretexting Schemes?  

Anyone can be the victim of a pretexting scheme. While it is more common for a business or financial institution to be targeted, personal information (such as a bank account, credit card, or Social Security number) is equally enticing for criminals to access.

What Does Pretexting Look Like? 

While pretexting scams can happen in person, most occur via telephone or email, which provides easier “cover” for the perpetrator. Impersonating someone in person is a much bigger challenge than trying to imitate them via telephone or email.

In most pretexting cases, the person initiating the attack pretends to be a senior member of the organization, a reporter, a customer, a co-worker, or a co-worker’s family member.

You can be sure the perpetrator has done their homework. They can usually access enough information from a company website or social media site to make their story sound realistic. As a result, when the victim asks for identifying information, the perpetrator can drop enough names and details that the story seems to add up.

Eventually, the perpetrator supplies enough detail that the victim hands over the sensitive information being requested (and may even believe that the perpetrator already has access to it).

How To Spot Pretexting

For the reasons mentioned above, pretexting attacks most often occur via telephone or email. (In some cases the perpetrator even goes so far as to mimic the email address or telephone number of a legitimate person.)

It may appear as an emailed link requesting bank information to “verify” a paycheck, deposit prize winnings, or even something as innocuous as depositing money collected from colleagues into your account so you can purchase a group gift.

In-person pretexting attacks could be carried out by someone who shows up at your door unexpectedly and needs to come inside to check your electricity or your internet service, or by someone who is “delivering a pizza” to someone at your workplace.

Always verify when something unexpected happens. Rather than just providing access, make sure the request is legitimate. 

Pretexting can be difficult to spot, so keep your guard up and develop policies and procedures that require secondary checks and balances before authorizing things like large money transfers or access to sensitive information.

7 Actions To Guard Against Pretexting 

So now you know what pretexting is. You are probably wondering how you can guard against becoming a victim. Here are 7 actions you can take (and you’ve already done the first one!).

1. Be Aware That Pretexting Can Happen To Anyone.

On a personal level, always have your guard up when someone asks for personal information. 

If you receive a phone call or email (especially from someone claiming to represent your bank or a government agency like the Social Security Administration or Internal Revenue Service), tell the person on the other end that you will reach out directly to the organization they claim to represent. 

Use published, verified contact information to contact the organization from your personal device. Don’t use a number or email address provided by the person who contacts you initially (because that could easily be fake contact information they are providing to lure you back into their trap). 

2. Ask Questions.

Trust (but verify)!

Always independently verify something unexpected (whether it’s via an email or someone appearing in person at your door). Ask why they need the information or the access they are requesting. Be helpful, but suspicious. Ask for identification.

3. Don’t Share Important Information Via Email, Phone, or Text.

I hope it goes without saying, but don’t share important information via social media either!

4. Know And Understand Your Company’s Policies.

Ideally, requests for large money transfers and other significant actions will require authorization from more than one person.

If your organization doesn’t have security policies in place, implement them now to protect against pretexting and other social engineering scams.  

5. Stop And Take The Time To Think Before Responding To Requests.

We all want to be helpful, especially when a request comes from a senior staff member.

But when someone contacts you with an urgent request to take immediate action, let the alarm bells sound.

The few minutes that it will take to double-check the authenticity of a request should not dissuade you. While it might seem inconvenient to the requestor, they will ultimately be glad you did your due diligence to protect the company.

6. Keep In Mind The Old Adage...

If it sounds too good to be true, it probably is. 

7. Offer Cybersecurity Awareness Training To Employees.

When employees know the threats, they will have security top of mind.

Wondering what to include? Read this related article:  3 Topics All Cybersecurity Awareness Training Must Include.

Next Steps To Protect Yourself From Pretexting

In this article, we’ve talked about what pretexting is, who it targets, what it looks like, and how to spot it. 

We’ve also identified 7 ways you can protect against becoming a victim of pretexting. This knowledge will help you protect your organization’s IT infrastructure and your sensitive data.

At Kelser, we provide solutions that help customers keep their IT infrastructure secure, available, and efficient. 

We know that managed IT services aren’t right for every organization, so we publish articles like this to ensure that business leaders have the information they need to keep their organizations safe from cyber threats like phishing. 

Concerned about cyber threats?  Read this article:  Top 3 Cybersecurity Threats For Small Businesses (& How To Stay Safe).

About Karen Cohen

Karen brings unending curiosity to her role as Kelser's Content Manager. If you have a question, she wants to know the answer.
