Pretexting: A Growing Threat That Avoids Phishing’s Obvious Tells

Phishing attacks on businesses create an ongoing threat of data compromise, which is why so many companies invest in phishing awareness training. That training has made more employees aware of phishing strategies such as time pressure and a sense of impending negative consequences, which show up in fake urgent requests from the boss to buy gift cards so they aren’t embarrassed at an event.

As more recipients get wise to these tactics, attackers are adopting another strategy: pretexting. Pretexting builds trust with a combination of impersonation and fake stories designed to get victims to share data or take another harmful action — and pretexting represents more than half of social engineering incidents in the latest Verizon Data Breach Investigations Report (DBIR).

Figure: Pretexting Incidents (source: Verizon, 2023 Data Breach Investigations Report)

In this article, we’ll look at the elements of pretexting that make it so effective, the potential consequences of a successful pretexting attack, and how to help employees identify the signs of pretexting in emails and other communications.

Pretexting versus phishing

Pretexting is a type of social engineering that exploits people’s desire and/or professional responsibility to be helpful and solve problems. The DBIR notes that business email compromise (BEC) attacks often rely on pretexting by combining impersonation with manipulation to drive the attackers’ desired outcome. That outcome is usually money (the median loss is now $50,000 according to the DBIR), but attackers may also be after sensitive information or the login credentials that will allow them to infiltrate a company’s internal systems, where they can steal data, eavesdrop on email conversations, and launch ransomware attacks.

If pretexting sounds a lot like phishing so far, it is. Where it differs is in the delivery details. Phishing messages contain links to fake sites that capture login and payment data, or attachments that kick off ransomware attacks. Email security software is getting better at detecting these links and attachments and flagging or quarantining the messages that contain them, and phishing awareness training is helping recipients spot red flags so they can report the messages to IT. Pretexting, by contrast, need not carry a link or an attachment at all, and it can also take place over the phone, via text, and through social media.

Pretexting does its damage strictly through the power of the written message. IBM notes that pretexting’s core elements are a character (the scammer, posing as someone known to the recipient) and a situation (a dilemma they’re asking the recipient to help them resolve). For example, a known vendor emails with an urgent message about a past-due invoice that they need paid right away to a new account so they can cover their payroll this month. By leveraging the recipient’s relationship with someone the attacker has researched—a manager, executive, customer, co-worker, or vendor—criminals can bypass most email security tools and reach their targets.

When pretexting attacks succeed

Pretexting attacks can lead to invoice fraud or payroll diversion, and those losses can be difficult or impossible to recover. Pretexting can also lead to data exposure that leads to customer identity theft and card-not-present fraud. Customers are likely to turn away from companies that allow fraud with their data. In ClearSale’s most recent international survey of online shopper attitudes about ecommerce, fraud, and CX, 83% said they wouldn’t return to a site that allowed fraud involving their cards. This high rate of attrition can increase the cost to acquire customers while decreasing marketing ROI and customer lifetime value.

Data breaches can also lead to expensive penalties for noncompliance with GDPR, HIPAA, and other privacy regulations. For example, GDPR fines can reach as much as 20 million euros or 4% of global net sales from the past fiscal year.

Pretexting campaigns can also lead to ransomware attacks. The 2023 DBIR found that while the number of ransomware incidents didn’t change much from last year to this year, ransom amounts more than doubled, from an average of $1 million per attack to roughly $2.5 million. Paying a ransom obviously affects a company’s bottom line in the short term. It can also make it harder and more expensive for the company to maintain cybersecurity insurance coverage going forward.

Pretexting prevention practices

Protecting an organization against pretexting attacks requires a layered approach that includes preventing attack messages from reaching employees, making employees aware of how pretexting works, and implementing practices that make attacks less likely to succeed even if a recipient engages with a pretexting message.

Preventive tools include DMARC (Domain-based Message Authentication, Reporting and Conformance), which detects and blocks email messages sent from spoofed or hijacked domains, and AI-based email security that detects malicious messages based on changes in the content and tone of conversations with known senders. Traditional email security is rules-based and looks for known bad domains, links, and attachments—none of which may be present in a pretexting attack.
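A DMARC record only blocks spoofed mail if its policy is actually enforcing. As an added illustration (not code from the article or from Verizon or IBM), the Python below parses a DMARC TXT record and lists the settings that still let spoofed mail through; the two records are constructed samples showing a monitoring-only p=none record beside its hardened p=reject form.

```python
"""Assess whether a DMARC record would actually block spoofed mail."""

# Constructed sample records; the domain and mailbox are placeholders, not real data.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                   "pct=100; rua=mailto:dmarc@example.com")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing or wrong v= tag; not a DMARC record")
    if "p" not in tags:
        raise ValueError("required p= tag is missing; receivers ignore the record")
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return the reasons a record still lets spoofed mail through (empty = enforcing)."""
    tags = parse_dmarc(record)
    findings: list[str] = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered and only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if policy == "reject" and subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains are weaker than the main domain")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    for tag, name in (("adkim", "DKIM"), ("aspf", "SPF")):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: relaxed {name} alignment lets any subdomain align")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, so abuse goes unseen")
    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, assess_dmarc(rec) or ["enforcing"])
```

To check a live domain, feed the TXT value of `_dmarc.<domain>` into `assess_dmarc`; the findings are the items to fix before the record will reject spoofed mail.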

Awareness training should be ongoing and should ideally use real examples of pretexting messages detected by the company’s AI email security solution. Understanding how attackers use pretexts to build and then manipulate relationships is critical. Training should also include a reporting mechanism that employees can use when they have concerns about a message.

Other best practices can help prevent pretexting incidents or reduce their severity. Patch and update all software and operating systems regularly, to limit the damage from pretexting attacks designed to exploit software vulnerabilities. Companies can also create a protocol that all employees must follow to verify requests for payments over a certain amount, requests to share data or credentials, and any requests for payroll or invoice account changes.

Finally, it’s critical to keep up with threat evolution. The increase in pretexting attacks is just the latest version of email-based threats to businesses. Keeping an eye on the space, and updating awareness training and best practices accordingly, is the key to keeping company data, funds, and customer relationships safe.