How to Prevent Pretexting Attacks
What is Pretexting?
Pretexting is another form of social engineering in which attackers create a convincing pretext, or fictional scenario, and use it to try to rob their targets of their private data. Pretexting usually takes the form of a scammer assuming a fake identity to acquire specific information from their victims. They usually act as though they need their victims to confirm their identity by handing over the data the attackers want.
How does it happen?
Pretexters usually impersonate co-workers, authorities, banks, clergy, insurance investigators, or other official institutions or businesses: essentially anyone who might have some kind of authority or right-to-know over the target. The attacker only needs to prepare answers to questions that their victim might ask. Usually, all they need is the right tone and some improvisational skills to fool most people.
Pretexting attacks are often used to obtain both sensitive and non-sensitive data. Last year, for example, a group of scammers pretended to be representatives from modeling agencies and escort services. They fabricated fake backgrounds and interview questions to convince women and teenage girls to send them nude pictures of themselves. Afterward, they sold those pictures to pornographic businesses for money.
The key ingredient of social engineering is trust. The scammers must inspire trust in their victims; otherwise, they will most likely fail. A good pretext is a critical part of building trust. If the attacker's alias, story, or identity has gaping holes or lacks credibility, or even just the perception of credibility, the victim will most likely figure it out.
How to defend yourself against pretexting.
As with any good defense, you must be proactive instead of reactive. If, for example, you get an e-mail from someone saying that a maintenance worker will show up at your place, contact the sender's company, not the sender themselves. Give them a call and make sure that they really are sending someone. If you are home when they show up, demand to speak to their superior instead of just taking their word for it. Ask them for the company's corporate number and their supervisor's name, so that you can call to confirm the identity of the person at your home.
The same goes for websites, especially anything that wants your credit card or PayPal details. Always go to the source, because that's where pretexting falls apart the hardest.