Ever heard of pretexting? And no, we’re not talking about when you first carefully draft a risky text message before sending it! Pretexting is a sneaky and highly effective form of social engineering that attackers use to dupe people into sharing their personal information.
If you spend a lot of time on the internet, you’ve probably encountered it in some form many times before. Suspicious texts, calls, and emails trying to trick you into sharing your data have become an all-too-common part of our daily lives. Some of these attempts may seem silly, obvious, and easy to dismiss, but a growing number of attackers are learning to create more sophisticated and convincing stories.
We’re all still susceptible to becoming a victim of social engineering, including pretexting, so it’s important to understand how this tactic works in order to stay secure.
What is pretexting?
Pretexting is a type of social engineering attack in which a criminal creates a story, or pretext, that manipulates their target into sharing personal data like passwords, credit card numbers, and account logins.
The attacker will come up with a scenario beforehand that seems believable and can exploit your trust in a person, company, or service.
For instance, maybe the automatic payment for your streaming service failed to go through so a customer service rep is following up, or your bank is calling to investigate unusual activity on your account. Scenarios like these are believable precisely because they do happen for real, and they become more convincing when the attacker casts themself in the story as someone you would normally trust, like a support agent or a bank employee.
These scams can vary – an attacker may limit the scope to one target, or cast a wide net hoping a few people take the bait. For example, they might research one target online beforehand, or use data they’ve obtained through a data breach to create a customized scenario. Or they might create a general scenario and send it to many people, via email or text message, hoping that it will be accurate and relevant enough to at least some of them.
How do you protect yourself from pretexting?
There’s one important skill you can develop to avoid pretexting scams: awareness. If you know pretexting is a possibility and stay up to date with common techniques, you’ll have the best possible chance of spotting a phony story.
Here are some other steps you can take to prevent an attack:
- Stop and assess. If you’re being targeted, there’s always time to pause for a moment and assess the situation, regardless of what an attacker might say. Being pressured to make a decision, like sharing sensitive data, is a common pretexting tactic.
- Question everything. How were you contacted? Are you being asked to share private information? Does it seem too good to be true?
- Always verify. If you’re unsure, there’s no harm in doing a little bit of research on the source, like calling a company to confirm details or emailing someone directly. For example, if someone calls claiming to be a rep from your bank, you can always hang up, call the bank’s official number (the one on your card or the bank’s website, not a number the caller gives you), and ask them to verify what you just read or heard. Follow your gut – if it turns out to be legitimate, you only spent a few extra minutes being safe.
- Stay on top of updates. Do your best to keep your devices, apps, and other software up to date. If automatic updates are an option, turn them on.
- Use two-factor authentication. If you’re given the option, turn on two-factor authentication (2FA) to add a second layer of security to your accounts. This extra verification method means that even in the worst case scenario, if a pretexting attack is successful and someone else has your password, they won’t be able to sign in to your accounts unless they also have access to the place where you store your verification codes. Keep in mind that a pretext can target the code itself (“just read me the code we sent you so I can confirm your identity”), so never share a verification code with anyone who contacts you.
Add more protection with a password manager
Adopting a password manager like 1Password is another great way to protect yourself against pretexting and other kinds of social engineering.
For example, most password managers will save the relevant website URL alongside your username and password – that way, it knows when to offer to autofill your credentials. Now, imagine a criminal sent you an email with a link to a fake website that looked authentic at first glance. You would immediately notice that your password manager wasn’t offering to autofill your username and password, because the site’s address doesn’t match the one saved with your login. Taking a closer look at the URL, you would realize that you were on a fake site, alerting you to an attack. Treat that silence as a warning: don’t copy and paste your password into a site just because autofill didn’t offer it.
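To make the mechanism concrete, here is an added example of the kind of URL matching a password manager does before offering to autofill. This is illustrative code written for this article, not 1Password’s implementation; the vault entries and the test URLs are constructed. The point it demonstrates is that a strict comparison of the page’s origin against the saved one silently rejects lookalike domains, extra subdomains tacked onto an attacker’s domain, scheme downgrades, and the `user@host` trick.

```python
"""Illustrative password-manager autofill matching (example code, not 1Password's).

A saved login stores the origin it was created on. Autofill is offered only
when the current page's origin is exactly the saved one: same scheme, same
full host name, same port. Nothing "looks similar" enough to count.
"""
from urllib.parse import urlsplit

# Constructed vault for the example: one entry per saved login.
VAULT = [
    {"title": "Example Bank", "origin": "https://login.example-bank.com",
     "username": "alice"},
    {"title": "Streaming", "origin": "https://www.streamflix.example",
     "username": "alice@example.net"},
]


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it has no usable origin.

    The host comes from urlsplit().hostname, which lowercases it and strips any
    userinfo, so 'https://login.example-bank.com@evil.test/' yields 'evil.test'.
    Default ports are filled in so an explicit ':443' still matches.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. 'https://host:notaport/'
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)


def same_site(stored_origin, current_url):
    """True only when the current page has exactly the saved origin."""
    saved = origin_of(stored_origin)
    current = origin_of(current_url)
    return saved is not None and current is not None and saved == current


def autofill_candidates(current_url, vault=VAULT):
    """The logins a manager would offer on this page (empty list = no offer)."""
    return [entry for entry in vault if same_site(entry["origin"], current_url)]


if __name__ == "__main__":
    # Constructed URLs: the real login page, then four phishing-style lookalikes.
    pages = [
        "https://login.example-bank.com/signin?next=/accounts",
        "https://login.example-bank.com.evil.test/signin",   # attacker subdomain
        "https://login.examp1e-bank.com/signin",             # digit-for-letter swap
        "https://login.example-bank.com@evil.test/signin",   # userinfo trick
        "http://login.example-bank.com/signin",              # scheme downgrade
    ]
    for page in pages:
        offered = [e["title"] for e in autofill_candidates(page)]
        print(f"{page}\n  autofill offered: {offered or 'none (warning sign)'}")
```

Real password managers usually relax the host comparison to the registrable domain (so a login saved on `example-bank.com` is also offered on `login.example-bank.com`), but they still never do substring or “close enough” matching, which is what makes the missing autofill prompt a reliable signal on a lookalike site.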
In addition, a password manager like 1Password has built-in protection with Watchtower that will:
- Tell you where you can enable two-factor authentication.
- Notify you if any of your passwords have appeared in a data breach.
- Alert you to weak or reused passwords.
- Alert you to security problems with the websites you use so you can keep all your accounts safe.
Knowing is half the battle
We’re all human with natural tendencies to trust other people, cooperate with authorities, or make a quick decision when put under pressure. It can be overwhelming to consider all of the potential online threats, including the many stories that a criminal might concoct for a social engineering scam. But you can keep it simple. If you educate yourself, stay alert, and take advantage of the right tools, being secure online really is possible.