Pretexting is a social engineering technique that’s used by hackers, spammers, and pranksters to assume and exploit the trust of an individual. It’s been defined as the act of taking on an identity (usually those of a trusted person, such as a customer service representative) for the purpose of gaining information or participation in a situation.

Techniques include presenting as someone else via phone call, email, instant message, or other means where with this impersonation they have more success than if they don’t adopt an identifiable role. There are generally these types:

• Identifying themselves as someone else from their target company to gain information about them (e.g., to find out their password)
• Identifying themselves as someone else via social engineering by referring to them as a trusted and identified individual
• Confirming the identity of another person and acting on that perceived identity; for example, having an employee use a phishing email and passing it on to the client without approval. The former requires that there are two people talking to each other. 
• The latter would require only one person because it limited the impersonation to just one person.

Pretexting has also been used in arrangement with phishing attacks. The attacker poses as the legitimate account holder and asks for information that is easily available, such as account credentials. The attacker then obtains those credentials from a phishing website and uses them to gain access to the victim’s account.

Pretexting can also be used in email spoofing to manipulate an email address. This is an easy trick for most email clients to be cheated because a fake name/address can be achieved with a simple Ctrl-W shortcut (wrench icon) on Mac OS X or Ctrl-F shortcut (find on page or find icon) on Windows XP. The user is tricked into thinking the message is from a real person and responding to it. The message can then be modified to have the victim transfer money, buy goods online, or send more communications back to the attacker.

Impact of Pretexting:

Pretexting is often used in conjunction with phishing attacks. The pretext poses as a legitimate customer of the target organization and attempts to obtain information about them such as their account credentials and passwords, information on their employees, financial records, etc., through fraudulent email messages or phone calls. This is followed up with an attempt by the attacker to acquire those credentials via malware placed on their computers or the social engineering of an employee.

Key Points:

• Customers are encouraged to visit a fake website against their better judgment; In an email, customers are encouraged to click on a link or open an attachment that they should not open. 
• This can be accomplished by making the email look like it’s from “someone they know, rather than a stranger. When customers enter their credentials into the site, they may be redirected to another website, which can steal any information entered on the first website. 
• Customer data is stolen through cross-site scripting (XSS) attacks, where malicious scripts are placed in otherwise legitimate web pages and then run automatically when the page loads in the customer’s browser. 
• The most common XSS attacks involve inserting JavaScript code into otherwise benign HTML pages, such as the code shown here: <SCRIPT SRC=http://www?> <!– The attacker’s script will get loaded here –><HTML></html> This attack is carried out because many browsers don’t execute JavaScript unless it comes from an approved source, and because some users think the code looks suspicious and so may turn off JavaScript completely.

Countermeasures:

Social engineering is typically used by criminals in the process of stealing passwords, account information, and other sensitive data. This can be detected by monitoring employees’ usage of IT resources. This includes:

• Real-time observation/monitoring 
• Suspicious behavior/inconsistencies
• Analysis of common search words.
• Audit trails/log review.

Pretexting has been used as part of a fraudulent sales pitch for products such as stock shares and reduced-rate mortgages.

• Entering Credit Card Information
• Requesting PIN of CC
• Requesting Balance of CC

Conclusion: 

Pretexting is a serious form of social engineering that uses trust as a weapon. Attackers often use credentials to gain access to an individual’s personal information, and from there, they are able to commit actions against the victim’s financial and social well-being. One can never rely on the sense of trust rather than the sense of what one sees or hears.