Pretexting

Pretexting is a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext.[1] In its history, pretexting has been described as the first stage of social engineering, and has been used by the FBI to aid in investigations.[2] A specific example of pretexting is reverse social engineering, in which the attacker tricks the victim into contacting the attacker first.

A reason for pretexting's prevalence among social engineering attacks is its reliance on manipulating the human mind in order to gain access to the information the attacker wants, versus manipulating a technological system. When looking for victims, attackers can watch out for a variety of characteristics, such as ability to trust, low perception of threat, response to authority, and susceptibility to react with fear or excitement in different situations.[3][4] Throughout history, pretexting attacks have increased in complexity, having evolved from manipulating operators over the phone in the 1900s to the Hewlett Packard scandal in the 2000s, which involved the use of social security numbers, phones, and banks.[5] Current education frameworks on social engineering are used in organizations, although researchers in academia have suggested possible improvements to those frameworks.[6]

  1. ^ Greitzer, F. L.; Strozer, J. R.; Cohen, S.; Moore, A. P.; Mundie, D.; Cowley, J. (May 2014). "Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits". 2014 IEEE Security and Privacy Workshops. pp. 236–250. doi:10.1109/SPW.2014.39. ISBN 978-1-4799-5103-1. S2CID 15493684.
  2. ^ Wang, Zuoguang; Sun, Limin; Zhu, Hongsong (2020). "Defining Social Engineering in Cybersecurity". IEEE Access. 8: 85094–85115. doi:10.1109/ACCESS.2020.2992807. ISSN 2169-3536. S2CID 218676466.
  3. ^ Steinmetz, Kevin F. (2020-09-07). "The Identification of a Model Victim for Social Engineering: A Qualitative Analysis". Victims & Offenders. 16 (4): 540–564. doi:10.1080/15564886.2020.1818658. ISSN 1556-4886. S2CID 225195664.
  4. ^ Algarni, Abdullah (June 2019). "What Message Characteristics Make Social Engineering Successful on Facebook: The Role of Central Route, Peripheral Route, and Perceived Risk". Information. 10 (6): 211. doi:10.3390/info10060211.
  5. ^ Paradise, Abigail; Shabtai, Asaf; Puzis, Rami (2019-09-01). "Detecting Organization-Targeted Socialbots by Monitoring Social Network Profiles". Networks and Spatial Economics. 19 (3): 731–761. doi:10.1007/s11067-018-9406-1. ISSN 1572-9427. S2CID 158163902.
  6. ^ Ivaturi, Koteswara; Janczewski, Lech (2013-10-01). "Social Engineering Preparedness of Online Banks: An Asia-Pacific Perspective". Journal of Global Information Technology Management. 16 (4): 21–46. doi:10.1080/1097198X.2013.10845647. ISSN 1097-198X. S2CID 154032226.