
Social Engineering: Pretexting | Part 3

As we saw in the last blog, social engineering comes in many forms. Today we will look at pretexting.

What is Pretexting?

Pretexting is the practice of presenting yourself as someone else so that the victim will provide you with their personal and confidential information.

In pretexting, an attacker focuses on creating a good pretext, or fabricated scenario, that they can use to try to steal their victims' personal information.

It forms the foundation of any social engineering attack.

For example, we have all received emails claiming that we have inherited a small fortune, but in order to claim it, we need to either provide some kind of information or click on a link.

The chances of a person falling for this are very low, as the pretext is very poor.

Now let's assume that you always purchase online from Amazon, and you receive an email claiming to be from Amazon stating that there is a package that cannot be delivered due to missing information.

This becomes more believable as the pretext is more solid.

To perform this attack, we need to do some homework first.

Conducting proper information gathering on your target is critical to building a believable pretext.

Let's say you are doing a penetration test for a company, and at some point you have to perform a social engineering attack.

Some of the things that you would consider are company size, locations, number of employees, emails, employee information, and so on.

You would also look at what is available from a technological standpoint, such as public-facing web servers, VPNs, and email servers.

After gathering the information, we can start defining success criteria for each pretext.

For example, if the target organization does not have offices spread across the country, the chance of success of posing as an employee is low, as the employees are probably well-known.

However, if the organization has a large presence that spans multiple countries, you have a higher success rate of posing as an employee from a department in another location.

A pretexting attack can be performed to gain both sensitive and non-sensitive information.

One of the most important parts of social engineering is trust. If you cannot build trust, you can never succeed in social engineering.

A solid pretext is an essential part of building trust.

If your pretext has holes, lacks credibility, or contains mistakes, such as spelling errors or a claim the company would never make (for example, an email from an educational company about hosting parties in pubs or bars), the target will most likely catch on.

Similar to inserting the proper key in a lock, the right pretext provides the proper cues to those around you and can disarm their suspicions or doubts and open up the doors, so to speak.

In the next article, we will learn about the most common social engineering technique: phishing.
