Pretexting attacks, many launched through Business Email Compromise (BEC), have nearly doubled in 2023 according to the Verizon 2023 Data Breach Investigations Report. First, the costs: Based on 16,312 data security investigations that found 5,199 confirmed breaches in the past year, Verizon determined that 74% of all breaches involved human actions, and 97% of breaches were financially motivated. Business Email Compromise attacks accounted for more than half of the attacks Verizon documented, with a median of $50,000 stolen per attack.

For more intrusive system compromise attacks, more than 95% of attacks resulted in business losses between $1 and  $2.25 million. Training employees to recognize and thwart these attacks is far less expensive than the remediation and recovery that may be needed after a successful attack. Employees need to know what pretexting is, how it works and how to respond to it.

What Is Pretexting?

Pretexting is a form of phishing where the criminal gains the trust of an employee by pretending to be a vendor, business partner or coworker. Some examples of pretexting include the following:

1. An IT team member contacts an employee and asks them to download software to perform system maintenance.
2. A senior leader or executive contacts an employee and asks them to buy gift cards for a client or a company promotion, then asks for the gift card codes so they can be distributed immediately.
3. A client asks for a regular delivery to be routed to a new address.
4. A vendor asks for credit card information to resolve a payment problem.
5. A bank employee asks for account access to resolve a problem.
6. A coworker sends a text that reads, "Let me know if you get this text."

All of these are real-world examples of pretexting scams. The criminal creates a pretext, a scenario that asks the targeted employee to take action personally. This can include downloading malware or programs that allow remote access to devices, providing logins or providing two-factor authentication codes.

Criminals who use pretexting scams have varying degrees of sophistication. Text-based scams tend to be the most common and least sophisticated. Pretexting scams that involve email may include convincing duplicates of company, client or business email templates or websites, as well as return addresses that are virtually indistinguishable from legitimate emails. The criminal attempts to gain trust, relying on the employee's desire to be helpful or resolve a business problem.

These attacks are rising in frequency because they are successful. Most employees have been trained to ignore requests from strangers and to go directly to websites instead of clicking on links in emails. What these employees often are not prepared for is a criminal who wants to communicate with them directly. The pretext catches them off guard. A criminal would never call and pretend to be a client, or text and pretend to be a CEO, would they?

How to Stop Pretexting Attacks

Businesses of every size must include pretexting awareness as part of cyber security employee training. Employees with access to company finances, customer and employee data or system credentials should be the top priority for this training, but it must extend to every member of the workforce to be effective. If criminals believe they can steal thousands of dollars from your company, they will probe every possible weakness to try and get a foothold in your organization.

It is equally critical to train remote and hybrid employees who spend only part of their time in the office. This has emerged as a significant training gap in many organizations, and it is a ripe target for pretexting. At a minimum, you must continually remind employees that you will never text them asking for a response or to purchase anything. Establish protocols for times when IT must work with employees remotely. Make sure employees know who the IT staff are and provide a mechanism to verify that they are speaking with a coworker rather than a criminal. Provide an email address for a staff member who is always available in case an employee needs to verify an IT request.

Be wary of what you share online about your company and its people. Criminals will mine your About and Staff pages for names, emails and titles that they can use for pretexting. They will read your press releases to learn about your vendors and clients. Unprotected digital assets, including site code and images, can be used to create spoofed versions of your website or company emails to trick employees.

As with other social engineering scams, a skeptical employee can be the best defense. Employees should be continually reminded to stop and think if an interaction seems strange and to verify any unusual requests with a trusted co-worker by voice or in person.

Protect Now will help you stop pretexting, phishing and other social engineering attacks with our CSI Protection Certification program, designed for the specific needs of small- and mid-sized businesses and available via in-person seminars, virtual seminars or eLearning. Contact us online to learn more, or call us at 1-800-658-8311.