GIVEAWAY
Win the ultimate AI security check with a free pentest giveaway!
GIVEAWAY
Win the ultimate AI security check with a free pentest giveaway!

Understanding Your Digital Risk Profile: Introduction to Pretexting

The 2024 Verizon Data Breach Investigations Report highlights a significant trend in the realm of cybersecurity threats: an increase in social engineering attacks, especially Business Email Compromise (BEC), which account for nearly one-fourth of all financially motivated attacks.

Central to these social engineering attacks is the tactic of phishing attacks, where attackers fabricate scenarios to deceive and manipulate individuals into sharing sensitive information. This trend indicates a shift in cybercriminal strategies, moving from conventional hacking to more subtle, psychology-based approaches.

The report also highlights that despite the commonality of technical exploits, methods like stolen credentials and phishing are becoming more prevalent. This trend is further compounded by attackers' use of Open Source Intelligence (OSINT) to plan their attacks meticulously.

Below, we'll take a look at how this shift affects your organization's digital risk profile, emphasizing the importance of understanding what information about your organization is publicly available and how attackers can use it against you.

Overview of a digital risk profile

Attack-Surface-Graphic-Cybersecurity-Services-Cobalt

An organization's digital risk profile is a comprehensive assessment of its vulnerability to cyber threats. 

A risk profile often includes various aspects such as:

  • network security
  • data protection
  • employee awareness
  • effectiveness of response strategies

It's a dynamic blueprint reflecting the changing nature of cyber risks and the organization's ability to adapt and respond.

A well-rounded digital risk profile considers not only the technical defenses in place but also the human elements that can either strengthen or weaken the overall security posture. It's about understanding where your organization stands in the face of potential cyber threats and how well-prepared you are to mitigate them.

A key element in assessing digital risk is understanding the tactics used by cybercriminals, such as pretexting.

What is pretexting?

Pretexting is a sophisticated form of social engineering where attackers create a fabricated scenario or pretext to obtain sensitive information. 

In a manner comparable to the reconnaissance phase of a pentest, pretexting involves gathering intelligence about potential targets to pinpoint vulnerabilities and selecting the most effective attack vector. Unlike direct hacking methods, pretexting targets the human element of security. It focuses on crafting a believable story or situation to manipulate individuals into divulging confidential data, bypassing technical security measures.

This tactic relies heavily on psychological manipulation, often involving detailed background research on the target to make the social engineering attempt as convincing as possible. It's a method that exploits trust and authority, playing on the natural human tendency to be helpful or compliant in certain situations.

Using OSINT for pretexting

In the context of pretexting, OSINT is an important method for attackers to gather necessary background information. Attackers use OSINT to gather publicly available information about their targets, which can include details about the company's structure, employee roles, and even personal information found on social media or other online platforms.

This gathered intelligence is then used to tailor the social engineering attack, making it more personalized and, therefore, more effective. 

For instance, knowing a target's job role, recent activities, or professional connections can help an attacker pose convincingly as a colleague, a superior, or an external partner. This level of customization makes pretexting a particularly insidious and effective form of social engineering, as it leverages real information to create scenarios that are difficult to distinguish from legitimate interactions.

Understanding your organization's digital risk profile, the nature of pretexting, and the role of OSINT in these attacks is essential for developing a comprehensive cybersecurity strategy. This knowledge helps not only identify potential vulnerabilities but also train employees to recognize and respond to such sophisticated social engineering tactics.

How attacks use pretexting: common targets of pretexting scams

Today, sophisticated forms of social engineering involve attackers using open source intelligence to gather detailed information about their targets. This intelligence is then used to craft believable scenarios to manipulate individuals into revealing sensitive information or granting unauthorized access. Let's explore the common targets of pretexting and how attackers use the information they gather.

Network information

Attackers often target information related to an organization's network infrastructure. This includes details about hosting services, network devices, and internet-connected devices. They may also engage in domain enumeration to identify all the subdomains associated with the organization's domain name. 

By understanding the network layout, attackers can craft scenarios that exploit specific network vulnerabilities or impersonate network administrators to gain trust.

Application information

Information about the applications used by an organization is another common target. Attackers look for details on development technologies, website information, and even internal application code.

Access to this kind of information can help attackers understand the technical environment of the target organization, enabling them to tailor their social engineering attacks to exploit known vulnerabilities or to trick employees into revealing further sensitive application-related information.

Human-based information

Social network information, compromised credentials, and email lists are prime targets for attackers using pretexting. By gathering information about employees' roles, their professional networks, and personal details available on social media, attackers can convincingly impersonate colleagues or business partners. 

Compromised credentials can be used directly for unauthorized access or as part of a broader social engineering strategy.


Cloud information

Misconfigurations and disclosures from cloud providers are also targeted. Attackers may look for improperly secured data storage, unpatched vulnerabilities, or misconfigured access controls in cloud environments.

This information allows them to exploit weaknesses in cloud infrastructure or to pose as cloud service providers convincingly in social engineering attacks.

Physical location information

Finally, attackers may gather information about an organization's physical locations, such as building layouts and badge information. This type of information can be used in physical pretexting scenarios, where attackers attempt to gain physical access to facilities by posing as staff, maintenance personnel, or external contractors.

Attackers use a variety of information gathered through OSINT to conduct pretexting attacks. By understanding the types of information that are commonly targeted, organizations can better protect themselves by securing their data, educating their employees, and implementing robust verification processes to counter these sophisticated social engineering tactics.

Practices to protect your company from pretexting

As phishing remains a predominant method for cyber attackers to breach companies, it's crucial for businesses to adopt a multifaceted approach to security. This approach should encompass both technical measures and human-centric strategies to effectively combat pretext phishing.

Information sharing policies

A fundamental step is to establish robust information sharing policies. These policies should clearly define what information can be shared and with whom. It's essential that these guidelines are applicable not just to full-time staff but also to contractors and any other individuals who have access to sensitive company information. 

A key component of these policies should be a verification process for sharing sensitive data, ensuring that such information is only disclosed following strict protocols.

Security awareness training

While having strong security policies is essential, their effectiveness hinges on how well employees understand and adhere to them. This is where security awareness training becomes vital. Regular training sessions, ideally on an annual basis, should be conducted to educate employees about the nuances of security policies, with a special focus on recognizing and responding to phishing, vishing, and other social engineering attempts. 

This human-led approach is critical in building a resilient defense against the increasingly sophisticated nature of social engineering attacks.

Limiting data access

Controlling access to sensitive data is another crucial strategy. Access should be limited to only those individuals who require it for their specific job roles. This not only minimizes the risk of internal data breaches but also reduces the potential damage in case an employee's credentials are compromised. Furthermore, access to sensitive data should also require strong authentication practices.

Addressing physical social engineering

Physical security measures are equally important. Organizations should be vigilant about physical social engineering attempts where attackers may try to gain physical access to facilities or sensitive areas. Regular training on security protocols for physical access and visitor verification can significantly reduce this risk.

Clear reporting procedures

Finally, establishing clear and straightforward reporting procedures for any suspicious activities or potential breaches is essential. Employees should know exactly whom to contact and how to report if they suspect a phishing attempt or any other security threat. This prompt reporting can be crucial in mitigating the impact of an attack.

By implementing these practices, companies can strengthen their defenses against pretext phishing, protecting both their digital and physical assets from sophisticated cyber threats.

Digital Risk Assessment: Key strategy in countering pretexting

In the face of evolving cyber threats, particularly pretexting, conducting a thorough Digital Risk Assessment (DRA) is crucial for organizations. Cobalt's DRA services are designed to comprehensively evaluate and mitigate the risks associated with digital operations, including those arising from sophisticated social engineering tactics.

Digital Risk Assessments and Attack Surface Management services

Cobalt's DRA services delve deep into an organization's digital infrastructure, scrutinizing various aspects such as network security, application vulnerabilities, and potential human-factor risks. This assessment is complemented by Attack Surface Management (ASM), which continuously monitors and manages the organization's digital footprint, identifying and addressing new vulnerabilities as they emerge.

Case studies: Learning from real incidents

To better understand the real-world implications of this trend, let's transition to examining some illustrative case studies. These examples will shed light on how pretexting plays out in actual scenarios and the profound impact it can have on organizations, further emphasizing the need for a robust digital risk management strategy.

The MGM attack and the 23andMe incident highlight how pretexting can lead to significant breaches and underscore the critical role of DRA in identifying and mitigating such risks.

The MGM Attack: In this incident, an IT help desk employee was deceived through pretexting, leading to a significant security breach. This case highlights the need for robust training and awareness programs as part of the DRA process. By understanding how employees can be targeted and manipulated, organizations can implement more effective training and protocols to prevent such incidents.

23andMe Incident: This case involved leaked credentials, which were then used for lateral movement across the network, compromising multiple accounts. It underscores the importance of monitoring and managing credentials and access rights as part of a DRA. Cobalt's services would focus on identifying such vulnerabilities and implementing measures to prevent credential leaks and unauthorized access.

Reducing risks from OSINT

A key component of Cobalt's DRA is the reduction of risks associated with OSINT. By understanding what information is publicly available about the organization and its employees, Cobalt's services help in devising strategies to minimize the exposure and potential misuse of this information in pretexting attacks.

As we evolve our cybersecurity strategies, the transition from Digital Risk Assessments (DRA) to comprehensive Attack Surface Management (ASM) is a crucial step in lowering digital risk. This progression reflects a deeper understanding of the nature of cyber threats, where the focus extends beyond the immediate risks of pretexting to encompass the broader spectrum of potential vulnerabilities.

ASM represents a proactive, continuous approach to cybersecurity, aligning perfectly with the needs of Pentesting as a Service (PtaaS) models like those offered by Cobalt. In this model, regular and thorough assessments of an organization's digital footprint are conducted, ensuring that new vulnerabilities are quickly identified and addressed. This approach is particularly effective in the context of pretexting, as it allows for the constant monitoring and updating of security measures in response to the ever-evolving tactics of cybercriminals.

Frost & Sullivan Brand Protection Report

Back to Blog
About Ernest Li
10+ years experience in threat intelligence, threat detection, threat research, and security operations with a Masters degree from the University of Oxford. More By Ernest Li