Cybercriminals continuously adapt to match the “market”: namely you, their targets. Scams cycle in popularity based on their effectiveness with current trends. With the “new” remote workforce, we are experiencing a resurgence in pretexting. The lack of personal interaction is making it easier for cybercriminals to impersonate coworkers and company representatives in order to steal your money and your private information.
What is it?
Pretext means false motive. Pretexting is defined as the practice of presenting oneself as someone else in order to gain private information. A scammer attempts to build a connection in one of two ways: impersonating someone you know, such as a coworker, or fabricating the identity of a worker from a trusted company. No matter the means, their end goal is to steal your private information. Unlike a hacker who goes in the back door to steal without you knowing, a good pretext scam has you willingly give them what they want.
A cybercriminal contacts HR impersonating a worker. They inform HR that their bank account information has changed and they need to update the information for their direct deposit. Without proper verification, HR begins sending paychecks to a criminal.
An IT representative calls you saying there have been small breaches on company computers. He needs to remotely access your computer to ensure all cybersecurity protocols are in place on your company device. Since everyone is working remotely, he can’t have you bring your device in, which is normal procedure, so this is the next best option. You give him your IP address and he has access to control your computer. You see random windows beginning to pop up and realize too late he is stealing your information.
How does this scam work?
A successful pretexting scam is built on trust. The scammer presents themselves in a legitimate way, gains your trust and then asks for the information they are looking for. Believing you are talking to a real representative, you hand over your information willingly. The scammer takes their time researching the target (you), which allows them to build a persona that will have the best chance of success. Some tools of successful pretexting include:
- Connecting with the target over similar interests
- Keeping the scam simple – no complicated reasons or requests
- Creating a trusted character
- Asking for the target’s information under the guise of verification
- Using logical conclusions or follow-through for the target
How is it being used?
The scam is built on luring you into trust through impersonation. Cybercriminals use just enough information to make you think they are legitimate so you willingly provide them information. The recent Facebook challenge is a great example. In support of high school seniors who are not getting a normal graduation, people were challenged to post their own graduation pictures. The Better Business Bureau warned this was an opportunity for cybercriminals to find personal information about your high school, age, and school mascot to be used against you.
An employee in the finance department received a request to transfer a large sum of money to a vendor. Thinking it was from a legitimate client, they authorized the transfer without verification. It was later discovered that the request came from a cybercriminal impersonating the client.
Defend yourself and your company:
- Limit the personal information you post on social media
  - Remember that these scams involve researching the target. The more information you willingly post, the easier it is for them to create a character that will connect with you
- Go to the source
  - If a representative from a company contacts you either in person, on the phone or via email, verify their identity directly with the company. If someone shows up at your house, find the corporate company’s phone number and call from your personal phone. It may seem rude and take longer, but you could be protecting yourself from a scam.
- Never give out personal information
  - Real company representatives will never ask you for your password, full account numbers or credit card numbers. General conversations that steer in a direction asking too many personal questions about your family and job should be a red flag. You can decline answering in a polite way while not giving away information.
- Protect your organization
  - Do not give out company information, even if the requester appears to be from within the company. Know your company’s procedures for how they communicate when there is an issue, or they need information from you.