Phishing’s Dangerous Sibling: Pretexting

Social engineering attacks occur when an attacker persuades employees to hand over sensitive information, exploiting a user’s lack of knowledge or “tricking” them into giving it up. This is commonly done through email phishing attacks, or more specifically business email compromise (BEC), which we’ve covered extensively in our Cyber Security Resource Center.

While being mindful of fraudulent emails, and of phishing attacks more broadly, is an important part of any cyber security awareness strategy, there is a more elaborate form of phishing that your district should be conscious of as well: pretexting.

Phishing attacks rely on creating a sense of urgency in the moment, so the target never gets a chance to properly assess whether the attacker’s claims are legitimate. Pretexting is more advanced: it borrows techniques from phishing and BEC, but engineers a believable situation over a period of time.

For example, in a pretext attack on a K-12 organization, the attacker would contact a school employee posing as a representative of a school administrator. If the administrator’s email account has been compromised, the attacker could even write as the administrator. In a phishing attack, the communication would end there with an urgent demand for payment credentials; in a pretext attack, this initial email only sets the stage.

In this case, the email might point to a failed payment for a conference that members of the district are attending. Instead of demanding payment information immediately for some urgent reason (as a typical phishing attack would), the attacker requests more mundane information, such as confirmation of the dates and location. This interaction generally goes back and forth over several emails. The attacker drops names and details that reinforce credibility until, eventually, the employee is asked to hand over private credentials.

This is what makes pretexting attacks so dangerous: the attacker lulls targets into a false sense of security, and by the time the real request arrives it looks like a routine step in an ongoing conversation. Defense against pretext attacks is similar to defense against other forms of phishing: take time to review the communications you receive, and verify who the sender is. Because the thread may be coming from a genuinely compromised account, verify any request for credentials or payment details through a channel the email did not give you, such as a phone number already in the district directory or a conversation in person, rather than by replying to the email. Don’t hesitate to flag a message for your IT Department if anything looks suspicious.
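To make the difference from ordinary phishing concrete, here is an added example that is not part of the original article: a small Python script that walks through a constructed version of the conference-payment thread described above and applies two kinds of checks to it. The district domain, the administrator’s name and the email addresses are invented for illustration, and the keyword lists are deliberately simple; this is a teaching aid, not a production mail filter. It shows that a per-message urgency filter never fires on a pretext thread, that the request for credentials appears only in the last message, and that header checks help against a lookalike address but catch nothing when the administrator’s real account has been compromised, which is why out-of-band verification matters.

```python
"""Thread-level checks for a pretexting email exchange.

Added example, not code from the original article. The thread below is a
constructed illustration of the conference-payment pretext; the district
domain, names and addresses are invented for this example.
"""
from email.utils import parseaddr

DISTRICT_DOMAIN = "example-district.org"                     # assumed district domain
KNOWN_ADMINS = {"Dana Reyes": "dreyes@example-district.org"}  # assumed staff directory

# Naive per-message signals. Classic phishing trips the first list; a pretext
# thread avoids it and only trips the second list at the very end.
URGENCY_WORDS = ("immediately", "urgent", "asap", "within the hour", "today")
SENSITIVE_WORDS = ("password", "login", "credentials", "card number", "cvv", "account number")

# Constructed three-message pretext thread sent from a lookalike domain
# ("distrlct" with an L instead of an I). Message 1 sets the stage, message 2
# builds rapport with names and details, message 3 finally asks for data.
PRETEXT_THREAD = [
    {"from": "Dana Reyes <d.reyes@example-distrlct.org>", "reply_to": None,
     "body": "Hi Sam, the registration payment for the spring conference came "
             "back as failed. Could you confirm the dates and location you have on file?"},
    {"from": "Dana Reyes <d.reyes@example-distrlct.org>", "reply_to": None,
     "body": "Thanks. That matches what Mr. Patel sent me. The vendor says they "
             "need the booking reference, can you send that over when you get a chance?"},
    {"from": "Dana Reyes <d.reyes@example-distrlct.org>", "reply_to": None,
     "body": "Perfect, appreciate it. One more thing: they are asking for the "
             "purchasing card number and login for the travel portal so they can rerun the payment."},
]

# Same thread, but sent from the administrator's real, compromised account.
COMPROMISED_THREAD = [dict(m, **{"from": "Dana Reyes <dreyes@example-district.org>"})
                      for m in PRETEXT_THREAD]


def sender_findings(msg):
    """Header checks on one message: lookalike domain, display-name
    impersonation, mismatched Reply-To. These cannot detect a genuinely
    compromised account, whose headers are entirely legitimate."""
    findings = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain != DISTRICT_DOMAIN:
        findings.append("sender domain is not the district domain")
    if name in KNOWN_ADMINS and addr.lower() != KNOWN_ADMINS[name].lower():
        findings.append("display name matches an administrator but the address does not")
    if msg.get("reply_to"):
        _, reply_addr = parseaddr(msg["reply_to"])
        if reply_addr.lower() != addr.lower():
            findings.append("Reply-To differs from the sender address")
    return findings


def content_findings(msg):
    """Body checks on one message: urgency language and sensitive requests."""
    body = msg["body"].lower()
    findings = []
    if any(word in body for word in URGENCY_WORDS):
        findings.append("urgency language")
    if any(word in body for word in SENSITIVE_WORDS):
        findings.append("request for credentials or payment data")
    return findings


def analyze_thread(thread):
    """Per-message findings plus a thread-level summary, so the reader can see
    at which message each kind of check would first have fired."""
    messages = [{"n": i, "sender": sender_findings(m), "content": content_findings(m)}
                for i, m in enumerate(thread, 1)]
    first_ask = next((r["n"] for r in messages
                      if "request for credentials or payment data" in r["content"]), None)
    return {
        "messages": messages,
        "first_sensitive_request": first_ask,
        "urgency_anywhere": any("urgency language" in r["content"] for r in messages),
        "sender_flagged_from_start": bool(messages and messages[0]["sender"]),
    }


if __name__ == "__main__":
    for label, thread in (("lookalike domain", PRETEXT_THREAD),
                          ("compromised account", COMPROMISED_THREAD)):
        result = analyze_thread(thread)
        print(f"--- {label} ---")
        for r in result["messages"]:
            print(f"message {r['n']}: sender={r['sender']} content={r['content']}")
        print("first request for sensitive data at message:", result["first_sensitive_request"])
        print("urgency language anywhere:", result["urgency_anywhere"])
        print("sender flagged on the first message:", result["sender_flagged_from_start"])
```

Running the script prints two reports. For the lookalike-domain thread the sender checks fire on the very first message, before any request has been made, while the urgency filter never fires and the sensitive-request check fires only on message 3. For the compromised-account thread the sender checks are silent on every message, so the only remaining signals are the late request for a card number and login and a conversation that started innocuously and drifted toward credentials. That is exactly the situation in which the employee’s own out-of-band verification, not the mail filter, is the control that matters.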

While the sheer number of cyberthreats out there can be daunting, the best way to protect your district is often a strong education. Visit our Cyber Security Resource Center for more informational items like this one.