
Pretexting

Pretexting, known in the UK as blagging, is a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext. In its history, pretexting has been described as the first stage of social engineering, and has been used by the FBI to aid in investigations. A specific example of pretexting is reverse social engineering, in which the attacker tricks the victim into contacting the attacker first.

Background
Social engineering

Social engineering is a psychological manipulation tactic that leads to the unwilling or unknowing response of the target/victim. It is one of the top information security threats in the modern world, affecting organizations, business management, and industries. These attacks can also reach a broader scale. In other security attacks, a company that holds customer data might be breached. With social engineering attacks, both the company (specifically workers within the company) and the customer directly are susceptible to being targeted.

Pretexting in the timeline of social engineering

In cybersecurity, pretexting can be considered one of the earliest stages of evolution for social engineering. For example, while the social engineering attack known as phishing relies on modern items such as credit cards and mainly occurs in the electronic space, pretexting was and can be implemented without technology. Pretexting was one of the first examples of social engineering. Coined by the FBI in 1974, the concept of pretexting was often used to help in their investigations. In this phase, pretexting consisted of an attacker calling the victim and simply asking for information.

Reverse social engineering is a non-electronic form of social engineering in which the attacker creates a pretext where the user is manipulated into contacting the attacker first, versus the other way around. Typically, reverse social engineering attacks involve the attacker advertising their services as a type of technical aid, establishing credibility. Then, the victim is tricked into contacting the attacker after seeing advertisements, without the attacker directly contacting the victim in the first place.

Once an attacker successfully accomplishes a reverse social engineering attack, a wide range of social engineering attacks can be established due to the falsified trust between the attacker and the victim (for example, the attacker can give the victim a harmful link and say that it is a solution to the victim's problem; due to the connection between the attacker and the victim, the victim will be inclined to believe the attacker and click on the harmful link).

Social aspect
Pretexting was and continues to be seen as a useful tactic in social engineering attacks. According to researchers, this is because these attacks don't rely on technology (such as hacking into computer systems or breaching technology). Pretexting can occur online, but it is more reliant on the user and the aspects of their personality the attacker can utilize to their advantage. Attacks that are more reliant on the user are harder to track and control, as each person responds to social engineering and pretexting attacks differently. Directly attacking a computer, however, can take less effort to solve, since computers work in relatively similar ways.

are:

Prized: If the victim is "prized", it means that one has some type of information that the social engineer desires.

Response to authority: If the victim is submissive and compliant, then an attacker is more likely to be successful in the attack if a pretext is set where the victim thinks the attacker is posing as some type of authoritative figure.

Examples
Early pretexting (1970–1980s)

The October 1984 article "Switching centres and Operators" detailed a common pretexting attack at the time. Attackers would often contact operators who specifically operated for deaf people using teletypewriters. The logic was that these operators were often more patient than regular operators, so it was easier to manipulate and persuade them for the information the attacker desired.

In general, socialbots are machine-operated fake social media profiles employed by social engineering attackers. On social media sites like Facebook, socialbots can be used to send mass friend requests in order to find as many potential victims as possible.

In 2018, a fraudster impersonated entrepreneur Elon Musk on Twitter, altering their name and profile picture. They proceeded to initiate a deceptive giveaway scam, promising to multiply the cryptocurrency sent by users. Subsequently, the scammer retained the funds sent to them. This incident serves as an example of how pretexting was employed as a tactic in a social engineering attack.

Current education frameworks
Current education frameworks on the topic of social engineering fall into two categories: awareness and training. Awareness is when the information about social engineering is presented to the intended party to inform them about the topic. Training specifically teaches the skills that people will need if they are in, or may encounter, a social engineering attack. up to 70% of information can be lost when it comes to social engineering training.

In a research study on social engineering education in banks across the Asian Pacific, it was found that most frameworks only touched upon either awareness or training. Also, the only type of social engineering attack that was taught was phishing. A comparison of the security policies on these banks' websites shows that the policies contain generalized language such as "malware" and "scams", while also missing the details behind the different types of social engineering attacks and examples of each one of those types.