It all adds up: Pretexting in executive compromise


Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.


While phishing remains the primary pathway to executive compromise, increasing C-suite awareness of this risk requires a more in-depth approach from attackers: Pretexting.


What is pretexting?


Pretexting is the use of a fabricated story or narrative — a “pretext” — to develop a relationship with executives and gain their trust.


For example, C-suite members might be contacted by an attacker posing as a one-time acquaintance or prospective business partner. These encounters are designed to establish rapport between victim and attacker.


Consider the case of an “old acquaintance.” First, hackers find executive email addresses using public or corporate directories or conducting low-level compromise and reconnaissance on company networks. Next, they reach out to their target with a story about how they met at an industry conference or were introduced at a social gathering. Initial emails don’t contain any attempt at compromise — instead, they’re seemingly benign efforts that don’t register as worrisome.


Continued correspondence helps develop a rapport with executives until attackers send through a document or link with their message. While executives know the risks of clicking through on unsolicited requests, the power of pretexting makes it seem as though these links can be trusted.
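A defensive heuristic for the pattern described above, added here as an example and not part of the original article: it flags the first link or attachment that a recently first-seen external sender delivers to an executive mailbox after a run of link-free messages. The record format, domain, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All values below are constructed assumptions for illustration.
INTERNAL_DOMAIN = "corp.example"
EXECUTIVES = {"ceo@corp.example", "cfo@corp.example"}
NEW_CONTACT_WINDOW = timedelta(days=60)  # how long a correspondent counts as "new"
MIN_BENIGN = 2                           # link-free messages seen before the first payload

# Constructed gateway records: (timestamp, sender, recipient, has_link_or_attachment)
SAMPLE_LOG = [
    ("2024-01-10T08:00", "ap@vendor.example", "cfo@corp.example", False),
    ("2024-02-02T08:30", "ap@vendor.example", "cfo@corp.example", False),
    ("2024-05-01T09:12", "j.doe@conference-contacts.example", "ceo@corp.example", False),
    ("2024-05-03T11:05", "j.doe@conference-contacts.example", "ceo@corp.example", False),
    ("2024-05-06T10:00", "promo@bulk.example", "ceo@corp.example", True),
    ("2024-05-09T14:20", "j.doe@conference-contacts.example", "ceo@corp.example", False),
    ("2024-05-10T09:00", "hr@corp.example", "ceo@corp.example", True),
    ("2024-05-14T16:40", "j.doe@conference-contacts.example", "ceo@corp.example", True),
    ("2024-05-15T09:00", "j.doe@conference-contacts.example", "ceo@corp.example", True),
    ("2024-05-20T08:15", "ap@vendor.example", "cfo@corp.example", True),
]

def flag_first_payload(records):
    """Flag the first link/attachment sent to an executive by a recently
    first-seen external sender whose earlier messages were all link-free."""
    history = defaultdict(list)  # (sender, recipient) -> [(timestamp, has_payload)]
    alerts = []
    for ts_raw, sender, rcpt, has_payload in sorted(records):
        external = not sender.lower().endswith("@" + INTERNAL_DOMAIN)
        if rcpt.lower() not in EXECUTIVES or not external:
            continue
        ts = datetime.fromisoformat(ts_raw)
        prior = history[(sender.lower(), rcpt.lower())]
        if (has_payload
                and len(prior) >= MIN_BENIGN
                and not any(payload for _, payload in prior)
                and ts - prior[0][0] <= NEW_CONTACT_WINDOW):
            alerts.append((ts_raw, sender, rcpt))
        prior.append((ts, has_payload))
    return alerts

if __name__ == "__main__":
    for alert in flag_first_payload(SAMPLE_LOG):
        print("review before opening:", alert)
```

The long-standing vendor and the cold bulk sender are deliberately not flagged; the rule targets only the rapport-then-payload sequence and is meant to sit alongside ordinary phishing controls.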


According to the Verizon 2024 Data Breach Investigations Report, pretexting is now present in 25% of all business email compromise (BEC) attacks. While it can’t touch the 59% ..
