A pretext is designed to convince a target to divulge information to an attacker. This information could include, but is not limited to, requests for company documents, user credentials, and personally identifiable information. A successful pretext convinces the target that a request is legitimate and the information being asked for is reasonable.

Inside the mind of cybercriminals

The more convincing the pretext is, the higher the chance of it succeeding. A pretext can be generic and used to target multiple people with no effort, or it can be tailored to a specific individual based on open-source reconnaissance. An attacker often tailors pretexts around current political and social affairs to connect with target users.

If an attacker does not use an effective pretext, this will fail to convince their target. For example, if an attacker were to target a company employee posing as a journalist, requesting user credentials to log into company portals as a ‘case study’ this will more than likely fail. Firstly, the request is not reasonable; a news journalist has no reason to be asking for user credentials to company portals. Secondly, the request is unexpected and will stand out as a threat to the individual on the receiving end.

After deciding on a convincing pretext, phishing is a common method used by cybercriminals to target and attack organisations through their employees. Cybercriminals continue to become more convincing in their approaches, enticing target users to divulge information or to execute malicious payloads on the workstations to compromise the network.

The success of phishing e-mails is dependent on the authenticity of the email. If an attacker crafts an e-mail with a solid pretext, which resonates with their target, it is more likely that the target will fall victim to the phishing attack. Of course, other factors also impact the success of a phishing attack, including technologies in use to prevent phishing emails and the email's authenticity.

So, what are examples of a pretext?

Credential harvesting

During the COVID-19 pandemic, a lot of organisations were switching e-mail services over to Microsoft365 (formerly known as Office365). Most users were working remotely, and e-mails were one of the main primary sources of information. Attackers can capitalise on such a situation as users could be expected to face problems with e-mails as the migration took place. A carefully crafted email can be used to ‘help employees reset their password’ or ‘complete the M365 migration phase by logging in with credentials’. As the target(s) will be familiar with the migration, such phishing emails can be successful due to the timing alone.

Collecting information

An attacker may want to collect personal information about users such as first name/last name, address, D.O.B, or employee ID. To gather the information they could spoof an email from HR personnel in the form of a quiz. Information on social media could give away an idea that can be used as part of the pretext. For example, if an organisation is going to be moving into a new building, an attacker may send out a ‘quiz’ with ‘cash prizes’ or to gather users’ opinions. If the email seemingly comes from a known HR personnel, and the situation is relatable, this may result in a successful attack.

Workstation compromise

Employees can be naturally very intrigued by hearing about their organisation in a newspaper article. An attacker can clone a website and plan a pretext around the organisation. This could be along the lines of ‘Organisation A suffers a massive data breach’ or ‘Organisation A is going into administration’. This type of title will get the target's attention. The objective of an attacker could be to embed a malicious payload which, upon execution can compromise the user’s workstation.

Understanding pretexting and protecting against phishing attacks

A pretext is a significant part of any phishing campaign. A convincing pretext can be adapted to topical situations and be influenced by an attacker’s reconnaissance. A strong reconnaissance piece will have a direct impact on the quality and believability of the pretext used. The goal is to trick the target into believing a ruse.

The number of users targeted, what is said in the email, who the email comes from, and what the expected action is, will all have a part to play in whether a pretext succeeds. On occasion, an attacker could have a weak pretext but find themselves targeting an organisation at the right time.

There are other things attackers consider when launching phishing campaigns, such as gathering the correct target lists, setting up infrastructure, and building web and email domains that are trusted. From an attacker’s point of view, the pretext is the most important part of the phishing campaign, so it is vital to understand that organisations are targeted with messages focused on human interaction and weaknesses.

How can you prepare for being targeted?

To be prepared for being a target of phishing attacks with a strong pretext you should look to understand who might be targeted within your organisation and through what channels. A Key Persons Assessment is a comprehensive review of the personal attack surface of key individuals and employees working for your organisation, as seen through the lens of an attacker. This approach replicates the process attackers are known to undergo when crafting pretexts and seeking fresh targets of intimidation, blackmail and coercion to exploit an organisation.

There are often many identifiable online indicators that point to an organisation, or its employees potentially being targeted in a cyberattack. These indicators can take many forms and it is not always possible to identify them through open source means alone. As well as identifying these external threats, a Digital Attack Surface Assessment (DASA) can help you to understand how online threats present themselves against your organisation.