"Are you there? This is urgent." No links. No attachments. Just a simple pretext.
Phishing attacks do not always use malicious links or attachments to steal information about you. Have you ever received an email from someone who appears to be your co-worker asking if you are available? Has someone informed you out of the blue that you are entitled to heaps of cash? There are a whole bunch of attacks built around nothing more than a greeting with a simple scenario like the aforementioned. This is called a pretext.
Pretexting is a form of social engineering used by cyber criminals to steal sensitive information from victims through their engagement with a convincing story. The aim is for the victim to trust the story and provide information or access to a certain service. It is used against individuals and their companies; attackers may investigate victims' backgrounds to make the scenario sound as credible as possible. This often results in the attacker impersonating a co-worker, a representative of a company known to the victim, or an authority figure.
In this post we will introduce some commonly used pretexts in emails to show how the attackers can approach victims with a made-up story.
The attacker asks “Are you available?” They are checking whether the victim can be useful to them right that instant. If you are not available, they will just contact someone else. If you say you are available, the attacker will follow up with another email containing a financial request. It could be instructions to purchase something, redirect a payment, or give access to some funds. Below are two examples of this type of pretext.
One of the most common tactics is to impersonate a colleague or authority in need of help. This makes the victim act faster and forget to take a closer look at the message. We often see emails like this coming from the CEO. Such authority forces the recipient to pay attention to the message, making these emails extremely effective.
The first two examples represent similar messages asking for help changing banking information. These messages seem to come from colleagues and do not seem suspicious at first glance. In the third example, the message, written in Finnish, comes from an authority informing the victim about an unpaid invoice. What makes this even more convincing is that the attacker specifies a person who has advised them to contact the victim specifically.
Proposing a business idea is a common way for attackers to approach companies. Such messages are generally short and sweet. The attackers want the victims to answer the email for additional information about the proposal. This is how victims confirm their email addresses to attackers. After the response, the attackers can continue the conversation with malicious intent.
Almost all messages involving a large sum of money are malicious. Usually, all these pretexts follow the same pattern: someone has passed away, and something must be done with their funds. In the first example, localized to Norwegian, the attacker impersonates a lawyer informing the victim that a relative of theirs has passed away. Now, they want to release the funds of the relative but need the help of the victim to do so. Impersonating a lawyer makes the email seem more trustworthy and gives a false sense of legitimacy. In another example the attacker appears as a widow with a large sum of money. The attacker wants to hand over the money to the victim and asks for a response. The aim of these pretexts is to obtain the victim's banking information.
In this example, the attacker describes a surprise they are planning for employees. For the surprise to succeed, they need the help of the victim. This pretext asks for the personal email address of the victim. The attacker also makes sure that the victim will not tell any colleagues about this request or the upcoming surprise. We also see cases where the attacker asks to be directed to the best person for the matter if that is not the victim. This way the attackers can expand their list of contacts.
The key for the pretext to work is to convince the victim that the attacker is who they say they are. The more specific the pretext is, the more believable it is. If the victim is tricked and responds to the email, it will start a dynamic conversation with the attacker. As said earlier, these pretexts are often followed by instructions to make a purchase or to transfer money. For this to work, the attacker must be prepared to continue the fictional scenario credibly. At this point, the story easily begins to show some cracks from which the victim can conclude something is wrong.
When in doubt, check for these suspicious signs:
In the example below, we can see an unfortunate situation in which the pretext was almost completed. This chain began with a simple request to help with a money transfer. The attacker posed as the victim’s colleague and referred to a well-known lawyer and a law firm. These factors made the message much more convincing and easier to fall for. This conversation almost ended with a transfer of 2 million EUR. Luckily, the victim got suspicious and did not proceed with the payment. If you are interested in this specific case, read this post.
As we can see from the above examples, pretexts are extremely common, and their content varies greatly. These are harder to spot because of their harmless appearance.
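Because these messages carry no link or attachment, mail triage has to work from the sender and the wording instead. The sketch below is an added example, not part of the original post: the company domain, staff names, phrase lists and sample messages are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                        # assumed company domain
STAFF_NAMES = {"anna virtanen", "mark jones"}     # assumed staff directory

# Phrase groups modelled on the pretexts described in the post (English only).
SIGNALS = {
    "availability": r"\bare you (there|available)\b",
    "urgency": r"\b(urgent|asap|immediately)\b",
    "financial": r"\b(bank(ing)? (details|information)|invoice|payment|transfer|funds)\b",
    "secrecy": r"\b(surprise|confidential|do not (tell|inform))\b",
    "personal_contact": r"\bpersonal (e-?mail|number)\b",
}

def find_pretext_signals(raw):
    """Return the list of pretext signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    parts = list(msg.walk())
    body = " ".join(p.get_payload(decode=True).decode(errors="replace")
                    for p in parts if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')} {body}"
    reasons = [k for k, pat in SIGNALS.items() if re.search(pat, text, re.I)]
    # A colleague's display name on an address outside the company domain.
    if name.lower() in STAFF_NAMES and not addr.lower().endswith("@" + ORG_DOMAIN):
        reasons.append("staff_name_external_address")
    # No link and no attachment: URL and file scanners have nothing to inspect.
    has_link = re.search(r"https?://|www\.", body, re.I)
    has_file = any(p.get_content_disposition() == "attachment" for p in parts)
    if reasons and not has_link and not has_file and len(body.split()) < 60:
        reasons.append("short_no_link_no_attachment")
    return reasons

# Constructed sample messages, not real mail.
PRETEXT = ("From: Anna Virtanen <anna.v@example.net>\nSubject: Quick request\n\n"
           "Are you available? This is urgent.\n")
SURPRISE = ("From: HR Team <hr@example.net>\nSubject: Employee surprise\n\n"
            "We are planning a surprise for the staff. Please send me your "
            "personal email and do not tell your colleagues.\n")
BENIGN = ("From: Mark Jones <mark.jones@example.com>\nSubject: Minutes\n\n"
          "Minutes from Monday are at https://intranet.example.com/minutes.\n")

if __name__ == "__main__":
    for label, raw in [("pretext", PRETEXT), ("surprise", SURPRISE), ("benign", BENIGN)]:
        print(label, find_pretext_signals(raw))
```

The phrase lists are English only, so localized pretexts like the Finnish and Norwegian examples above need patterns in the languages your staff actually receive.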
Here are a few tips to stay off the hook: