Pretexters are more likely to target companies than individuals, because companies generally have larger bank accounts. It’s hard to find details of successful attacks, as companies aren’t likely to admit they’ve been scammed. VTRAC’s Chris Tappin and Simon Ezard, writing for CSO Australia, describe a pretexting technique they call the Spiked Punch, in which the scammers impersonate a vendor that a company sends payments to regularly. Using information gleaned from public sources and social media profiles, they can convince accounts payable personnel at the target company to change the bank account information for vendors in their files, and manage to snag quite a bit of cash before anyone realizes.
In another example, Ubiquiti Networks, a manufacturer of networking equipment, lost nearly $40 million to an impersonation scam. The pretexters sent messages to Ubiquiti employees pretending to be corporate executives and requested that millions of dollars be sent to various bank accounts; one of the techniques used was “lookalike URLs” — the scammers had registered a domain that differed from Ubiquiti’s by only one letter and sent their emails from that domain.
Pretexting and phishing
Spoofing an email address is a key part of phishing, and many phishing attempts are built around pretexting scenarios; for instance, an attacker could email an HR rep with attached malware designed to look like a job-seeker’s resume. The targeted variety of phishing, known as spear phishing, which aims to snare a specific high-value victim, generally leads to a pretexting attack, in which a high-level executive is tricked into believing that they’re communicating with someone else in the company or at a partner company, with the ultimate goal being to convince the victim to make a large transfer of money. (Deepfakes are starting to be used in this capacity.)
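The two sender tricks described above, a lookalike domain one letter away from a real one and a message that claims to come from an executive, are both cheap to screen for at the mail gateway. The following is an added example, not code from the article or from any vendor it mentions: it parses a From: header, flags a sender domain within one edit of a domain the company owns or pays, and flags an executive's display name arriving from an address that is not on the company's own domain. The trusted domains, executive names and sample headers are constructed for the example.

```python
"""Lookalike-domain and executive-impersonation screen for inbound mail headers.

Added example (not from the original article). The domain lists, executive
names and sample From: headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: the company's own domain plus vendors accounts payable pays.
COMPANY_DOMAIN = "example-corp.com"
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "vendor-widgets.com"}
# Constructed: display names that should only ever arrive from COMPANY_DOMAIN.
EXECUTIVE_NAMES = {"jane doe", "john roe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return the findings for one From: header; an empty list means nothing flagged."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # A domain we own or pay is fine; anything one edit away from one is a lookalike.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= 1:
                findings.append(f"lookalike domain {domain!r} resembles {trusted!r}")

    # An executive's name on a message from outside the company is the CEO-fraud pattern.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
        findings.append(f"executive display name {name!r} from external domain {domain!r}")

    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three impersonation attempts.
    for header in (
        "Jane Doe <jane.doe@example-corp.com>",
        "Accounts Receivable <ap@vendor-widget.com>",
        "Jane Doe <ceo.urgent@webmail.example>",
        "Jane Doe <jane@examp1e-corp.com>",
    ):
        print(header, "->", check_sender(header) or "ok")
```

The edit-distance test catches a dropped or swapped letter but not homoglyph substitutions such as `rn` for `m`, which are two edits apart; a production filter would normalise those before comparing, and would treat a first-time sender on a payment thread as its own signal regardless of the domain.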