A “pretexting” crime occurs when the thief has done some research on their victim and uses that information to get them to release more information. For instance, the thief could use information about the person’s family, schedules, or daily habits to obtain their credit card number, driver’s license number, or social security number.
The thief creates a “pretext” that they need more information from the victim. These crimes are referred to as pretexting. They might call the person and say they have won a contest and need their social security number. These scams and fraud schemes usually aim to accomplish identity theft through the information obtained during the conversation.
In voice transactions, pretexting exploits a weakness in identification techniques. Since physical identification is impossible, companies must use alternative methods to identify their clients. Most of these alternative methods require verification of personal information, such as residence, date of birth, mother’s maiden name, or account number. A pretexter can obtain all this information from social networking sites or dumpster diving.
What Are the Legal Penalties for Pretexting Crimes?
Consumer fraud is illegal and may lead to various penalties. These can include misdemeanor or felony charges for criminal fraud, which are punishable by fines or jail time. In addition, the victim often ends up suing the defendant for damages, especially if the defendant has caused them losses. In some cases, a defamation suit may also be involved if the person’s information was used incorrectly without their permission.
How Can Pretexting Crimes Be Prevented?
Pretexting crimes can be prevented by taking several steps. Always follow these steps when speaking with a party on the phone:
- Check for credentials
- Verify the identity of the person you are talking to
- If they cannot provide a direct line to call back, they may be pretexting
- Look up the contact information for the person or company that the person represents; if you cannot find it, you may wish to cease communicating with them.
- Consider the information you post on the Internet and realize strangers could see it. Be wary when you talk with someone you don’t know in real life (e.g., Facebook friends, people in chat, those who call you). Although they may have built up some trust, they are still strangers.
- Ask yourself why someone is asking for the information. Do not answer if you do not feel comfortable doing so.
- Don’t reveal personal, financial, or other sensitive information over the phone or the Internet.
- Make sure it’s in a secure location, such as the offices of your bank, if you’re meeting in person.
- Remember that IT department employees will not ask for passwords or usernames over the phone or via email.
Again, if you are unsure about the identity or background of someone asking for your information, do not provide it. By doing so, you can prevent many legal conflicts in the future.
What Is Phishing?
Phishing can be considered pretexting by email. In a sense, both terms refer to situations where victims are persuaded to hand over valuable information. This is done by communicating under a false pretext, potentially posing as a trustworthy source.
What’s the difference between phishing and pretexting? As phishing is done only via email, pretexting relies entirely on emotional manipulation to gain information, while phishing might rely on more technical means like malware.
Phishing targets an individual or group of people within a company or department. It contains information that is relevant to the recipient and may even appear to come from another area of the organization (such as Accounting or IT); this increases the likelihood that recipients will open and respond.
In clone phishing, an existing email that’s legitimate is copied and resent with alterations (such as a link to a bogus site and an attachment with malware). As long as the original email is known to be real, and the cloned one appears to be an updated or recent version of the original, people will believe it to be real and will open it.
Management and senior executives are targeted in an attack known as “whaling.” These emails may appear to be a customer complaint, legal document, subpoena, or other messages likely to be opened by the recipient.
Many of the items listed above are sent in emails with links to other websites or attachments that need to be opened. The sites included in links within the message can be quite elaborate in mimicking a legitimate site. In some cases, a copycat site will have a similar URL to the real company’s site, and the person operating it may have even used website tools to promote the site in search engine results, so it appears to be the real company when you search for it.
Some government websites have also been copied, charging fees for services that are free to citizens and asking for excessive amounts for licenses, passports, and other items. Copycat sites may also request information on an insecure site (i.e., not HTTPS).
What Is Tailgating?
Tailgating is similar to physical phishing. Fraudsters pose in real life as someone else to gain access to restricted or confidential areas where they can access valuable information. Tailgating pretexting attacks might be perpetrated by someone pretending to be a friendly food delivery person when they are really a cybercriminal trying to access the devices inside.
What Is Smishing?
Phishing via SMS, or text message, is called smishing. Since texting is a more intimate type of communication, pretexting attackers can use this avenue to reach out to victims – since victims might believe only trusted individuals would have their phone number.
What Is Vishing?
The word vishing combines the words voice and phishing, meaning phishing over the phone. In a pretexting attack, fraudsters may spoof, or fake, caller IDs or use deepfakes to convince victims they are a trusted source, ultimately getting them to divulge valuable information over the phone.
What Is Impersonation?
The impersonation technique is at the core of all pretexting attacks because fraudsters use different identities to pull off their attacks, posing as everyone from CEOs to police officers or insurance agents. If the pretexting attacker has researched the victims, so little suspicion is raised about their legitimacy, the impersonation is strongest.
Pretexting Attack Examples
Pretexting attacks aren’t a new type of cyberthreat. In the mid-2000s, they allegedly spied on celebrities’ voicemails, posing as tech support. Nowadays, pretexting attacks are more common against companies than individuals. Here are some examples:
- Hewlett-Packard hired private investigators in 2006 to determine if board members were leaking news to the media. To do this, the private investigators posed as board members and obtained call records from telephone companies.
- Ubiquiti Networks Inc. transferred $39.1 million to a scammer posing as an employee. This is also called a CEO fraud scam.
- Over $9 million was transferred by MacEwan University in 2017 to a fraudster posing as a vendor and requesting staff members update their payment details via email.
Should I Hire a Lawyer for Help with Pretexting Crimes?
Pretexting catches many people off guard, which can lead to a wide range of legal conflicts and disputes. You may wish to hire a fraud lawyer if you feel that you have been affected by a pretexting scheme.
An attorney near you can provide you with legal advice and representation if you need to file a lawsuit or press charges. Your attorney can also explain the differences in state laws regarding pretexting.