It all adds up: Pretexting in executive compromise


Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.

While phishing remains the primary pathway to executive compromise, growing C-suite awareness of that risk pushes attackers toward a more in-depth approach: pretexting.

What is pretexting?

Pretexting is the use of a fabricated story or narrative — a “pretext” — to develop a relationship with executives and gain their trust.

For example, C-suite members might be contacted by an attacker posing as a one-time acquaintance or prospective business partner. These encounters are designed to establish rapport between victim and attacker.

Consider the case of an “old acquaintance.” First, hackers find executive email addresses using public or corporate directories or conducting low-level compromise and reconnaissance on company networks. Next, they reach out to their target with a story about how they met at an industry conference or were introduced at a social gathering. Initial emails don’t contain any attempt at compromise — instead, they’re seemingly benign efforts that don’t register as worrisome.

Continued correspondence helps develop a rapport with executives until attackers send through a document or link with their message. While executives know the risks of clicking through on unsolicited requests, the power of pretexting makes it seem as though these links can be trusted.

According to the Verizon 2024 Data Breach Investigations Report, pretexting is now present in 25% of all business email compromise (BEC) attacks. While that figure is well below the 59% of attacks connected to ransomware, the sheer volume of ransomware activity makes it easy to miss pretexting clues while executives and IT teams focus on early detection of extortion attempts.

The additive impact of pretexting

Pretexting isn’t enough to create compromise in isolation. Instead, it is used as part of larger compromise efforts to improve outcomes for attackers. Consider a one-time phishing attack. While executives might make the mistake of responding to emails or clicking on links, the damage done is relatively small-scale, especially if issues are immediately reported to IT.

However, a compromise campaign that combines pretexting, network reconnaissance and vulnerability exploitation can create an additive effect that sees attackers gaining basic network access and then using data supplied by executives to compromise sensitive or protected data.

The long-term timeframe of pretext efforts also reduces the chance that attackers are discovered before they act. Familiarity helps malicious actors fly under the radar. Given their rapport with executives — and since they’ve never asked for anything or taken any odd action — they can effectively hide in plain sight.

Consequences of executive compromise

There are several consequences of executive compromise, including:

Loss of data

Once attackers convince executives to click malicious links or download infected documents, they can capture usernames and passwords. Equipped with this information, malicious actors can access and steal sensitive data such as payroll documents, product spec sheets or financial statements.

Loss of money

Equipped with executive credentials, attackers can also impersonate executives and ask employees to take actions that cost companies money, such as transferring funds or making purchases.

Scammers may also convince CEOs or CFOs to take action on their behalf. For example, if the pretext involves a supposed entrepreneur building their own company, they may attempt to solicit “investment” from executives for their new business.

Loss of compliance

Compliance issues are also a concern with pretexting. If attackers are able to compromise data such as employee or customer information, enterprises may face penalties for non-compliance with regulations and frameworks such as HIPAA, GDPR or CCPA.

Three steps to reduce pretext risk

Pretext problems represent a growing risk because humans are naturally social creatures. While regular security training helps staff and C-suites spot odd behavior or strange requests, humans are predisposed to respond positively in social situations, creating the perfect opportunity for attackers.

A three-step approach can help prevent pretexting.

1. Subtract risks with solid email security

Reducing risk starts with the basics. Solid email security can filter out most phishing and pretext scams before they land in corporate inboxes by analyzing both the text and metadata of messages for common indicators of compromise.

2. Divide and conquer attacker efforts with regular training

Pretexting is an inherently human attack vector that exploits the social nature of work. While it’s impossible for C-suite members to eliminate their human instincts, it is possible for executives to divide and conquer attacker efforts with regular security training.

Consider a pretext email that’s part of a larger plan of attack. If cyber criminals can steal executive credentials, they can kick off a chain of events that leads to encrypted data and ransom demands. If, however, board members are trained to be suspicious of any unsolicited emails, no matter how benign, they can frustrate attacker efforts by removing a key link in the chain.

3. Multiply protective impact with AI

Pretexting helps attackers get a foot in the door. AI helps proactively address this risk.

For example, IBM SPSS Modeler Text Analytics makes it possible to process large volumes of unstructured text — such as emails — to extract key concepts and critical context. Armed with this information, companies are better prepared to pinpoint potential pretexts.

Businesses can enhance defense with the deployment of an AI Shield. This protective barrier combines IBM’s watsonx Assistant and the IBM Threat Intelligence platform to create a self-service email protection portal.

First, companies use watsonx to create an AI shield chatbot that allows users to report suspicious emails and prompts for specific parameters such as IP addresses, URLs or hashes. Once this data is entered, the chatbot connects with the IBM Threat Intelligence platform to analyze the output and inform the user. If the email is deemed safe, users can proceed. If not, they are advised to report the email to their SOC team.
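The filtering described under step 1 (scoring a message's text and metadata for pretext indicators) and the reporting flow just described (pulling IP addresses, URLs and hashes out of a reported email and checking them against threat intelligence) share the same parsing work, so the added example below covers both in one script. It is illustrative code written for this page, not IBM's code and not the watsonx or Threat Intelligence platform API; the threat-intelligence feed, the contact history, the rapport phrases and the two emails are all constructed sample data, and the scoring weights are assumptions a SOC would tune to its own environment.

```python
"""Pretext triage for a reported email (constructed example, not IBM code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed threat-intelligence feed standing in for a real platform lookup.
THREAT_INTEL = {
    "urls": {"http://conf-followup.example/deck"},
    "ips": {"198.51.100.23"},
    "hashes": {"d41d8cd98f00b204e9800998ecf8427e"},
}

# Constructed correspondence history for the executive's mailbox:
# how many messages each sender has exchanged and for how long.
CONTACT_HISTORY = {
    "alex.rivera@mail.example": {"messages": 4, "days_known": 12},
    "partner@vendor.example": {"messages": 120, "days_known": 900},
}

# Rapport-building phrases typical of a pretext (constructed, illustrative).
RAPPORT_PHRASES = ("we met at", "great to catch up", "as we discussed",
                   "introduced us")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def parse_message(raw):
    """Extract the header fields and plain-text body the checks below use."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    return {"from_addr": from_addr.lower(), "reply_to": reply_to.lower(),
            "subject": msg.get("Subject", ""), "body": body}


def extract_iocs(text):
    """Collect URLs, IPv4 addresses and MD5/SHA-1/SHA-256 hashes from text."""
    return {"urls": set(URL_RE.findall(text)),
            "ips": set(IP_RE.findall(text)),
            "hashes": {h.lower() for h in HASH_RE.findall(text)}}


def score_pretext(parsed, history=CONTACT_HISTORY):
    """Score metadata and text indicators of a pretext; returns (score, reasons)."""
    score, reasons = 0, []
    from_addr = parsed["from_addr"]
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = parsed["reply_to"].rpartition("@")[2]
    # Replies silently redirected to another domain: classic BEC metadata tell.
    if parsed["reply_to"] and reply_domain != from_domain:
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    text = (parsed["subject"] + " " + parsed["body"]).lower()
    hits = [p for p in RAPPORT_PHRASES if p in text]
    if hits:
        score += 1
        reasons.append("rapport-building language: " + ", ".join(hits))
    has_link = URL_RE.search(parsed["body"]) is not None
    known = history.get(from_addr)
    if known is None:
        score += 2 if has_link else 1
        reasons.append("no prior correspondence with sender")
    elif has_link and known["days_known"] < 30:
        # The pretext pattern: a link arrives once a short rapport exists.
        score += 2
        reasons.append("link from a contact established only %d days ago"
                       % known["days_known"])
    return score, reasons


def check_iocs(iocs, intel=THREAT_INTEL):
    """Return the reported indicators that match the intel feed."""
    return {k: iocs[k] & intel[k] for k in intel if iocs[k] & intel[k]}


def triage(raw, history=CONTACT_HISTORY, intel=THREAT_INTEL, threshold=3):
    """Full flow: parse, score the pretext, extract IoCs, look them up, advise."""
    parsed = parse_message(raw)
    score, reasons = score_pretext(parsed, history)
    iocs = extract_iocs(parsed["body"])
    matches = check_iocs(iocs, intel)
    if matches:
        reasons.append("indicator matched threat intelligence")
    verdict = "report to SOC" if matches or score >= threshold else "proceed"
    return {"verdict": verdict, "score": score, "reasons": reasons,
            "iocs": iocs, "matches": matches}


# Constructed sample: the follow-up message in a pretext thread.
SAMPLE_EMAIL = """\
From: "Alex Rivera" <alex.rivera@mail.example>
Reply-To: alex.rivera@followup-mail.example
To: ceo@corp.example
Subject: Re: Great to catch up
Content-Type: text/plain

Hi,

Great to catch up again. As we discussed at the conference, here is the deck
I mentioned: http://conf-followup.example/deck

Best,
Alex
"""

# Constructed sample: routine mail from a long-standing contact.
BENIGN_EMAIL = """\
From: partner@vendor.example
To: ceo@corp.example
Subject: Q3 numbers
Content-Type: text/plain

Attached are the numbers we agreed on last week.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, BENIGN_EMAIL):
        print(triage(raw))
```

Run as a script and the pretext sample scores 5 (redirected Reply-To, rapport language, a link from a contact known for 12 days) and its URL hits the intel feed, so the verdict is "report to SOC"; the vendor message scores 0 and is cleared. In production the `THREAT_INTEL` dict would be replaced by a real platform query, and `CONTACT_HISTORY` by the mail gateway's sender-relationship data.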

Rewriting the story of risk

Pretexting adds a layer of misdirection to executive phishing efforts. If attackers can capture the trust of C-suite executives, they may be able to wreak havoc with little to no warning.

But pretexting isn’t predetermined. By implementing basic email hygiene, bringing executives up to speed and deploying AI tools, companies can flip the script and take control of the C-suite narrative.

The post It all adds up: Pretexting in executive compromise appeared first on Security Intelligence.