July 2, 2024 By Doug Bonderud 4 min read

Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.

While phishing remains the primary pathway to executive compromise, increasing C-suite awareness of this risk requires a more in-depth approach from attackers: pretexting.

What is pretexting?

Pretexting is the use of a fabricated story or narrative — a “pretext” — to develop a relationship with executives and gain their trust.

For example, C-suite members might be contacted by an attacker posing as a one-time acquaintance or prospective business partner. These encounters are designed to establish rapport between victim and attacker.

Consider the case of an “old acquaintance.” First, hackers find executive email addresses using public or corporate directories or conducting low-level compromise and reconnaissance on company networks. Next, they reach out to their target with a story about how they met at an industry conference or were introduced at a social gathering. Initial emails don’t contain any attempt at compromise — instead, they’re seemingly benign efforts that don’t register as worrisome.

Continued correspondence helps develop a rapport with executives until attackers send through a document or link with their message. While executives know the risks of clicking through on unsolicited requests, the power of pretexting makes it seem as though these links can be trusted.

According to the Verizon 2024 Data Breach Investigations Report, pretexting is now present in 25% of all business email compromise (BEC) attacks. While it can’t touch the 59% of attacks connected to ransomware, the sheer volume of ransomware attacks makes it easy to miss pretexting clues as executives and IT teams focus on early detection of ransomware extortion efforts.

The additive impact of pretexting

Pretexting isn’t enough to create compromise in isolation. Instead, it is used as part of larger compromise efforts to improve outcomes for attackers. Consider a one-time phishing attack. While executives might make the mistake of responding to emails or clicking on links, the damage done is relatively small-scale, especially if issues are immediately reported to IT.

However, a compromise campaign that combines pretexting, network reconnaissance and vulnerability exploitation can create an additive effect that sees attackers gaining basic network access and then using data supplied by executives to compromise sensitive or protected data.

The long-term timeframe of pretext efforts also reduces the chance that attackers are discovered before they act. Familiarity helps malicious actors fly under the radar. Given their rapport with executives — and since they’ve never asked for anything or taken any odd action — they can effectively hide in plain sight.

Consequences of executive compromise

There are several consequences of executive compromise, including:

Loss of data

Once attackers convince executives to click malicious links or download infected documents, they can capture usernames and passwords. Equipped with this information, malicious actors can access and steal sensitive data such as payroll documents, product spec sheets or financial statements.

Loss of money

Equipped with executive credentials, attackers can also impersonate executives and ask employees to take actions that cost companies money, such as transferring funds or making purchases.

Scammers may also convince CEOs or CFOs to take action on their behalf. For example, if the pretext involves a supposed entrepreneur building their own company, they may attempt to solicit “investment” from executives for their new business.

Loss of compliance

Compliance issues are also a concern with pretexting. If attackers are able to compromise data such as employee or customer information, enterprises may face penalties for non-compliance with regulations such as HIPAA, GDPR, CCPA or other compliance frameworks.

Three steps to reduce pretext risk

Pretext problems represent a growing risk because humans are naturally social creatures. While regular security training helps staff and C-suites spot odd behavior or strange requests, humans are predisposed to respond positively in social situations, creating the perfect opportunity for attackers.

A three-step approach can help prevent pretexting.

1. Subtract risks with solid email security

Reducing risk starts with the basics. Solid email security can filter out most phishing and pretext scams before they land in corporate inboxes by analyzing both the text and metadata of messages for common indicators of compromise.
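Message metadata alone can surface the slow build-up described earlier, where benign correspondence precedes the first link or document. The following is an added example, not code from the original article or any product it names: a triage heuristic over constructed mailbox metadata, in which the thresholds, the internal domain list and the function name are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed mailbox metadata for one executive:
# (date received, sender, message carries a link or attachment)
SAMPLE_LOG = [
    (date(2024, 5, 6), "alex@example.net", False),
    (date(2024, 5, 14), "alex@example.net", False),
    (date(2024, 5, 29), "alex@example.net", False),
    (date(2024, 6, 12), "alex@example.net", True),   # first payload after rapport
    (date(2024, 6, 3), "news@example.org", True),    # payload on first contact
    (date(2024, 6, 4), "pat@corp.example", True),    # internal sender
]

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organization's own domains
MIN_BENIGN = 3        # assumption: benign messages needed to count as rapport
MIN_SPAN_DAYS = 14    # assumption: minimum length of the build-up


def rapport_then_payload(log):
    """Flag external senders whose first link/attachment follows a benign build-up."""
    by_sender = defaultdict(list)
    for day, sender, has_payload in sorted(log):
        by_sender[sender.lower()].append((day, has_payload))
    alerts = []
    for sender, msgs in by_sender.items():
        if sender.rsplit("@", 1)[-1] in INTERNAL_DOMAINS:
            continue
        benign = []
        for day, has_payload in msgs:
            if not has_payload:
                benign.append(day)
                continue
            # First payload from this sender: was it preceded by a quiet build-up?
            if len(benign) >= MIN_BENIGN and (day - benign[0]).days >= MIN_SPAN_DAYS:
                alerts.append((sender, day, len(benign)))
            break
    return alerts
```

Genuine new contacts follow the same pattern, so a hit is a reason to route that first link or document for inspection, not a verdict on the sender.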

2. Divide and conquer attacker efforts with regular training

Pretexting is an inherently human attack vector that exploits the social nature of work. While it’s impossible for C-suite members to eliminate their human instincts, it is possible for executives to divide and conquer attacker efforts with regular security training.

Consider a pretext email that’s part of a larger plan of attack. If cyber criminals can steal executive credentials, they can kick off a chain of events that leads to encrypted data and ransom demands. If, however, board members are trained to be suspicious of any unsolicited emails, no matter how benign, they can frustrate attacker efforts by removing a key link in the chain.

3. Multiply protective impact with AI

Pretexting helps attackers get a foot in the door. AI helps proactively address this risk.

For example, IBM SPSS Modeler Text Analytics makes it possible to process large volumes of unstructured text — such as emails — to extract key concepts and critical context. Armed with this information, companies are better prepared to pinpoint potential pretexts.

Businesses can enhance defense with the deployment of an AI Shield. This protective barrier combines IBM’s watsonx Assistant and the IBM Threat Intelligence platform to create a self-service email protection portal.

First, companies use watsonx to create an AI shield chatbot that allows users to report suspicious emails and prompts for specific parameters such as IP addresses, URLs or hashes. Once this data is entered, the chatbot connects with the IBM Threat Intelligence platform to analyze the output and inform the user. If the email is deemed safe, users can proceed. If not, they are advised to report the email to their SOC team.
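The parameters the reporting chatbot prompts for (IP addresses, URLs, hashes) can be pulled from the reported message itself. The following is an added example, not from the original article or from IBM's products: it uses Python's standard email parser on a constructed sample message, the function name is an assumption, and no threat-intelligence lookup is performed.

```python
import hashlib
import ipaddress
import re
from email import message_from_string, policy

# Constructed sample report (not real traffic); the IP is a documentation address.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
 by mx.corp.example with ESMTP; Tue, 02 Jul 2024 09:14:03 +0000
From: "Alex Doe" <alex@example.net>
Subject: Great to reconnect after the conference
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

As promised, the deck: https://files.example.net/deck?id=42.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="deck.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def extract_indicators(raw_eml):
    """Return relay IPs, URLs and attachment SHA-256 hashes of a reported email."""
    msg = message_from_string(raw_eml, policy=policy.default)
    ips, urls, hashes = [], [], {}
    for hop in msg.get_all("Received", []):
        for ip in IP_RE.findall(str(hop)):
            try:
                ipaddress.ip_address(ip)  # drop malformed values such as 999.1.1.1
            except ValueError:
                continue
            if ip not in ips:
                ips.append(ip)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            hashes[part.get_filename() or "unnamed"] = hashlib.sha256(data).hexdigest()
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url.rstrip(".,;:") not in urls:
                    urls.append(url.rstrip(".,;:"))
    return {"ips": ips, "urls": urls, "sha256": hashes}
```

Hashing the attachment without opening it lets the user submit the hash for lookup while the file itself stays untouched.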

Rewriting the story of risk

Pretexting adds a layer of misdirection to executive phishing efforts. If attackers can capture the trust of C-suite executives, they may be able to wreak havoc with little to no warning.

But pretexting isn’t predetermined. By implementing basic email hygiene, bringing executives up to speed and deploying AI tools, companies can flip the script and take control of the C-suite narrative.
