July 2, 2024 By Doug Bonderud

Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.

While phishing remains the primary pathway to executive compromise, increasing C-suite awareness of this risk requires a more in-depth approach from attackers: Pretexting.

What is pretexting?

Pretexting is the use of a fabricated story or narrative — a “pretext” — to develop a relationship with executives and gain their trust.

For example, C-suite members might be contacted by an attacker posing as a one-time acquaintance or prospective business partner. These encounters are designed to establish rapport between victim and attacker.

Consider the case of an “old acquaintance.” First, hackers find executive email addresses using public or corporate directories or conducting low-level compromise and reconnaissance on company networks. Next, they reach out to their target with a story about how they met at an industry conference or were introduced at a social gathering. Initial emails don’t contain any attempt at compromise — instead, they’re seemingly benign efforts that don’t register as worrisome.

Continued correspondence helps develop a rapport with executives until attackers send through a document or link with their message. While executives know the risks of clicking through on unsolicited requests, the power of pretexting makes it seem as though these links can be trusted.

According to the Verizon 2024 Data Breach Investigations Report, pretexting is now present in 25% of all business email compromise (BEC) attacks. While it can’t touch the 59% of attacks connected to ransomware, the sheer volume of ransomware attacks makes it easy to miss pretexting clues as executives and IT teams focus on early detection of ransomware extortion efforts.

The additive impact of pretexting

Pretexting isn’t enough to create compromise in isolation. Instead, it is used as part of larger compromise efforts to improve outcomes for attackers. Consider a one-time phishing attack. While executives might make the mistake of responding to emails or clicking on links, the damage done is relatively small-scale, especially if issues are immediately reported to IT.

However, a compromise campaign that combines pretexting, network reconnaissance and vulnerability exploitation can create an additive effect that sees attackers gaining basic network access and then using data supplied by executives to compromise sensitive or protected data.

The long-term timeframe of pretext efforts also reduces the chance that attackers are discovered before they act. Familiarity helps malicious actors fly under the radar. Given their rapport with executives — and since they’ve never asked for anything or taken any odd action — they can effectively hide in plain sight.

Consequences of executive compromise

There are several consequences of executive compromise, including:

Loss of data

Once attackers convince executives to click malicious links or download infected documents, they can capture usernames and passwords. Equipped with this information, malicious actors can access and steal sensitive data such as payroll documents, product spec sheets or financial statements.

Loss of money

Equipped with executive credentials, attackers can also impersonate executives and ask employees to take actions that cost companies money, such as transferring funds or making purchases.

Scammers may also convince CEOs or CFOs to take action on their behalf. For example, if the pretext involves a supposed entrepreneur building their own company, they may attempt to solicit “investment” from executives for their new business.

Loss of compliance

Compliance issues are also a concern with pretexting. If attackers are able to compromise data such as employee or customer information, enterprises may face penalties for non-compliance with regulations such as HIPAA, GDPR, CCPA or other compliance frameworks.

Three steps to reduce pretext risk

Pretext problems represent a growing risk because humans are naturally social creatures. While regular security training helps staff and C-suites spot odd behavior or strange requests, humans are predisposed to respond positively in social situations, creating the perfect opportunity for attackers.

A three-step approach can help prevent pretexting.

1. Subtract risks with solid email security

Reducing risk starts with the basics. Solid email security can filter out most phishing and pretext scams before they land in corporate inboxes by analyzing both the text and metadata of messages for common indicators of compromise.

2. Divide and conquer attacker efforts with regular training

Pretexting is an inherently human attack vector that exploits the social nature of work. While it’s impossible for C-suite members to eliminate their human instincts, it is possible for executives to divide and conquer attacker efforts with regular security training.

Consider a pretext email that’s part of a larger plan of attack. If cyber criminals can steal executive credentials, they can kick off a chain of events that leads to encrypted data and ransom demands. If, however, board members are trained to be suspicious of any unsolicited emails, no matter how benign, they can frustrate attacker efforts by removing a key link in the chain.

3. Multiply protective impact with AI

Pretexting helps attackers get a foot in the door. AI helps proactively address this risk.

For example, IBM SPSS Modeler Text Analytics makes it possible to process large volumes of unstructured text — such as emails — to extract key concepts and critical context. Armed with this information, companies are better prepared to pinpoint potential pretexts.

Businesses can enhance defense with the deployment of an AI Shield. This protective barrier combines IBM’s watsonx Assistant and the IBM Threat Intelligence platform to create a self-service email protection portal.

First, companies use watsonx to create an AI shield chatbot that allows users to report suspicious emails and prompts for specific parameters such as IP addresses, URLs or hashes. Once this data is entered, the chatbot connects with the IBM Threat Intelligence platform to analyze the output and inform the user. If the email is deemed safe, users can proceed. If not, they are advised to report the email to their SOC team.
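As an added illustration (not code from this article or from IBM), the sketch below gathers the parameters such a portal prompts for (IP addresses, URLs and attachment hashes) from a reported message, along with two of the metadata signals an email filter can check. The function name `extract_indicators` and the sample message are constructed for this example, and the code makes no call to watsonx or the IBM Threat Intelligence platform.

```python
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")       # relay IPs in Received headers
URL_RE = re.compile(r"https?://[^\s<>\"']+")
FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(?:fail|softfail)\b")

# Constructed sample message (hypothetical sender, reserved example domains and IP range).
SAMPLE = """\
Received: from mail.example.net ([203.0.113.45]) by mx.corp.example; Tue, 02 Jul 2024 09:14:00 +0000
Authentication-Results: mx.corp.example; spf=pass; dkim=fail; dmarc=fail
From: Alex Rivera <alex.rivera@example.net>
Reply-To: alex.rivera@example.org
Subject: Deck from the conference
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Great catching up again. A copy of the deck is at https://files.example.org/deck?id=42.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="deck.pdf"
Content-Transfer-Encoding: base64

SGVsbG8=

--b1--
"""

def _domain(header):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def extract_indicators(raw):
    """Return the IPs, URLs, attachment hashes and metadata flags for one message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    auth = str(msg.get("Authentication-Results", ""))
    return {
        "ips": sorted({ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(str(h))}),
        "urls": sorted({u.rstrip(".,);") for u in URL_RE.findall(text)}),
        "hashes": [hashlib.sha256(p.get_payload(decode=True) or b"").hexdigest()
                   for p in msg.iter_attachments()],
        "reply_to_mismatch": bool(_domain(msg["Reply-To"])) and _domain(msg["Reply-To"]) != _domain(msg["From"]),
        "auth_failures": FAIL_RE.findall(auth),
    }
```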

Rewriting the story of risk

Pretexting adds a layer of misdirection to executive phishing efforts. If attackers can capture the trust of C-suite executives, they may be able to wreak havoc with little to no warning.

But pretexting isn’t predetermined. By implementing basic email hygiene, bringing executives up to speed and deploying AI tools, companies can flip the script and take control of the C-suite narrative.
