Pretexting - a form of social engineering in which one individual deceives another in order to obtain information.
So I wanted to make an article that covers that old social engineering tool to acquire information. Some of you may not know it by its actual name but are definitely familiar with the practice. This is the art of deceiving someone in order to obtain information, which can be used both legally and illegally.
Have you ever received a weird phone call or e-mail from, let's say, your bank, but it really wasn't your bank? They were letting you know that, for whatever particular reason, it would be in your best interest to let them know your user name and password for your benefit. Then, not much longer from there, you had strange transactions coming from your account? Yep, someone lied about their identity in order to convince you to hand over your financial information. This is a direct violation of the Right To Financial Privacy Act.
The Right to Financial Privacy Act put in place strict penalties on anyone trying to obtain bank information illegally without a subpoena, warrant, or the client's written permission. Getting that written permission under false pretenses is illegal.
Pretexting can also be used illegally in the form of corporate espionage. I remember hearing one example when someone called a CEO's front office and asked if he could be redirected to one of the head secretaries. Since he did his research, he knew a little about the CEO, so when he was redirected he told the head secretary that Mr. CEO had redirected him to her in order to get some sensitive information really quick. Because the company hadn't put in solid security practices and it seemed like he knew the CEO, she handed the information over.
USING A PRETEXT LEGALLY
So... not stealing bank information or sensitive business information. What CAN I possibly get from this? Well, you can confirm someone is where they say they are or get more up-to-date address details on where they are actually staying. Maybe get a better phone number to contact them that isn't listed in a database.
So let's say you're setting up surveillance on a house and you want to know if your target is actually there. You can accomplish this in a variety of ways, each requiring research and the ability to be believable so you don't get busted. You can approach the house as a "salesman" or even someone looking for a "lost dog" to see if your target is actually home. You can call numbers associated with your target from a burner phone to gather information on their whereabouts.
In all actuality, the possibilities with it are endless. I always love hearing stories of good pretexts out there. If you have any, please share.