Pretexting Samples

8.4 Pretexting Samples

As described in the introduction to this section, pretexting means placing someone in a familiar, plausible situation so that they divulge information they would otherwise protect. Let us see some examples in the next slides.

8.4.1 Sample

Let us say we want to target someone living in the general area of an outage that will affect them. If we go to Google and run a search like the one shown in the next screenshot, we will get outage notices posted on various websites.

Once opened, we see that there will be power outages in specific areas.

Knowing this, we can open Google Maps, look at the area and the addresses in it, and eventually identify the owner of one of the locations. In 15 minutes or less we have enough information to construct our pretexting attack, so let us create our script.

The following is an example of what our conversation may look like:

Hello Mr. Gerhard, my name is John Townsend from Southern California Edison and I need to speak with you about some upcoming changes in your area. First I need to verify some information from you to validate that you are the right person I should be speaking with; you know you can never be too careful these days. First, can you repeat your name and address for me? Great! That much I have correct! Now can you tell me the last 6 digits of your Social Security Number? Note that I'm not asking for your whole SSN, just the last 6 so we can ensure it is you without having all the numbers. Getting close now Mr. Gerhard, just a couple more questions. What is the state you were born in? May I have your date of birth? And do you use oxygen or any other medical equipment that requires your power to always be on?

Excellent, thanks! We at SoCal Edison thank you for your patronage and want to inform you that you are going to be having a community power outage on June 27th from 9am to 6pm. We want to ensure that you are aware of this in case you need to make any arrangements for a cool place to go, or to ensure that any medical equipment is sufficiently accounted for power-wise, as this outage will be prolonged.

I want to thank you for your time today, Mr. Gerhard, and thanks again for being a SoCal Edison customer. Have a great day!

So, in a relatively short amount of time, we have constructed a believable story and found a suitable victim. What did we actually get? Note that we never asked for the full Social Security Number, which would have raised suspicion, but we did get the last 6 digits, plus the state in which the person was born, plus a date of birth and whether the household depends on powered medical equipment.

Before SSN randomization took effect in June 2011, the first three digits of a Social Security Number (the area number) were assigned according to the state in which the number was issued, and each state had a published set of area-number prefixes. Now all we have to do is reference that list: the birth state narrows the three missing digits to the handful of prefixes assigned to that state, so instead of one number in a thousand we are left with a short list of candidate SSNs. Here is a list. Keep in mind that numbers issued after the 2011 randomization no longer carry any geographic meaning, so the lookup only works for SSNs issued before then. As you can see, a little bit of internet searching and some creative thinking is all we need to find unwitting victims.
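The lookup described above, as an added example that is not part of the original course material: given the six digits the pretext extracted (group and serial) and the victim's birth state, enumerate every full SSN that is structurally valid. The state-to-prefix table is a constructed, illustrative subset of the pre-2011 SSA allocation and is an assumption here; verify it against the SSA's historical area-number table before relying on it. The example also shows the post-randomization case, where the area number is no longer tied to a state and the candidate list balloons accordingly.

```python
"""Enumerate candidate SSNs from the last six digits plus birth state.

Added example, not from the original slides. Demonstrates why "only the last
6 digits" plus a birth state is almost the full number for SSNs issued before
randomization (June 2011).
"""
from typing import Dict, List, Tuple

# ASSUMPTION: illustrative subset of the pre-2011 SSA area-number allocation.
# Replace with the SSA's historical table for real use.
AREA_NUMBERS_BY_STATE: Dict[str, List[Tuple[int, int]]] = {
    "NH": [(1, 3)],
    "ME": [(4, 7)],
    "VT": [(8, 9)],
    "MA": [(10, 34)],
}

RANDOMIZED_AREA_RANGE = range(1, 900)  # post-2011: any area 001-899 except 666


def valid_ssn(area: int, group: int, serial: int) -> bool:
    """SSA structural rules: area 001-899 excluding 666, group 01-99,
    serial 0001-9999. Anything else was never assigned."""
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return True


def candidate_ssns(last6: str, state: str,
                   issued_before_2011: bool = True) -> List[str]:
    """Return every structurally valid full SSN consistent with the leaked
    six digits (group + serial) and the victim's birth state."""
    if len(last6) != 6 or not last6.isdigit():
        raise ValueError("need exactly six digits (group + serial)")
    group, serial = int(last6[:2]), int(last6[2:])

    if issued_before_2011:
        if state not in AREA_NUMBERS_BY_STATE:
            raise KeyError(f"no area-number ranges loaded for {state}")
        areas = [a for lo, hi in AREA_NUMBERS_BY_STATE[state]
                 for a in range(lo, hi + 1)]
    else:
        # Randomization removed the geographic link: the state tells us nothing.
        areas = list(RANDOMIZED_AREA_RANGE)

    return [f"{a:03d}-{group:02d}-{serial:04d}"
            for a in areas if valid_ssn(a, group, serial)]


def search_space_reduction(last6: str, state: str,
                           issued_before_2011: bool = True) -> float:
    """How many times smaller the attacker's search space became compared
    with guessing the three missing digits blindly (1000 possibilities)."""
    remaining = len(candidate_ssns(last6, state, issued_before_2011))
    return 1000 / remaining if remaining else float("inf")


if __name__ == "__main__":
    leaked = "123456"  # constructed sample of what the victim read out
    for st in ("NH", "MA"):
        cands = candidate_ssns(leaked, st)
        print(f"{st} (pre-2011): {len(cands)} candidates -> {cands[:3]} ...")
    post = candidate_ssns(leaked, "MA", issued_before_2011=False)
    print(f"post-2011 randomized: {len(post)} candidates, state is useless")
```

For a victim born in New Hampshire the six leaked digits leave three candidate SSNs; for Massachusetts, twenty-five. With a randomized number the same leak leaves 898 possibilities, which is why the birth-state question only pays off against older numbers.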

Now keep in mind that pretexting of this kind has been a federal offense since the adoption of the Gramm-Leach-Bliley Act of 1999, whose pretexting provisions make it illegal to:

• Use false, fictitious or fraudulent statements or documents to get customer information from a financial institution.

• Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.

• Ask another person to get someone else's customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent ...

Note that these provisions are specific to customer information held by financial institutions; obtaining personal data by impersonating a utility, as in the sample above, falls under other fraud and identity-theft statutes, so the conduct is illegal either way.

Governments are familiar with these scams, but it is not always easy to find and prosecute the scammers. Therefore we have to rely on victim education to ensure that people are not taken advantage of in these types of scenarios.
