GLBA Pretexting Rule – Guarding Customer Data Against Deceptive Practices

The Gramm-leach-Bliley Act (GLBA) sits at the heart of the financial industry. The law regulates financial institutions, banks, insurance companies, and other entities dealing with non-public financial information (NPI). The law aims to protect customers' data from current and emerging threats and ensures its confidentiality, integrity, and availability.

However, with all the robust security measures and access policies in place, cybersecurity incidents, such as data breaches, tend to occur. Pretexting is one of the most common reasons behind such incidents, even when optimal security measures are implemented. This may be why the GLBA provides added provisions for such security threats.

This blog briefly explores pretexting, its common examples, and the relevant provisions outlined under the GLBA.

Understanding Pretexting

The cybersecurity sphere considers humans as the weakest link, a notion based on many compelling reasons. Take, for instance, the most prominent trait that renders humans susceptible to risks is curiosity. Threat actors understand this human trait very well and frequently exploit it through enticing traps. Pretexting is one such common yet highly effective trap that tops the list.

Pretexting is the illicit practice of accessing someone’s confidential or sensitive information using false pretenses. The cybercriminal creates a compelling situation that entices victims to divulge information they should not really expose. This practice is often experienced at the enterprise level, where scammers aim to target clients’ sensitive data, such as credit card numbers, account information, social security numbers, etc.

The threat actor attempts to request information from the company by impersonating someone with authority, such as a CEO, who can access sensitive information. One common example of pretexting is pretending to be an email provider. The cybercriminal may send a fraudulent email to a user, requesting them to verify their password or change it under the false pretext of a potential data breach. Consequently, the cybercriminal swiftly steals the password when the user clicks the provided link in the email and attempts to change the password.

Canadian University Phishing Scam

In this incident, the university fell victim to a fraudulent scheme amounting to $11.8 million. The perpetrators, posing as construction contractors, engaged in pretexting by creating deceptive websites and emails. Exploiting a lack of verification measures, the university failed to authenticate the legitimacy of the communication with the supposed contractors. Compounding the issue, the responsibility for communication with the contractor was delegated to three lower-tier employees. As a consequence of the phishing email, the university unwittingly altered the banking details of the construction contractors, resulting in a significant financial loss of nearly $11.8 million.

Techniques of Pretexting Scams

There are several techniques that cybercriminals may leverage to conduct pretexting attacks, such as:

Impersonation

Impersonation is amongst the most common types of pretexting attacks. In this attack, the attackers assume the identity of someone the victim trusts, such as a friend or a family member, or someone who is assumed to have access to sensitive information, such as an office employee, tech support staff, etc.

Phishing

Phishing is an ideal example of a pretexting attack. Phishing attacks are designed to deceive individuals into disclosing personal information or clicking on links that could result in malware infections. Unlike typical phishing tactics, social engineering pretexting frequently uses a targeted spear phishing approach, aiming to establish and prolong a connection over an extended duration.

Baiting

As the name suggests, baiting is luring or trapping an individual by making an attractive promise of a reward, such as a fraudulent refund or cash prize. When incorporated into a pretexting scheme, the scammer devises a scenario to instill confidence and a sense of security in the victim, encouraging them to take the bait. Usually, this type of attack helps the attacker steal credentials or sensitive information. This may include clicking a link or a URL in an email.

GLBA Pretexting Rule

GLBA Pretexting Rule has been designed to counter scammer attacks. GLBA prohibits the collection of information under false pretenses. The law stipulates that an individual must not obtain or try to obtain a customer’s NPI via false statements, fraudulent statements, or by falsely assuming the identity of a representative, an employee, or a customer. The law further prohibits individuals from intentionally forging or counterfeiting any documents to obtain customer information. The law goes on to penalize individuals with a fine, imprisonment, or both if the individual is found to be knowingly and intentionally attempting to violate the Pretexting Rule.

Best Practices to Prevent Pretexting Risks

The law provides no recommendations or guidelines for preventing or overcoming pretexting threats. However, there are certain best practices that financial institutions may consider to prevent such attacks and protect the integrity, confidentiality, availability, and accessibility of customers’ data. These practices may include;

Staff Training

As pretexting manipulates individuals into compromising their own security, providing training to employees on recognizing and responding to pretexting scams can contribute to safeguarding an organization. Employee training should be a priority for every organization managing sensitive information, such as financial data. Employee training should encompass protocols for managing sensitive information, organizational policies, and procedures. This training should also incorporate guidelines regarding access to information, aiding employees in distinguishing between authorized and unauthorized individuals.

Robust Authentication and Authorization Process

It is crucial for organizations to establish and implement a robust authentication and authorization process to ensure that only verified individuals can access sensitive data or accounts. Moreover, the organization must create and implement strict access policies and controls to ensure that authorized individuals can access customer data. It is recommended to strive for role-based access control (RBAC) policy and minimize access to only what is required.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC is an email authentication protocol designed to counteract spoofing by verifying whether an email originates from the claimed domain. In cases of spoofing email, the system can automatically redirect the email to a spam folder or delete it. This practice can be implemented to deter pretexting scams.

Streamline GLBA Compliance with Securiti PrivacyOps

Securiti PrivacyOps, an extension of the Data Command Center, enables financial institutions to streamline their GLBA compliance requirements with unified intelligence around data and automated controls.

Schedule a demo to see PrivacyOps in action.