What Does a Vishing Simulation Look Like?
Though society has, these days, moved firmly into the digital age where emails, texts, and the online world dominate both communication and cyber-attack vectors, it might not occur to people—or organizations—that some scams are still perpetuated over the phone in what’s called a vishing attack.
One way to secure yourself against this threat is to have a vishing social engineering exercise performed by a qualified penetration test team, like ours at Schellman.
To help you understand more about what this operation would look like if you were to have your organization tested in this way, we’re going to first overview the medium and technique before providing insight into the progression of our vishing social engineering process.
What is Vishing?
Vishing is simply “voice-based phishing”: the same kind of deception, but delivered over the phone rather than by email or text. Here’s an example—an attacker calls a company's help desk to change an employee’s contact information, then calls again to reset the password using the new information. Such an attack might result in the criminal taking over an account at that organization.
That may sound implausibly simple, but it isn’t when you consider that attackers don’t just call out of the blue—they would likely first use some kind of social engineering to develop trust, just as we would at Schellman if we were simulating this kind of attack.
Schellman’s Vishing Exercise Process
But doing the necessary research to put together a convincing campaign in order to test your organization is only one component of our vishing exercise process—what follows is a detailed breakdown of the entire thing, from start to finish.
1. Scoping
The first and most important part of a vishing exercise is defining the goals and expectations for the exercise, which will first involve identifying potential targets in your:
- People: Vishing testing is meant to reveal the security vulnerabilities in your people, so we’ll need to know who we’re allowed to interact with—one way to determine this is to identify those whose identity would be considered critical if captured.
- Processes: Your scope will also include processes that are critical to phone interactions—e.g., the processes that are used to verify phone callers, or others that would be considered critical if bypassed or exploited.
- Technology: The technology available to the person on the other end of the phone is also of interest to us. Can the person’s workstation connect back to our exploitation infrastructure? Can they transfer us to another person?
Once you identify your targets in scope, the last, but no less important, component of this phase will be determining the phone numbers and dial options that your testers can call during the simulation.
(E.g., if your general helpline is being tested, we like to define the “options” that can be selected when in the “lobby” or “parking lot” of your phone system, as this helps to define success indicators during reporting as well.)
2. Reconnaissance
With your scope and phone numbers defined, the penetration testers can then begin gathering as much information as they can from open-source intelligence. This research—often called social engineering—enables your testers to create a more convincing purpose or backstory that we call a “pretext” when they start making calls.
3. Testing
Once they’ve gathered sufficient detail, testers will begin to probe your phone system using simple phone calls to explore:
- Dial options
- Hold times
- Hold messages
- Any other details that can be valuable during a conversation
These initial, short, and benign interactions with your employees, repeated and refined over time, give testers more information with which to supplement their pretexts. Only then do the calls attempt more direct exploitation, using increasingly sophisticated techniques such as impersonation and audio effects.
Schellman’s Policy of “Do No Harm”
Something else of note: whether it’s vishing or another type of social engineering being performed, we at Schellman keep a policy of “do no harm” when running these campaigns.
Because we understand that we’re interacting with people, not computers, and we take that very seriously, we do not attempt to instill fear or dread in the “target’s” life. It’s our code to never be the reason somebody has a bad day—each person needs to either feel nothing or better after talking with us. Please know that we consider ourselves guests on your phone lines and manners are first and foremost.
4. Reporting
After the vishing exercise ends, our testers will prepare a deliverable containing details of our:
- Meticulously tracked calls;
- Notes on the interactions; and
- The steps we took to create data points for subsequent calls.
We know that a report is only as good as the kind of action it spurs, and so we guarantee our diligence in quantifying and defining indicators of success for testing so that you receive the most valuable insight possible—insight beyond the typical advice of “more training” yielded in most social engineering tests.
Get Started in Protecting Yourself Against Vishing
Humans are socialized to implicitly trust the individual on the other end of the phone, but to maintain the security of your organization, all incoming calls should be treated as malicious—that means training all team members to be hyper-skeptical of incoming callers who refuse to verify themselves first, and to hang up if anything seems suspicious.
Not only should employees be taught how to recognize a vishing attack, but they should be protected against shooting themselves in the foot accidentally because everyone has been fooled at one point or another. Mechanisms can and should be in place to help your team avoid any action without first verifying the person on the other end of the call, and a vishing exercise can help confirm both that those mechanisms are effective and where your team needs more assistance.
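One way to build such a mechanism into a help-desk workflow, as an added example that is not Schellman’s code or the page’s own process: the script below models the two-call attack chain described earlier (change the contact number, then reset the password through the new number) and enforces two defensive rules before any account change. The agent must verify the caller by calling back the number already on record, never a number supplied on the call, and a contact number changed inside a cooling-off window cannot authorize a password reset. The employee records, phone numbers, timestamps, and the 24-hour window are all constructed assumptions.

```python
"""Help-desk caller-verification gate.

Added example (not Schellman's code): models the attack chain in which a
caller first changes an employee's contact number and then calls back to
reset the password using the new number. Two defensive rules are enforced
before any account change:
  1. the agent must verify the caller by calling back the number already on
     record, never a number the caller supplies on the call; and
  2. a contact number changed inside an assumed cooling-off window cannot
     authorize a password reset, so the two-call chain is broken.
All names, policy values and records below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

COOLING_OFF = timedelta(hours=24)          # assumed policy value
SENSITIVE_ACTIONS = {"update_contact", "reset_password"}


@dataclass
class Employee:
    user_id: str
    phone_on_record: str
    phone_changed_at: Optional[datetime] = None
    audit: list = field(default_factory=list)  # (when, action, allowed, reason)


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(emp: Employee, action: str, callback_number: str, now: datetime) -> Decision:
    """Decide whether the help desk may perform `action` for `emp`.

    `callback_number` is the number the agent actually dialled to confirm the
    caller; a caller-supplied number must never be passed here.
    """
    if action not in SENSITIVE_ACTIONS:
        return Decision(True, "non-sensitive action")
    if callback_number != emp.phone_on_record:
        return Decision(False, "callback did not go to the number on record")
    recently_changed = (
        emp.phone_changed_at is not None and now - emp.phone_changed_at < COOLING_OFF
    )
    if action == "reset_password" and recently_changed:
        return Decision(False, "contact number changed within cooling-off window; escalate")
    return Decision(True, "caller verified by callback to number on record")


def handle_call(emp, action, callback_number, now, new_phone=None):
    """Apply `decide`, record the outcome in the audit trail, and update state."""
    d = decide(emp, action, callback_number, now)
    emp.audit.append((now.isoformat(), action, d.allowed, d.reason))
    if d.allowed and action == "update_contact":
        emp.phone_on_record = new_phone
        emp.phone_changed_at = now
    return d


def simulate_chained_attack():
    """Constructed scenario: two calls an hour apart. Returns (call1, call2, reason)."""
    t0 = datetime(2024, 1, 15, 9, 0)
    emp = Employee("jdoe", phone_on_record="+1-555-0100")   # constructed record
    # Call 1: caller asks to change the contact number; the agent calls back
    # the number on record and the person there confirms (assume it succeeds).
    call1 = handle_call(emp, "update_contact", "+1-555-0100", t0, new_phone="+1-555-0199")
    # Call 2: caller asks for a password reset; the callback now goes to the
    # new number, which is on record, but it was changed inside the window.
    call2 = handle_call(emp, "reset_password", emp.phone_on_record, t0 + timedelta(hours=1))
    return call1.allowed, call2.allowed, call2.reason


def simulate_caller_supplied_number():
    """Agent dials the number the caller gave instead of the one on record."""
    emp = Employee("jdoe", phone_on_record="+1-555-0100")
    d = handle_call(emp, "reset_password", "+1-555-0199", datetime(2024, 1, 15, 9, 0))
    return d.allowed, d.reason


def simulate_reset_after_cooling_off():
    """Same chain, but the reset call arrives after the window has elapsed."""
    t0 = datetime(2024, 1, 15, 9, 0)
    emp = Employee("jdoe", phone_on_record="+1-555-0100")
    handle_call(emp, "update_contact", "+1-555-0100", t0, new_phone="+1-555-0199")
    d = handle_call(emp, "reset_password", emp.phone_on_record, t0 + timedelta(hours=25))
    return d.allowed, len(emp.audit)


if __name__ == "__main__":
    print(simulate_chained_attack())
    print(simulate_caller_supplied_number())
    print(simulate_reset_after_cooling_off())
```

The audit trail kept on each record is what makes the exercise measurable afterwards: every denied or allowed action carries its reason, so a reporting step can count how often verification was bypassed versus enforced without relying on the agent’s memory of the call.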
Now that you understand a bit more about that process, you may be interested in moving forward with a vishing exercise, and Schellman may be the right team to partner with—contact us today to learn more about our credentials.
However, if you’re not sure this is the right security exercise for you, make sure to check out our content regarding other exercises that may be more suitable to your organizational needs:
About Dan Groner
Dan is a Senior Penetration Tester at Schellman based in Washington. Prior to joining the firm, Dan held roles as a Core Pen Tester and Security Consultant, where he gained experience in various types of penetration testing, including those necessary for compliance initiatives. Now at Schellman, he remains focused on helping organizations discover vulnerabilities and delivering remediation and quantifiable solutions to ensure positive security refinement for clients.