Vishing – or voice phishing – is a social engineering assessment focused on calling target users to obtain sensitive information or access. Because the approach over the phone is more personal, this human attack vector is often even more effective than phishing, its email equivalent. Employees most engaged with the public, such as bank tellers and help desk employees, can be particularly susceptible.
In simulating this type of targeted vishing pretext attack, Rhino Security Labs provides an unmatched level of depth and customization. Starting with information gathering, we leverage a range of public sources to better understand the company and develop a pretext scenario based on client details. Using these custom scripts, our expert social engineers then engage the targets and document the subsequent details.
Pretext calling is the act of an attacker calling a target and pretending to be someone else in order to persuade them into revealing sensitive information. The attacker may then use credentials obtained from a successful vishing attempt to impersonate individuals within a corporation or to gain access to privileged company resources. Because these personal connections succeed so often, attackers are utilizing vishing more each year.
This voice-calling process is incredibly useful in real-world scenarios. An efficient vehicle for coercion, vishing creates an instant human connection that an attacker can exploit in real time. Unlike more traditional phishing, which can sometimes work as a veritable ‘dragnet,’ the voice-call alternative involves targeting specific individuals or positions within an organization. Often, these roles are public-facing, such as help desk employees or various customer service associates.
Vishing engagements are helpful for exposing how a malicious actor might use direct phone calls to elicit information from your employees. By identifying the level of risk – and educating users appropriately – this human-specific threat can be mitigated.
1 – Reconnaissance
Information gathering is a critical phase of social engineering and often determines the success of the rest of the assessment. Using a ‘black box’ approach, our security experts perform in-depth research to extract information on the target company.
2 – Create Pretext Scenarios and Payloads
Once we have fully enumerated the target, the focus turns to crafting the payload. This includes identifying departments, user roles, and the pretext scenarios associated with each. These details ensure each user is researched thoroughly for the most successful, targeted engagements.
3 – Engage Targets
Using carefully structured tactics and pretexts, Rhino Security Labs’ security analysts engage employees directly via vishing phone calls. Depending on the location of the targets and local laws, phone recording may be available; recordings are provided to the client’s focal points along with the accompanying documentation.
4 – Assessment Reporting and Debrief
After completing the campaign and aggregating the results, a final report is delivered, providing both an executive summary and specific details. Remediation steps and training guides are also provided, guiding the client in resolving the training and policy issues identified.
5 – Optional: Employee Education
As an optional addition, Rhino Security Labs provides user training sessions for client employees. Whether hosted as a recorded online webinar or an in-house training session, Rhino Security Labs provides quality security awareness training delivered by the same experts who performed the original engagement.
Contact us to learn how vishing is being used in your industry. Rhino Security Labs follows a structured series of steps in its social engineering campaigns so that assessments are consistent and repeatable. This step-by-step format ensures consistency in key areas, while providing flexibility in the specific pretexts and scenarios created. This customization helps ensure a successful, effective engagement.