Vishing 101 — Tell me baby, what’s your story?

 

I always get so very excited when we conduct a pentest that involves phone elicitation (aka vishing). For me, it’s a close second to creeping on people for OSINT (because nothing tops a good spy session).  When vishing, I’m certain to be the best version of myself, whichever one it happens to be that day, Kate, Sandy, Sidney, Beth or Danielle… the possibilities are endless.  I prepare myself for success through a little due diligence and the development of a character profile to create a solid story.

Who, what, when, where, why, how? Create a story and stick to it!

When it comes to blindly dialing into an organization in an effort to capture ‘flags’ of mission-critical information, it can be really nerve-wracking. You’re entering a very unpredictable situation. The last thing you want is to be caught up the creek without a paddle, so to speak. What if the target asks you to verify yourself? How will you handle that? What if they don’t believe your pretext? How do you react? Do you give up? Absolutely not! Never be afraid of your opponent. They don’t know who the voice on the other end of the line truly belongs to, and the reality is, they rarely will. There have been times when a target absolutely wasn’t buying what I was selling from the get-go, but through enough assurance, and the fact that I never changed my story, I was able to turn the call around for a successful compromise. If you stick to your story and have done enough research to adequately handle any curveball questions, you are far more likely to succeed.

I find that the best way for me to prepare is to sit down and mentally gather myself by spending some time becoming familiar with the character (yep, I said character) that I’m going to play.

This is important for the following reason: psychologically, you have to have confidence in yourself. If you call in like you just took a ride on the hot mess express without a solid story, or don’t have an answer when the target asks who your boss is, no one will feel confident giving you any information, much less highly personalized details.

Confidence is critical in vishing scenarios, and this confidence should be based on “facts” – facts that you actually believe about “yourself,” the one you are playing. These facts should be prepared ahead of time. It helps to write them down. I usually dedicate an entire sheet of paper to my particular role. Think of it as the creation of a character profile. This character profile is your guide throughout the call. You can list facts and details to help you get to know your particular character, especially if you’re playing one that is a stretch for you. Maybe he needs a new characteristic: a fabulous skill, a quirky attitude, something that will make the character come alive for you. How detailed you want your character sheet to be depends on what works best for you. What’s your name? Why are you calling? What permissions/authorities do you have? Who do you work for? What department do you work in? Why have you been locked out of your account? Why do you need the password? If they look you up in Active Directory, why aren’t you there?

Sample character profile – your guide to creating a story

Below I’ve included a basic guide for creating a character profile. You can use this as a starting point, and make it more or less detailed, based on your personal preference.

    • Full name
    • Age
    • Present location
    • Company/positions/roles
    • Time you’ve been in current company/position/role
    • Mannerisms/speaking style/dialect
      (should match your role; an intern wouldn’t speak with the same authority as a C-level executive)
    • Educational background/intelligence level
    • Flags you’re looking to obtain
    • Reason why you’re asking for the flags (data corruption in last system update, etc.)
    • How your character is involved in the story
    • Any objections you may encounter and potential explanations for them
    • Names that would be helpful to drop (gathered from OSINT)
    • Industry or company terminology that would establish social proof (from OSINT)
    • Additional information that would be helpful such as sample employee IDs, emails, etc.

In my professional vishing experience, I’ve found that overwhelming the subject with so much detail in an exhaustive “I’ve been doing this all day and I’m just desperate for help, I need this and here’s why, let’s just move this along” manner works really well. When you clearly identify yourself and what you want up front, chances are you can get in and out very quickly. However, this does not work 100% of the time as there are (hopefully) policies and protocols in place, which require an employee to verify a caller’s identity before giving out any information. When that happens, you should either have a sample employee ID, some personal identification information gathered from OSINT, or a really good story for why you don’t. Keeping that character profile in front of you for reference can be the difference between a success and a fail.

A chess player might tell you that knowledge is not the same as ability. This is a key lesson: all of the positional knowledge in the world is worth less than the ability to see one move ahead. Similarly, social engineers should be prepared to combat “no” by thinking ahead to particular objections the target could potentially make and preparing appropriate responses.

A well-known principle of human behavior says that when we ask someone to do us a favor, we will be more successful if we provide a reason. A 1989 study by Harvard social psychologist Ellen Langer illustrated just this. People simply like to have reasons for what they do. Dr. Langer demonstrated this by asking a small favor of people waiting in line to use a library copy machine: “Excuse me, I have five pages. May I use the Xerox machine because I’m in a rush?” When asked this question, a whopping ninety-four percent of those asked let her skip ahead of them in line despite the fact that everyone standing in that line had to use the copy machine. This works incredibly well; be prepared to explain why you’re asking for the information, and if you’re questioned or met with an objection, be prepared to explain your way around it.

Like chess players, social engineers must have a great opening. After all, the more advanced the opening, the stronger the game. Know your story and stick to it, even if you run into obstacles. It’s never too late to turn the game around! Until next time: be careful what information you give out over the phone because you never know when it might be a version of me on the other end!

Written by Jessssssssss
