Secondary Categories: 02-Initial Access, 02-Information Gathering
Vishing is also known as voice phishing and is the practice of eliciting information or attempting to influence action via the telephone. The goal is to obtain valuable information, contributing to the direct compromise of a target.
There are a lot of things attackers can do such as:
- Spoofing their number
- Use Artificial Intelligence based software to mimic authentic voices.
Targets
Depending on targeted company and the context of the call it may vary who the target is⦠Its important to generally gather the following information if possible:
- Email address,
- Manager name/contact information,
- Company hierarchy information,
- Direct phone numbers,
- Employee titles and/or IDβs,
- Addresses,
- Social Security numbers,
- User credentials, or
- Any information about the technology or processes a company uses.
Conducting the Call
Depending on the call we can use technical jargon to convince the employee to suppy simple information like company ID, badge, First Name, Last Nmae, Job Title, or even social security number. There are several good tactics to attempt when making the call.
- Deliberate False Statement: Telling the victim an email address that is obviously wrong and letting them correct you with the right email address.
- Influencing Emotions: Stating that you really need help or making the victim feel sympathy for you and ultimately convincing them to help you you provide the infromation that you need.
- Trading Services: By offering to IT services to the victim in order to obtain user credentials.
- Mumble Technique: When the call center agent ask questions it maybe possible to mumble an answer in hopes they accept it and move on without verifying
Building Rapport
The key to any vishing call is to build rapport with the victim on the end of the phone so they can begin to trust you and is more willing to offer the information you need in return. There are a few ways that can build rapport with a victim:
- Establishing Artificial Time Constraints: Exclaiming to the victim that this will only take a moment
- Accommodating Non verbals: Communicating in a relaxed, friendly, and non-threatening conversation.
- The Way You Project You Voice: Its important to be concise of the rhythm, speed, volume, and pitch when talking to the target.
- Sympathy or Assistance: People like to be helped so eliciting your experience or asking for their experience may help.
- Ego Suspension: This means to not correct them or share you βgreaterβ knowledge, but instead saying βI donβt knowβ or just listening attentively when the target speaks
- Validate Others: Show the target that you like them first. Usually people who show that they value or respect the person by giving the person their time and attention.
- How? Why? When?: Asking these questions to a target can convince them to divulge more information
- Share Information: Share a little bit of info in hopes that the target will also share some info until you build up enough to divulge more info.
- Gift Giving: Give the target a gift that is of value to the target in hopes to retrieve info.
Resources:
Also Check Out:
- PLACEHOLDER