I am currently a full-time social engineering pentesting professional with Social-Engineer, LLC (SECOM). My specialization is vishing services. If vishing is a new word for you, let me help. The Social Engineering Framework defines vishing as the “practice of eliciting information or attempting to influence action over the telephone.” Our readers often ask whether acting skills and classes would benefit their social engineering career. So, for this newsletter, I wanted to share how acting skills helped me become a vishing professional.
Acting Skills and Training
I’m not originally from the InfoSec world. My background is in construction, music, and, most importantly, acting. Playing in bands and working in customers’ houses both helped me get used to having conversations with strangers. Acting, though, is where I really learned to be present: to assess the other person and respond to what they were telling me, not only with their words but also with their nonverbal communication. My acting training and experience also taught me how to understand the goals of the character I was playing, and the strategies that character would use in pursuit of those goals. From hundreds of stage performances, and hours in rehearsal, I know that even scripted events don’t always go to plan. Sometimes finding a way to get back on track is the most fun part.
This is how my acting skills helped me become a vishing professional. The tools I’ve learned have been invaluable to me on the thousands of vishing calls I’ve made. Being comfortable talking to strangers has been a huge help to my vishing. I have a remarkably high discomfort threshold, and I don’t feel awkward initiating contact and talking to unknown people. I also maintain that comfort level even when it’s time for me to ask them for the information flags I need.
Playing Objectives
Every vishing call has an objective. But I would argue that many of our day-to-day conversations have an objective as well. In broad terms, we want people to listen to us, see our point of view, and do what we are asking. In some instances, we even try to offer some information in the hopes that they’ll reciprocate.
Early on in most actors’ careers we learn that the pursuit of our character’s objective is not only what makes a scene compelling, but also what makes it believable. And for me that kind of believability is vital to my success when I am using a pretext.
Occasionally I make the mistake of assuming the target I am calling won’t answer their phone, and I go into the call without much preparation. Then, when they do answer, I’m unfocused because I haven’t taken a moment to remind myself of who I’m calling and what I’m calling about. In these instances, the targets pick right up on my lack of focus because it doesn’t fit with the character I’m playing in the moment. Sometimes I can find a way to pivot and regain my composure – “Oh, sorry! I thought you were a voicemail message for a second” – but often these calls result in the person I called shutting me down.
Objectives Plus Character
Designing a character and playing an objective – the pursuit of a character’s goals and desires – are acting holdovers that are essential to my success in vishing and impersonation. It’s easier and more natural to stay within the pretext when I’m an IT or HR rep and the pretext IS my objective, rather than calling as some pentester whose objective is to get flags. The former makes building rapport and asking questions easy. The latter would make me sound a little (or a lot) suspicious. The key is making choices about who the character I’m pretexting is and what their goals are.
For vishing I need a character that can easily answer some simple questions about themselves such as their:
- name
- job title
- manager’s name
- location
- fake credentials
- employee ID
- email address
If I’m pretexting as an intern, being able to talk about where I go to college and what my major is has proved to be useful too.
This is different from the more intensive character work I would do for a play or a movie. The characters I design as a visher need to be somewhat flexible so I can adjust their personalities to suit the comfort levels of my target. I also want them to be somewhat forgettable (trust me, as an actor I NEVER EVER wanted that) so that when our interaction ends, they won’t think back on it too much. These choices help me seem like a real person and, hopefully, will provide a good enough answer to simple verification questions.
My Character Needs to Know “Why”
The other details I need to be clear on are my “whys” for the flags. Why doesn’t my character have access to the information I am asking for, and why do they need it? Most of the time, the more difficult flags will be addressed by the pretext; often our pretexts are built around these flags. Sometimes the smaller flags need a quick, separate explanation. An email address, for example, is a flag I can usually get. It is probably not one of the bigger items I can go for, but I might need it as a second piece of information to resolve a call as a compromise.
If I decide that my character would prefer to only be on the phone for more urgent issues, then any “following up” they’d need to do would clearly be through email. “If I need to follow up with you at all I’ll just email you, cool? What’s your email address?” Because I understand my character’s internal motivations, the reason for asking for the flag is natural, easy, and obvious.
This is also how my “attacker mindset” works. I stay in character, I stay on pretext, and I keep pursuing my objective the way I would in a scene. The active listening skills and the ability to stay present and in the moment that I learned on stage and in rehearsal keep me sharp. These skills also allow me to ask every question my character would ask. Every question – including the ones that get me the flags I’m looking for. And this is what makes me hard to defend against without security training. I sound like a person who is legitimately pursuing my stated pretext goals, because the character I’m playing is. And that character knows all the reasons he’s asking you for sensitive information.
Non-Verbals
It’s somewhat counterintuitive, but our voices also have non-verbal qualities. The rhythm, speed, volume and pitch (RSVP) of our voices can communicate as much as the words we speak. Acting training primed me for non-verbal training. The difference is that the way we train non-verbals in acting is a little more touchy-feely, whereas the way we train non-verbals for social engineers is more technical and academic. In acting training, or even in rehearsal, we focus on listening to subtext, feeling our scene-partner’s “energy,” and responding to what they are “giving you.” In more technical terms, that translates to “observe their non-verbals – including their RSVP – and use those observations to respond in a way that serves your objectives.”
Non-Verbals and the Actor-Way
The “actor-way” is how I originally learned non-verbal observation and is still primarily how I process things in the moment. But now I have also gone through SECOM’s Advanced Practical Social Engineering, Paul Ekman’s microexpression training, and trained with Joe Navarro at our Human Hacking Conference (HHC). This lets me stop and examine what I saw whenever something hits me in my more instinctive/intuitive actor brain – “Was that a bad sign? He leaned back and narrowed his eyes slightly… yeah, that’s distancing and a slight version of an eye block, not great.” In vishing though, there are non-verbal cues that you hear, rather than see.
Very early on in my career, I noticed a sharp drop in some people’s volume when they would give me a piece of information that I was looking for. This let me know that they were probably uncomfortable giving out that information and that I should try to put them at ease before I went after any of the other tidbits I was looking for.
Non-Verbals and Vocal RSVP
Instead of the target’s body language clueing me in to their emotional state, their vocal RSVP will clue me in to their comfort level and can often provide information to help me assess them. If they have short, clipped answers and sound somewhat impatient, I will get straight to the pretext, because they are probably more of a task-focused person who will appreciate me getting to the point.
On the other hand, if my target seems like they are happy to hear from me and willing to joke around and small talk a little, I will assume that they are more of a people-person and I will shift my tactics to suit them. Being able to shift your RSVP on a call is a relatively easy way to mimic a target. People like people who are like them – adopting someone’s rate and rhythm of speech can help build rapport.
Exit Stage Left
These are only a few examples of how acting skills helped me become a vishing professional. Some other points are too complicated to explain, and others are too abstract or instinctual. Luckily, all of these can be learned with some reading and, more importantly, some practice. I would love to recommend a slew of books to give you a wealth of acting knowledge, but the only book that ever gave me a palpable bump in my craft is Impro by Keith Johnstone, the “Father of Improv.” Because Impro teaches spontaneity, Daniel Isler of Dreamlab Technologies’ Fr1endlyRATs SE team has called it the book that teaches how to be a social engineer (and you should read this one too).
As far as practice goes, improv classes will teach you how to trust your impulses and act on them in the moment. I would also recommend some scene study or text classes as well. Those will give you some experience working with character design and how strategies can change during the pursuit of objectives.
You can also learn about vishing techniques from myself and my co-worker Shelby Dacko at the HHC in March. The HHC will also feature the amazing Stephanie Paul and Britney Caldwell. Both of these remarkable ladies have experience in acting and coaching. Their workshops will enlighten you to the value of acting skills in communication. Acting skills helped me become a vishing professional and they can help you too.
Written by Curt Klump
Sources:
https://www.social-engineer.org/framework/attack-vectors/vishing/
https://www.social-engineer.com/training-courses/advanced-practical-social-engineering-training/
https://www.paulekman.com/about/paul-ekman/
https://www.jnforensics.com/
https://www.humanhackingconference.com/
https://www.goodreads.com/book/show/306940.Impro
https://twitter.com/Fr1endlyRATs
https://www.wiley.com/en-us/Social+Engineering%3A+The+Science+of+Human+Hacking%2C+2nd+Edition-p-9781119433750