If you’ve read our past joint newsletter, you know that Curt and I (Shelby) approach vishing in ways that are almost opposite to each other. But even though our vishing styles are almost always diametrically opposed, the results that Shelby and I (Curt) get are not dissimilar.
Curt has taken the lead on a really cool project, which helps us sharpen our vishing skills. As part of our internal training, we listen to each other’s vishing calls that I (Curt) have picked out beforehand. These are calls that we, the operations team, have made using our current pretexts. After we listen to the calls, we take a little time to pick the calls apart. We listen for what worked, what could have gone better, and most importantly which influence and rapport building techniques were used.
This allows us all to be better at not only identifying these techniques when they’re used, but to become better at intentionally utilizing them as well. And (my favorite part) it lets me (Shelby) steal everyone else’s ways of implementing these techniques. So today, we thought we would take a look at a real call that I made and break down those techniques together. Let’s start with the first 30 seconds of the call. This interaction is between “Tara” (T:), our target, and “Marie” (M:), our visher. Names and certain sentences have been edited/shortened for privacy and brevity.
The Vishing Call Begins
T: Hi, this is Tara, how can I help you?
M: Hi Tara, this is Marie, I’m calling with (company name) IT, how are you doing today?
T: I’m good, how are you?
M: I’m doing good, thanks so much for asking! You’re the first person to ask me that today so I really appreciate it.
T: *laughing* Yeah!
M: I won’t take more than two minutes of your time here. We are in the process of moving employees over to a Virtual Desktop Infrastructure, and what we are doing is just getting certain departments set up with that today, just following up on that email we sent out a few weeks ago… I’ve spoken to a few of your coworkers already, and it’s your turn! Do you have a moment to assist me with that?
Social Engineering Techniques – Authority
Ok, so the first technique I (Curt) see here is “Authority,” which is almost a freebie. We use it on most calls just by impersonating a specific department’s personnel in our pretext. Authority is the right to exercise power or influence over another person. As an influence technique, it means I am trying to exercise power or influence over the person I’m talking to. In this case: “I’m from IT. I’m calling to do IT things that the IT department is doing for the company.” This works as authority because IT personnel have expertise and access within the company that other departments do not.
Social Engineering Techniques – Liking
The next one that stands out to me (Shelby) is more subtle: “liking.” I thanked her and told her (with a little laugh) that she was the first person to ask me how I was today, and expressed how much I appreciated it. She also laughed in her reply. I felt like we had a little bit of a bond after this moment.
Social Engineering Techniques – Artificial Time Constraint
No one wants to spend an indefinite amount of time talking to a stranger on the phone. Using an Artificial Time Constraint at the beginning of the call answers the question the target is definitely asking themselves: “how long will this take?” Shelby employed this perfectly when she said, “I won’t take more than two minutes of your time.” Two minutes is a believable amount of time, and it is not as casually vague as “I’ll just be a moment.” To clarify a point, Shelby also asked, “do you have a moment…” On its own this is not an Artificial Time Constraint, but here it reinforces the one she had already laid out. The time constraint is artificial because she had no intention of actually sticking to the two-minute limit. It’s just there to ease the target’s mind.
Social Engineering Techniques – Social Proof
Social Proof is a “psychological phenomenon that occurs in social situations when people are unable to determine the appropriate mode of behavior. It is easy if you see others acting or talking a certain way, to assume that is appropriate.” I (Shelby) see this being used to influence Tara when I said, “I’ve spoken to a few of your coworkers already…!” I used this hoping that she would think her coworkers had already conformed to my requests. Then, she would feel it was ok for her to do the same.
That was a lot of social engineering techniques packed into 30 seconds! Let’s look at the next part of that call and see if it pays off.
The Vishing Call Resumes
T: Yeah!
M: Let me look up your file to see what we have to do for you. What’s your User ID?
T: *provides User ID*.
M: Ok perfect we just need to set up a couple of security questions… so these are all preexisting ones that you’ve done in the past… *lists possible questions*
T: We can do favorite color and mother’s maiden name.
M: Ok perfect. I do have to input the answers on my end. What would you like me to set those as?
T: Rainbow for my favorite color.
M: That is crazy you say that! I actually always say that, and people look at me like I’m crazy, but I swear it is!
T: That’s the best color!
M: I agree! *Both laugh* I’ve never heard anyone say that before! Ok love that, love that answer. Ok and then mother’s maiden name?
T: Smith.
Social Engineering Techniques – The Payoff
Here we can see how the previous legwork of using those social engineering techniques is paying off. Now I (Shelby) was able to just start asking for her User ID and security question answers, and she replied without even thinking about it. Once she answered the User ID question, she was committed. She had already answered one question, so what was the harm in continuing? I do see one technique utilized in this section… liking. Again! People like people who are like themselves. I aligned myself with her by saying I had the same favorite color. It’s interesting that this worked, because it was a unique answer. Saying “me too!” could have backfired if I hadn’t built enough rapport. But obviously there was enough trust there to get me further instead of breaking that trust.
OK, Shelby, I (Curt) need to point out that when you said “rainbow” is also your favorite color, you went somewhat beyond liking in this case. There is an element of tribalism – you essentially established that you and your target were part of a very small, very exclusive tribe. Her neurotransmitters must have been going berserk. I bet she would have given you her password if you asked.
The Vishing Call – Wrap Up
Let’s see how this call wraps up:
M: Ok perfect, so it looks like that’s all set up. Now it will take a while to just upload all your apps and everything that you use into that VDI once you start it up. I can do that for you now in the background, I would just need your password so it’s up to you if you would rather do that manually or have me do it for you…
T: Um, is it easier for you to do it?
M: It is easier. It just depends on whatever you’re comfortable with.
T: Ok what password do I give you?
M: It is the one you log in with.
T: Ok yeah, I can just give that to you.
M: Ok, whenever you’re ready.
T: *spells password*
Another Social Engineering Technique – Reciprocity
Oh. She did give up her password! And another really cool technique happened here: reciprocity. “I can do X for you, if you can do Y for me.” Shelby offered to set the VDI up completely for her target, giving her almost nothing to do besides log in, but to do that she needed the system password. What makes it ultra-effective here is that, even though what Shelby was offering would realistically be more work for her, she gave off the feeling that it was no big deal. On top of that, she left the password as the target’s choice. It’s not something the target needed to reveal within the structure of the pretext. It was just an additional step, a little favor, that Shelby could do for her. Again, no big deal either way, very disarming.
It’s interesting to me that even though she said, “yeah I can just give that to you,” I (Shelby) still had to prompt her to actually provide it. I would guess that’s because giving out our passwords is something we’re told not to do from a young age. It’s like crossing the street, right? We know we have to look both ways first. We know we’re not supposed to give out our passwords. But again, by doing the legwork, by leaning on social engineering techniques, and by making it seem like providing that password was her choice, she was comfortable enough to do so.
Social Engineering Techniques – In Review
This call was around 3 minutes and 30 seconds long. In that call we identified five specific social engineering techniques that were explicitly utilized.
It is interesting: we usually use these joint articles to illustrate how different Shelby and I (Curt) are from each other, style-wise, but still similar in results. Yet I use this pretext in a nearly identical way.
What Curt just said could partially be because I (Shelby) stole his password grabbing technique… but that will be our secret. I love being able to break down calls like this and identify the social engineering techniques used (and steal them from my colleagues). Let us know what techniques you saw, and what you might try using in conversations!
At Social Engineer LLC, our purpose is to bring education and awareness to all users of technology. For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit:
https://www.Social-Engineer.com/Managed-Services/
Written by: Shelby Dacko and Curt Klump
Images:
Image by studiogstock on Freepik
Image by studio4rt on Freepik