At Social-Engineer, LLC (SECOM), we define vishing as the practice of eliciting information or attempting to influence action over the telephone. With this in mind, I had a ton of fun my first week as a professional visher at SECOM. I got a bunch of compromises (which is the name we give to calls that end with the target giving us the information we’re tasked to get) too. I was not failing gloriously, I was succeeding! Chris Hadnagy, my boss, called us into a surprise meeting to congratulate us. This was also one of the first times that I genuinely enjoyed doing my job.
The second week, however, was not nearly as fun. We switched target groups and I, the once vish-annihilator, spent my week being annihilated. I was living in shutdown city. A shutdown is where the person being called refuses to supply the information we are calling for. As a direct result of that week, my attitude toward being shut down on a call changed. Now I am often more excited about failing gloriously with a good shutdown than I am about a good compromise, even though my compromise ratio remains relatively high. I’d like to share with you exactly what helped me change my perspective and why it matters.
Funnie
After my week of shutdowns, I decided to review some of my calls. I wanted to see what I could change to have a greater rate of success, AKA, get more compromises. As I was listening to the recorded version of one of my targets saying “ok hold on a… I need to make sure… I need… is…IS THIS FAKE?!?!” Something different happened. Instead of feeling beaten and ashamed, I guffawed. Full belly laugh.
Since then, I have had a multitude of shutdowns that have made me cackle after I hung up. Initially, being able to look back and find the humor in a call in which I had essentially failed was difficult. It takes a fair amount of ego suspension to be ok with being the loser in these situations. Admittedly it isn’t always enjoyable. I will confess that having a day where I am just getting shut down over and over again can be grating. But, the upside is the calls are hilarious when I listen to them later. Usually when that happens, I need to stop, take a break from vishing and work on something else. Reframing shutdowns doesn’t equate to wanting them to happen over and over again. Sometimes a shutdown means that the person you are talking to is trained or, at the very least, security minded.
What Made Me Laugh
-
- (Target singing into phone) “I passed the test, I passed the test, I’m proud of myself!”
- “Look here, I am never going to fall for your little social engineering scams or whatever, so you can take me OFF YOUR LIST AND STOP CALLING ME” (I seriously can’t wait to call him back)
- “Hey, Doug? Yeah. Lemme stop you there. I’ve got a lot on my plate right now and I really don’t have the time to go through this whole thing with you, so… why don’t you write down that I did a good job, and I didn’t give away any company secrets, and we can call it a pass. K?”
- “No. I recognize your voice. Uh-uh. Last year I gave you like my employee ID and whatever- No. I’m not falling for that again.” *click
I should point out that, no matter what the targets say to me, no matter how clearly they know they are being tested, I never break pretext. My pretext is what I tell the target about why I’m calling and I stay in character and on task until they end the call. I never know what is going to turn a call around, but I do know that saying “Yeah, you’re right! I’m fake!” won’t.
Failure
Having a fear of failure is fairly universal. I know when a lot of people start vishing they are afraid of failing. Being able to compromise a target is definitely a success for us as the visher, but let’s examine whether getting shut down is really a failure. I would argue that it is not.
If a target shuts you down, they are doing their job and they are protecting their company. So, what about when you start to get shut down at a much higher rate than you used to? Congratulations! You are SUCCEEDING at your job! Not only are you testing your client’s user base, but you are also training them to not fall for the tricks of malicious actors. And not only that, but obviously your targets are learning! Excellent! Now it’s time to switch up your tactics and see if they can avoid those new ones too!
Acting Skills Help Me Embrace Failing Gloriously
In a previous newsletter, I wrote about how my acting training has benefitted me in my current job as a visher and social engineer. I think it also helps me maintain a healthy attitude about being shut down too. My acting mentor used to say, “I will always prefer a glorious failure to a boring success.” That mindset has helped me take risks both on stage and in real life. To me, in vishing, a boring success would be only compromising the easy targets who are affable and happy to talk to me.
A glorious failure, persisting through a call and going for my flags even when the target is not having it, is much more interesting and fun! . Even when the target is clearly on to me and trying to catch me in the act, sometimes these calls can be turned around! While the target is trying to gather information from me, I can sometimes get some from them. And I have the advantage: I know what the flags I need are; they do not!
We Don’t Want Them to be Demoralized
After I had been vishing for a few months, my boss messaged me to see how it was going. This week had been going particularly well for me. “Great,” I replied, “I haven’t been shut down in days.” His response was a little surprising to me at the time. He said, “That’s great, but they have to win sometimes. We don’t want to them to be demoralized.” This really helped me reframe my whole job and think about what the trainable moments for adversarial simulation targets were.
The tricky part of the job is that, as a visher, I want that win; I want the compromise. But as a trainer, the ideal behavior for the target is to shut me down. It is what we are training them to do. For the client, having some wins illustrates the value of the service we are providing. Don’t misunderstand; we never want to just hand them shutdowns or let them win, but we do want them to be successful. When they shut us down and are rewarded for it, they are able to learn from the training and successfully shut down more sophisticated pretexts in the future.
Avoid the Negative
One of the sayings that gets tossed around a lot at SECOM is “think like the bad guys but be the good guys.” I can say with nearly 100% certainty that the bad guys don’t care about getting shut down. They are not looking at their call data to check on how high their compromise ratio is. They are actively pursuing their goals; get a credit card number, access a company’s internal systems, get that HIPAA info, etc. I doubt the bad guys are concerned with having failed on a single call, or on a dozen calls. Framing your Attacker Mindset this way will help you view shutdowns as only minor inconveniences.
There’s something else we adhere to at SECOM; we try to keep our vishing pretexts away from the negative side of things. So, things like threatening and the use of tactics which cause intense fear are out.
Having a healthy attitude about being shutdown can help keep us away from a “win at all costs” headspace which could cause one to venture into the negative. The positive side of a vishing shutdown – or a phishing, or even onsite shutdown – is that the target is displaying the desired behavior. To then slip into using a negative pretext, one that preys on our basest human fears and desires, would most likely be too punitive and perhaps without any kind of teachable moment. We never want to foster resentment towards the training programs, and we always want to leave our targets better for having talked to us.
Conclusion
Keep in mind that even when you are getting shutdown and it feels bad, this is a success for your client. When they get to win a little, they get to learn a lot. Hopefully, later on you will be able to listen to your calls again and some of them will be funny! And even if they aren’t, listening to them should offer you some good insight on how you can refine your attacks for greater effect. Remember, there is always another target, so don’t let being shutdown shut you down.
Written by: Curt Klump
Sources:
https://www.social-engineer.com/about/
https://www.social-engineer.org/framework/attack-vectors/vishing/
https://www.social-engineer.com/social-engineer-team/christopher-hadnagy/
https://www.social-engineer.org/newsletter/acting-skills-helped-me-become-a-vishing-professional/
https://theamsbook.com/
Image:
https://www.theactuary.com/news/2015/03/2015/03/24/if-you-get-cold-called-about-investment-hang-says-fca