Social-Engineer, LLC (SECOM) actively works with financial institutions to test and give guidance on their employees’ resilience against phone phishing, or vishing, attacks. These are extremely successful engagements in every way. We will discuss two main institutions. One has opted to use SECOM’s levelized vishing program. The structure of this program tests employees against various levels of sophistication based on their performance. When a person defends against a test in one level, we promote them to the next, more difficult, level in the coming weeks. The other institution requested that the calls go into a call center and that the SECOM analysts use their skills to convince the employee that the call was legitimate.
Pretexts and Flags
When SECOM works with a client, we learn what the client’s biggest threats are and discuss how we can responsibly replicate those. We also want to learn what sensitive data our clients are looking to protect. Sometimes this data comes in individual, seemingly harmless pieces, but when put together they reveal far more than any single piece does. Other times, the data might be a big and direct ask, such as a password. We refer to the data as flags.
We use the described threats to construct a story, also known as a pretext, that we will use when calling the employees. SECOM ensures that these pretexts will work seamlessly with the sensitive data, so the requests won’t appear to be out of place.
The two institutions have similar goals, including better educating employees against these types of malicious actors and keeping their sensitive data safe. The methods by which we get there are also similar. The institutions give us a list of names and phone numbers or, in the case of the call center, just one phone number.
Calling Institution 1
The first institution gave SECOM names, phone numbers and job titles. It is also the one that uses levelized vishing. All employees start out at Level 1, the simplest level. SECOM uses a number of agreed-upon pretexts, and the analysts work to ensure we use them equally. The client chooses the pretexts and data to show them their vulnerabilities and risk. During the campaign, SECOM calls thousands of employees, ensuring a proper data set.
Flags We Try to Obtain
Some of the flags that SECOM tries to obtain may include a username and password. While most people understand the risk of telling a caller these flags, SECOM is still successful at eliciting this highly sensitive data from employees. This is where the pretext and the skill of the analyst come into play. One example might be that the analyst will call as an internal IT employee, looking to perform some simple checks before an upcoming workstation upgrade. The analyst may ask to confirm the username and then ask the employee to “confirm” two security questions. The analyst does not have access to the questions, so confidence and positive affirmation skills will come into play to elicit this information. Lastly, the analyst may offer to complete the upgrade for the employee outside of work hours to not cause interruptions.
At this point in the conversation, the SECOM analyst has built rapport and trust with the employee. As a result, the employee is not skeptical of the request. The employee genuinely believes they are speaking with one of their own company’s IT staff and surely wants the upgrade to go smoothly and not have any impact on their workday. Once the password is provided, the SECOM analyst will give additional positive reinforcement, thank the employee for being helpful and graciously end the call.
Calling Institution 2
This institution gave SECOM a single phone number into a call center. The number is similar to what a bank or credit card customer may see on the back of their card. Each time, the employee wanted to validate the SECOM analyst as a customer of the institution, and it was up to the skill of the analyst to move to the pretext. The pretext would again refer to an upcoming IT upgrade and the need to do some validation checks of equipment including the workstation and phone system. This institution allowed SECOM to arm itself with an additional weapon, a branded web site with a familiar-looking login screen. The advantage to using a web site is that while the financial institution may not own the URL, the employee will often feel more comfortable entering information into the site than speaking it over the phone.
Switching Directions and Offering Reassurance
The guidance that is given always includes “Never give your password to anyone over the phone,” which at times makes the pretext of asking for a password more difficult. When faced with this objection from an employee, the SECOM analyst may switch directions and reassure the employee that this is a safe request from a trusted ally, and that an alternative is to go to a familiar-looking web site. SECOM will tell the employee that after they log in, the web site can do all the necessary checks with no information being shared over the phone.
Some employees will see this as a safe alternative as they are still following the guidance of never giving sensitive information over the phone. However, as the web site is owned and controlled by SECOM, all data could also be captured by SECOM. Whether data is captured or not is always included in the scope of work between the institution and SECOM.
Defending Against SECOM
The best way to defend against the attacks described here is through verification. Both institutions have their own internal verification methods, and they offer frequent training and updates for all employees to remind them of these methods. One of the institutions has a PIN system that all employees have access to. One employee generates a PIN, and the other can verify it. If two attempts at this verification fail, the employees are instructed to politely end the call.
The second institution relies on verification of the caller’s name and internal identification number, which all employees have access to. If the caller’s identification number cannot be verified, employees are instructed to end the call. But what if the malicious actor were to obtain a valid employee name and identification number? That is a risk this client has chosen to accept as part of the engagement’s scope.
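As an added example, not SECOM’s code or either institution’s actual system, here is a minimal internal PIN service of the kind the first institution describes: the caller obtains a PIN bound to their employee ID, the callee verifies it, and after two failed attempts the callee is told to end the call. The six-digit length, the five-minute lifetime, single use, and the PinService name are assumptions.

```python
"""Added example: caller-verification PIN service (assumptions: 6-digit random PIN,
5-minute lifetime, single use, at most two verification attempts per PIN)."""
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed lifetime of an issued PIN
MAX_ATTEMPTS = 2        # the article: two failed attempts -> politely end the call


class PinService:
    """Shared internal service that both parties on a call can reach."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pins = {}  # employee_id -> (pin, expires_at, attempts_left)

    def issue(self, employee_id):
        """Caller asks the service for a fresh PIN to read to the callee."""
        pin = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, uniform over 6 digits
        self._pins[employee_id] = (pin, self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS)
        return pin

    def verify(self, employee_id, claimed_pin):
        """Callee checks the PIN the caller read out.

        Returns 'ok', 'retry' (wrong, one more attempt allowed) or
        'end_call' (unknown caller, expired PIN, or attempts exhausted)."""
        record = self._pins.get(employee_id)
        if record is None:
            return "end_call"
        pin, expires_at, attempts_left = record
        if self._clock() > expires_at:
            del self._pins[employee_id]
            return "end_call"
        if hmac.compare_digest(pin.encode(), claimed_pin.encode()):  # constant time
            del self._pins[employee_id]  # single use: a replayed PIN no longer verifies
            return "ok"
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pins[employee_id]
            return "end_call"
        self._pins[employee_id] = (pin, expires_at, attempts_left)
        return "retry"
```

The callee never learns the PIN from the caller alone; the service is the source of truth, so a caller who merely knows a name and ID still cannot pass this check.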
Working with You
This article has described the similarities and differences between two of SECOM’s financial institution clients. SECOM can do similar things to improve your defense against these types of social engineering attacks and will customize the pretexts, the flags, and the scope to meet your needs.
At Social-Engineer LLC, our purpose is to bring education and awareness to all users of technology. For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit: