Sherlocked Security – Vishing / Phone-Based Phishing
Simulating Social Engineering Attacks via Telephony to Test User Response and Security Awareness
1. Statement of Work (SOW)
Service Name: Vishing / Phone-Based Phishing
Client Type: Organizations with Customer Support Teams, Remote Workforce, Organizations Using Phone-Based Authentication
Service Model: Social Engineering Simulation + Phone-based Attack Simulation + Risk Assessment
Compliance Coverage: GDPR, SOC 2, PCI-DSS, ISO 27001, NIST 800-53
Testing Areas:
- Phone Phishing Attack Simulation
- Social Engineering via Phone
- Elicitation of Sensitive Information (Passwords, PII)
- Phishing Attack on IVR Systems
- User and Call Center Agent Security Awareness
2. Our Approach
[Reconnaissance] → [Target Identification] → [Phone-Based Phishing Attack Simulation] → [Social Engineering via Phone] → [IVR & Call Center Security Testing] → [Report Generation & Recommendations]
3. Methodology
[Target Profiling] → [Phone Phishing Campaign Setup] → [Phone Attack Execution] → [Voice Phishing & Impersonation] → [Security Awareness Testing] → [Findings Report]
4. Deliverables to the Client
- Vishing Attack Simulation Results
- Security Awareness Score for Employees
- Phone Phishing Elicitation Report (Sensitive Information Gained)
- IVR System Vulnerability Report
- Call Center Agent Security Testing Results
- Recommendations for Improved Social Engineering Defenses
- Remediation Plan for User Education & Awareness
5. What We Need from You (Client Requirements)
- List of target phone numbers (employees or customer service agents) for simulated attacks
- Access to IVR systems, if applicable
- Information on any authentication processes involving phone calls (e.g., PIN codes, security questions)
- Call center scripts or security protocols for testing
- NDA and scope confirmation
6. Tools & Technology Stack
- Vishing Campaign Tools: SpoonFed, PhishLine, PhoneSweep
- VoIP Systems for Phishing: Asterisk, Twilio
- Social Engineering Tools: Social-Engineer Toolkit (SET)
- IVR Testing Tools: IVR Script Testing Tools, Asterisk Dialplan Simulator
- Phishing Email Follow-Up: Mailgun, Gophish
7. Engagement Lifecycle
1. Pre-Engagement & Target Profiling → 2. Phone Phishing Simulation Setup → 3. Attack Execution → 4. Elicitation & Data Gathering → 5. Awareness Assessment → 6. Reporting & Recommendations → 7. Post-Engagement User Education
8. Why Sherlocked Security?
| Feature | Sherlocked Advantage |
|---|---|
| Realistic Social Engineering Attacks | Execute phone-based phishing (vishing) campaigns that mimic real-world scenarios, leveraging voice impersonation and psychological manipulation techniques. |
| IVR System Testing | Test the security of IVR systems to ensure that automated voice response systems do not leak sensitive information through poor security design. |
| Employee Security Awareness | Assess how employees or call center agents handle social engineering via phone, including their ability to recognize phishing attempts. |
| Detailed Reporting & Recommendations | Provide actionable findings to improve employee awareness, IVR security, and overall defense against vishing and related social engineering attacks. |
9. Real-World Case Studies
Bank Call Center Vishing Attack
Issue: Attackers impersonated bank representatives over the phone, asking customers to verify their account information due to a “security breach.”
Impact: Several customers provided sensitive account information, leading to fraudulent transactions.
Fix: Call center agents were retrained on security protocols, and the bank implemented an automated phone number verification process to reduce the risk of vishing.
Phishing via IVR System in Telecom
Issue: Attackers leveraged a weak IVR system to simulate legitimate telecommunication customer service, tricking customers into providing PIN codes and personal information.
Impact: Customer accounts were compromised, and fraudulent services were added.
Fix: The IVR system was redesigned to include better authentication mechanisms, and regular security testing was introduced to ensure robust defenses.
10. SOP – Standard Operating Procedure
- Target Identification & Profiling
  - Identify employees or customers who will be targeted based on the scope (e.g., call center agents, customer support).
  - Analyze the public-facing information available to attackers (e.g., employee names, phone numbers, job roles).
- Phone Phishing Attack Setup
  - Use VoIP systems (e.g., Asterisk, Twilio) to create realistic phone call simulations.
  - Craft convincing social engineering scripts to impersonate trusted entities (e.g., banks, IT departments, government officials).
  - Set up spoofed caller ID to match the organization’s phone numbers or trusted third-party services.
- Phone-Based Attack Execution
  - Initiate phone calls to targets using automated systems or human callers posing as trusted organizations or representatives.
  - Elicit sensitive information from employees or customers, such as passwords, account numbers, or security question answers.
  - Test employees’ ability to identify and report phishing attempts during the call.
- IVR Security Testing
  - Test IVR (Interactive Voice Response) systems for weaknesses, such as improperly secured verification steps or low-effort security questions.
  - Simulate scenarios where customers are asked to input personal information into an IVR system (e.g., PINs, account numbers).
- Security Awareness Assessment
  - Measure employee or customer awareness of phone-based phishing techniques.
  - Evaluate the response of individuals to impersonation attempts, such as asking for personal information or credentials.
  - Test escalation protocols for reporting suspicious calls.
- Reporting & Recommendations
  - Generate a detailed report outlining the results of the attack simulation, including information elicited during the phone calls.
  - Provide actionable recommendations for improving defenses, including employee training, better security protocols for phone authentication, and IVR system upgrades.
  - Suggest implementing more secure customer verification practices (e.g., call-back verification, PIN, or out-of-band verification).
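The recommendations above (attempt limiting on IVR verification, no information leakage to unverified callers, and call-back to a number on file rather than to the caller) are easier to act on when written down as logic. The following is an added illustration, not Sherlocked Security's code or any client's IVR platform: it models an IVR verification handler as plain Python functions so the controls can be unit-tested without a telephony stack. Account identifiers, PINs, phone numbers and the `MAX_ATTEMPTS` value are constructed assumptions.

```python
"""Added example: IVR caller-verification logic with the defensive controls
recommended in the SOP. Not production code; all names and values are constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # assumption: lock the phone channel after this many wrong PINs
# One generic message for "unknown account", "wrong PIN" and "locked": an unverified
# caller learns nothing about whether the account exists or how close the guess was.
GENERIC_FAILURE = "We could not verify your identity. Please hold for an agent."


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store PINs as salted PBKDF2 hashes, never as digits in the IVR database."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    number_on_file: str  # callback number; never read back to the caller
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False


def new_account(number_on_file: str, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(number_on_file, salt, hash_pin(pin, salt))


@dataclass
class IVRVerifier:
    accounts: dict[str, Account]
    callbacks: list[tuple[str, str]] = field(default_factory=list)  # queued out-of-band calls
    audit: list[str] = field(default_factory=list)                  # events for the SOC

    def verify_pin(self, account_id: str, pin: str) -> tuple[bool, str]:
        acct = self.accounts.get(account_id)
        if acct is None or acct.locked:
            self.audit.append(f"verify_denied account={account_id}")
            return False, GENERIC_FAILURE
        # Constant-time compare so response timing does not leak partial matches.
        if not hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures += 1
            if acct.failures >= MAX_ATTEMPTS:
                acct.locked = True  # lockout: repeated wrong PINs are an attack signal
                self.audit.append(f"lockout account={account_id}")
            return False, GENERIC_FAILURE
        acct.failures = 0
        return True, "Verified."

    def request_callback(self, account_id: str, presented_caller_id: str) -> str:
        """Out-of-band step. The caller ID the call arrived with is only logged;
        the callback always goes to the number on file, because caller ID can be spoofed."""
        acct = self.accounts.get(account_id)
        if acct is None or acct.locked:
            return GENERIC_FAILURE
        self.audit.append(f"callback account={account_id} presented={presented_caller_id}")
        self.callbacks.append((account_id, acct.number_on_file))
        return "We will call the number we have on file to complete verification."


if __name__ == "__main__":
    ivr = IVRVerifier({"ACCT-1": new_account("+15550100", "4321")})  # constructed
    print(ivr.verify_pin("ACCT-1", "0000"))
    print(ivr.request_callback("ACCT-1", "+15559999"))
    print(ivr.callbacks)
```

The design choice worth noting is that every failure path returns the same `GENERIC_FAILURE` string: an IVR that says "account not found" or "incorrect PIN, two attempts remaining" hands an attacker enumeration and progress feedback, which is exactly the "too much information without proper validation" weakness the checklist tests for.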
11. Vishing / Phone-Based Phishing Checklist
1. Social Engineering & Script Design
- Design realistic vishing scripts that closely mimic actual scenarios (e.g., IT helpdesk, customer service, bank calls).
- Use psychological manipulation techniques, such as urgency or fear, to trick targets into revealing sensitive information.
- Implement caller ID spoofing to make the call appear legitimate.
2. Phishing Call Execution
- Use VoIP systems (e.g., Twilio, Asterisk) to initiate automated phone calls or manually conducted attacks.
- Attempt to extract sensitive data from the target, including usernames, passwords, PII, or financial information.
- Ensure calls are sufficiently convincing to avoid immediate suspicion (e.g., use proper voice impersonation).
3. IVR System Security Testing
- Test for common weaknesses in IVR systems that could allow attackers to bypass authentication.
- Ensure the system does not provide too much information to callers without proper validation.
- Test the response to invalid input and ensure security questions or verification processes are not easily guessable.
4. Security Awareness & Response Testing
- Assess the security awareness of employees or customers by analyzing how they respond to social engineering phone attempts.
- Evaluate whether employees follow correct escalation protocols when suspicious calls occur.
- Test whether employees verify phone calls via out-of-band communication or follow proper authentication procedures.
5. Reporting & Remediation
- Document the results of the vishing attack, detailing any sensitive information extracted.
- Provide remediation recommendations, including strengthening phone authentication procedures, training employees on social engineering tactics, and improving call center security protocols.
- Suggest implementing technology such as caller ID verification or multi-factor authentication via phone for higher-risk systems.
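Two of the checklist items, caller ID verification and the IVR's response to invalid input, also produce telemetry a SOC can alert on. The following is an added example, not code from Sherlocked Security or from any telephony vendor: it runs two detection rules over a constructed call detail record (CDR) export. The CSV column names, the organization's DID list, the phone numbers and the `FAIL_THRESHOLD` value are all assumptions.

```python
"""Added example: detection logic for two vishing indicators in a CDR export.
Column layout, numbers and thresholds are constructed, not taken from any real PBX."""
import csv
import io
from collections import Counter

# Constructed sample export: one inbound call per line.
SAMPLE_CDR = """\
ts,trunk,caller_id,called,ivr_auth
2024-01-01T09:00:01,external,+15550100200,+15550100001,pass
2024-01-01T09:00:05,external,+15550100001,+15550100002,n/a
2024-01-01T09:01:10,external,+15557654321,+15550100001,fail
2024-01-01T09:01:40,external,+15557654321,+15550100001,fail
2024-01-01T09:02:15,external,+15557654321,+15550100001,fail
2024-01-01T09:03:00,internal,+15550100003,+15550100002,n/a
"""

# Assumption: the organization's own published numbers (DIDs).
ORG_DIDS = {"+15550100001", "+15550100002", "+15550100003"}
FAIL_THRESHOLD = 3  # assumption: IVR PIN failures per caller ID before alerting


def parse_cdr(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def spoofed_internal_callerid(records: list[dict], org_dids=ORG_DIDS) -> list[dict]:
    """Rule 1: a call arriving on an external carrier trunk that presents one of
    our own numbers as caller ID. Our numbers originate on internal trunks, so this
    is the signature of the "spoof the organization's own number" pretext."""
    return [r for r in records if r["trunk"] == "external" and r["caller_id"] in org_dids]


def repeated_ivr_failures(records: list[dict], threshold: int = FAIL_THRESHOLD) -> dict:
    """Rule 2: one caller ID accumulating IVR authentication failures, i.e. someone
    probing the verification step rather than a customer mistyping once."""
    fails = Counter(r["caller_id"] for r in records if r["ivr_auth"] == "fail")
    return {cid: n for cid, n in fails.items() if n >= threshold}


def triage(text: str) -> dict:
    """Run both rules and return alert-ready findings keyed by rule name."""
    recs = parse_cdr(text)
    return {
        "spoof_indicators": [r["ts"] for r in spoofed_internal_callerid(recs)],
        "ivr_bruteforce": repeated_ivr_failures(recs),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_CDR).items():
        print(rule, hits)
```

Rule 1 needs tuning before it goes into production: an employee whose desk phone forwards to a mobile via the carrier can legitimately appear on an external trunk with an internal DID, so an allow-list of known forwarding numbers keeps the rule from paging on every remote worker. Rule 2 pairs naturally with the IVR lockout control, since a lockout event and a cluster of failures from the same caller ID are the same incident seen from two logs.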