Pick Your Vishing Avatar - Security Boulevard

This newsletter is unique because we have two writers this month: Curt and Shelby. Over the past two years of working together, we have analyzed our approaches to vishing and the rapport building techniques that we each naturally lean towards. We have done this so we can better understand our own strengths, as well as learn from one another. You will probably identify more with one of our approaches than the other. We are bringing our observations into one place for you to read and share your thoughts with us. And maybe they even help you pick your vishing avatar…

Shelby: Vishing Prep

As I begin writing, I see Curt’s notes on his vishing setup procedure. The chaos of the notes alone causes my anxiety to rise. However, I remind myself to breathe, the same reminder I give myself each time I begin a new vishing campaign.

I have my handwritten pretext notes set out before me, complete with colorful highlights and doodles. All my client notes are neatly organized across my monitors. I have also thought through most potential conversation stoppers and have an idea of how I will respond to them. I’ve already checked my caller ID settings three times to make sure they are correct and have probably made a test call. I repeat my alias to myself a couple of times and mentally prep by reading the first sentence of my pretext. It doesn’t matter that I have made thousands of vishing calls, I still get nervous. Coffee before a new vishing campaign is now forbidden. It’s decaffeinated tea or nothing as I make my first call.

Curt: Vishing Prep

As I write this, I am watching group chat messages from Shelby as she begins work on a new campaign. The last one read “I’m excited for this to be over.”

I step into my home office and for the 312th day in a row I think “man… I gotta clean my desk.” I smile and make the pinchy-fingers gesture at my geriatric dog; he stares back blankly. Today I’ve woken up early (earlier than 8 minutes before my vishing starts) and am going out to buy coffee and a breakfast sandwich – Yay! That sandwich is 100% getting eaten at 11:03 AM when it is ice cold and I finally remember that I have it.

I am back in my office by 9 AM (I have forgone cleaning my desk) and saying a virtual “good morning” to my coworkers. After this, I go to my weekly task list and start dividing up call amounts. Doing this helps me make an equal number of calls each day – gotta have even data collection!

While I do this I am thinking about our current pretexts. Which do I want to use? Is there one I haven’t used recently? Which one have I used too much? I’m gonna use a multifactor authentication error pretext. I review it quickly and make sure the version I am using is correct for this client. WAIT. I forgot to check my email and IM messages – hold on. OK, communications done, pretext reviewed, I just have to set my spoof numbers into my caller ID and hit save. Aaaaand hit save again. And make pinchy-fingers at the dog again. Time to open my target list and start looking for an area code that catches my eye.

Different Approaches

Clearly, the two of us have extremely different approaches to… well, life. We share one commonality that is key to this newsletter, though; we are both successful vishers. As we dive into the technicalities of our approaches, let’s start by breaking down each of our natural focuses, and look at how this shapes us as vishers.

Curt: People Focused

I am a people focused person. I like interacting with people. Starting and maintaining conversations is easy for me. Most people perceive me as disarming and non-threatening.

I go into vishing calls knowing that I have a pretext I will employ at some point. At first, I tend to chat and joke around with the targets. But mostly I know that all I have to do is have a conversation with a person and be open to (or willing to create) opportunities to nudge the conversation to where I need it to go. I try to make that conversation sound fresh, brand new, and unrehearsed every time. I am confident the call will go where I need it to go, and I don’t stress out about it, I just let them talk. Because of my natural approach, techniques like ego-suspension and non-judgmental validation work well for me.

Shelby: Task Focused

If you are task-focused, like me, you tend to focus more on the goal of your task rather than the people involved. This doesn’t mean that you don’t care about people, or that you disregard them. Rather, it helps define the way you like to communicate. For me, being task-focused while vishing means that I want to start and end the call as quickly as possible while obtaining my objective. This also means that sometimes I assume others see things through the same task-focused lens that I do. I naturally feel like they want all the details of why I am calling and how long it will take. This makes me lean towards techniques such as artificial time constraints, as well as using amygdala hijacking to my advantage.

About half of the time, my assumptions are correct. The other half are people who tend to be “people-focused”, like Curt. As a visher, this means I need to be able to adjust my own approach to match that of my target.

Favorite Vishing Techniques

Being able to adjust your approach or step outside of your comfort zone is extremely important as a professional visher. If you’re not a professional visher, you can still benefit from understanding how to utilize these tactics in your day-to-day conversations. We’re going to do something fun next. We will each give a story about how we apply a technique that we both love; ego suspension. Then, Curt will break down one of Shelby’s favorite techniques. It’s a technique he doesn’t naturally lean towards using. He’ll explain how he stepped outside of his comfort zone to implement it. Then, Shelby will do the same, but with one of Curt’s favorite techniques.

Ego Suspension—Curt: Everybody Likes to Help a Dumb Guy

Playing stupid has gotten me far in a lot of cases. Paired with an assistance theme, pretending that I am just completely incapable of understanding how a system works, or how to fix a problem that I’m having, has frequently allowed me to obtain extremely sensitive information.

Recently, I was able to contact the same tech support person over the course of three different calls. My pretext was that I was away from my computer and forgot to change my password before I went on vacation. In each of the three calls, I pretended to be incapable of understanding how any of the remote password reset options worked and was calling back because I needed additional help. By the third call, I had built enough rapport with this tech support agent that he took mercy on me, generated a temporary password and provided me with it over the phone. Along the way, I also learned how this organization’s password reset options worked, and I could now elicit password reset information from other targets. This was possible because I was willing to play dumb and ask for help.

A warning: when I am leaning hard on this tactic, my calls tend to be very chaotic and messy. Shelby has said to me “I have no idea how you are even able to get the information you get.” This is on purpose. I am using the mess and confusion in the hopes that my target will not only pity me but will also possibly give me additional information that I didn’t even know I needed.

Ego Suspension—Shelby: People Love to Help a Tiny Person

You’ve heard us say it before, you’ll hear us say it again; social engineering is not a politically correct field. We play to the biases that exist around us. I love doing exactly this, which, to be fair, generally requires the use of ego suspension. Biases even extend to vishing work. I am a petite female with the voice to match. Think for a minute what this might mean for the types of pretexts I choose. While authority pretexts can be extremely effective, not everyone’s biases allow them to buy in to the fact that I am the authority.

I remember one vishing call where I decided to use an authority pretext that rooted me in the company’s IT department. The target was an older male who had IT experience. Within the first 30 seconds of the call, I could tell that he was not responding to me as an authority. His responses to me were short, assertive, and his tone seemed very skeptical. As he started questioning me in an attempt to poke holes in my pretext, I realized that stubbornly holding to my “authority” on the subject would only result in a shutdown.

I decided to employ ego suspension and switch my tactics, flipping to an assistance theme. I took a deep breath and sighed, purposefully stumbled over my next words, and told him how confused and overwhelmed I was with this task. I started asking him questions and for his help. He then very kindly helped me troubleshoot my problem, spilling information the entire time.

Curt: Artificial Time Constraints

When I started at SECOM, one of the first pretexts I used was an HR survey and I always ended my intro with “…it’s just two quick questions and should only take a minute of your time.” And it worked! I was lethal with that pretext! I put the artificial time constraint in there because I had read a bunch of vishing theory during my hiring process and this technique stood out as a good idea – and one that I had never considered before.

When the campaign year closed, that pretext was retired and we moved on to new ones. Without the principles of rapport so fresh in my mind, I often forgot to utilize an artificial time constraint. I’m people-focused so the length of a task isn’t usually the first concern that pops into my head when someone needs my help. I wasn’t struggling with the new pretexts, but none were nearly as effective as my old favorite, the HR survey.

When Shelby and I started working on the vishing day of the SERA course for Social Engineer, LLC’s training, she wrote a section on artificial time constraints, and I was reminded how powerful a tool they are. Deciding to implement them again, I then had the following interaction more than once:

“…it’s a pretty easy process and should only take a couple minutes.”
“Uhhhh… I have a meeting in 15 minutes, is it going to take longer than that?”
“Oh man… if it takes even half that time something has gone seriously wrong.”

BOOM! Instant rapport!

Letting them know that not only do I think our conversation won’t take long, but also that I don’t want it to take a long time makes them more comfortable with me, and more willing to tell me that sweet information I need for a compromise.

Shelby: Non-Judgmental Validation

I am also a huge fan of the HR survey-based pretext Curt described above. On one of those calls, I sensed that the person I was speaking to was slightly hesitant, not wanting to say the wrong thing and get in trouble. In this moment I remembered: “Channel your inner Curt.” This is something I’ve started saying to myself when I am stuck in my own vishing rhythm. Sometimes I need a reminder to step outside of my go-to tactics and implement one that will help me out in the specific situation I’m in. In this case, it was non-judgmental validation. By telling the target that I understood their viewpoint and appreciated their feedback, it opened an outpouring of thoughts and information from them. In this, I was able to obtain the information I had been searching for.

Conclusion

If you find yourself getting stuck in a cycle of communication that may not always be effective, take a step back and analyze the conversation on your side. Are there new rapport building techniques that you could implement? Chances are, yes! We all have different approaches to conversation, life, and work. Stepping back and evaluating your tendencies may prove more beneficial than you could have imagined. If you try any new techniques that are outside of your normal comfort zone, reach out to us! We would love to hear your experiences and insights.

Written by: Shelby Dacko and Curt Klump

*** This is a Security Bloggers Network syndicated blog from Security Through Education authored by Social-Engineer. Read the original post at: https://www.social-engineer.org/newsletter/pick-your-vishing-avatar/