How to Design and Execute Effective Social Engineering Attacks by Phone
John Malone is a penetration tester for Black Hills Information Security. He regularly performs external, internal, and social engineering-based assessments. His favorite tools are confidence and charisma.

When most people think of a hacker, they probably imagine someone in a hoodie at a computer, basking in the light of a green-on-black terminal. While that is (somewhat) true, many people don't associate phone-based attacks with something hackers typically do. But say a hacker picks up the phone, calls a victim, and convinces them to run a malicious binary or click a link. What is this called? I'll tell you. It's known as social engineering, and in the hands of a competent attacker it is a very reliable way of compromising systems.
Social engineering is the manipulation of individuals into divulging confidential information, granting unauthorized access, or performing actions that benefit the attacker, all without the victim realizing they are being tricked. Unlike traditional hacking, which focuses on exploiting technical vulnerabilities, social engineering targets the human element. And believe me: there is no blanket patch for the human populace.
In this blog, we’ll explore the different phases of a social engineering penetration test. We will examine how to craft and deliver a successful social engineering attack. Involved in this effort will be a focus on how to perform reconnaissance, design an effective ruse, and then deliver it to your target. Whether you’re a penetration tester or someone seeking to understand how attackers think, mastering social engineering can provide you with a valuable means of attack and defense.
One other bit here that I’d like to share… I am not joking when I say CONFIDENCE IS KING. With a strong enough delivery, appeal to certain emotions, and solid foundational knowledge about your target, you will be able to convince people of just about anything. Having confidence during the entirety of the social engineering process is what will help channel a great test.
Without further ado, let’s dive into my personal social engineering playbook.
Pre-Engagement: Laying the Foundation
Before you even think about picking up the phone to call targets, you’ll hold a Rules of Engagement call with your client to make sure that you’re covered and given adequate permission. A successful social engineering campaign starts with clear boundaries and solid intel. As an ethical hacker, you will need to thoroughly understand and respect those boundaries while performing your assessment. However, I also believe that it is worth challenging your clients when they present a scope that is overly restrictive.
For example, if I am ever told to only call the help desk, I will generally pivot into a discussion about the other employees and how calling them should be considered to make the test as real as possible.
With that said, I’ve included a brief description of how this part of the engagement tends to unfold below.
Business Capture
You’ve captured a new client, perhaps through networking, a cold call, or even a warm lead that arrived in your inbox. Congrats. This is a good time to discuss pricing and arrange to have relevant engagement paperwork signed. Now that you’ve got someone interested in your services, you need to set up some time for the ROE call.
Rules of Engagement (ROE) Call
Kick things off with a call to your client. Define the scope, targets, and what’s off-limits. This isn’t just a formality—it’s your legal and ethical guardrail.
Pro tip: Consider taking notes during this call and passing them out after the call to avoid any “he said, she said” later.
Here is a simple outline for how a call can potentially go:
- Exchange Information
  - Contact information
  - Emails
  - Project timelines
- Begin asking questions. Some examples are included below:
  - Can you please describe the work environment I’ll be calling into?
  - Are there any blackout times for testing?
  - Who is in scope for our calls? Why?
  - Is anyone explicitly out of scope? Why?
  - Do our call targets use caller ID?
  - Have your employees received social engineering training before?
  - Any particular ruses you want me to try using?
  - Will I be provided with a directory of staff members?
- End the call and send out minutes to all attendees.
By following these steps, you can help ensure your client receives a fantastic experience.
ROE Follow-Up Email
Summarize the call in writing and get sign-off. Clarity here prevents headaches down the line when someone inevitably asks, “Wait, were you allowed to do that?”
Scope Reminder (If Necessary)
Everybody’s busy. Some more so than others. With that said, your client may need a gentle nudge if any details are still foggy. Provide great service and give them a reminder about anything you might need, such as an employee directory. The more you know about your targets (names, titles, numbers), the more convincing your ruses will be. No directory? No problem. We’ll get creative as we do some recon.
Tooling Up: Call Spoofing Essentials
Spoofing your caller ID is usually non-negotiable. Below I’ve included some apps that I tend to use on engagements that make this process easy:
Spoof Card: Simple, effective, and lets you mask your number to one of your choosing if you have an older account. Newer accounts are now required to pick from a pool of “allowed” numbers.
Other Spoofing Tools (Trace Bust/BluffMyCall/etc): Other phone spoofing solutions exist on the internet and can be used to select numbers that Spoof Card can’t or to dial numbers that Spoof Card refuses to call. Sometimes you’ll need to switch services mid-engagement if one service encounters issues.
Burner App: Available for iOS and Android, this app allows you to register one or more phone numbers and use them as burners, or temporary phone numbers that can be canceled at a later time and are not associated with your regular phone line. This is great for attacks that may require someone to call you back. You can also utilize this if you are using one of the other above spoofing services and want your target to call you back. You can do this by simply telling them that you’ll be out of office and that they can call you back on your cell phone—just make sure you give them the burner number and not your real one 😊.
I highly recommend calling yourself with whatever service you decide to use first. That way you can get accustomed to the tools and operate smoothly during your test.
Reconnaissance: The Art of Knowing Your Prey
As with any test involving recon efforts, you’re going to see me refer to two types of reconnaissance from here on out—those being passive and active reconnaissance.
Passive reconnaissance refers to gathering information about a target without directly interacting with it. You are eventually going to call employees, but during this phase our phone doesn’t reach out to anyone just yet.
Active reconnaissance refers to sourcing information in a way that involves interacting with our target. In the case of a social engineering engagement, this often takes the form of making calls into the organization, usually through a number posted on the internet.
The information you gather during both types of reconnaissance is what lets you build believable ruses.
Let’s first dig in with passive recon.
Passive Recon: Digging Without Being Seen
The first measure I’ll invoke during a test is almost always Google Dorking. For those who may be unaware, Google Dorking refers to a technique that involves entering unique search parameters into Google in order to provide highly fine-tuned results. These results may be employee usernames and email addresses or sensitive documents. It all depends on the type of search used. Below, I’ve listed some sample Google Dorks that you can use that tend to turn up some pretty interesting results.
intext:"@example.com" email (leaked employee emails)
This Dork will regularly pull email addresses of all kinds, from generic mailboxes to individual employees. Pay attention to how the discovered addresses are structured: if the individual ones follow one pattern, you can reasonably assume that the rest of the organization’s usernames follow the same naming convention.
With this observation in mind, you can use other tools such as GatherContacts (https://github.com/clr2of8/GatherContacts) to rapidly gather names of employees that belong to the organization. These names can then be transformed into the observed username format and later tested against services like Microsoft 365 or other systems to see if they are valid.
Trust me, you’re going to want usernames if you plan on going after external assets, VPNs, or cloud environments like Microsoft 365. Make sure to do your due diligence during testing and thoroughly explore this step.
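The convention-spotting step above is easy to automate once you have a handful of discovered addresses and a list of names. The following is an added example written for this post, not a BHIS tool or part of GatherContacts: it counts which username format the addresses at the target domain follow, then expands (first, last) name pairs into candidate addresses under that convention. The addresses and names are constructed sample data, and the format labels ("first.last", "ambiguous", and so on) are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample addresses, of the kind an intext:"@example.com" search
# might surface. Not real data.
DISCOVERED_EMAILS = [
    "Jane.Doe@example.com",
    "john.smith@example.com",
    "alice.jones@example.com",
    "info@example.com",              # role mailbox, says nothing about the convention
    "jsmith@example.com",            # could be flast, or a nickname
    "bob.lee@partner-example.org",   # wrong domain, ignored
]

# Constructed (first, last) pairs, as a GatherContacts export might list them.
EMPLOYEE_NAMES = [("Robert", "Brown"), ("Maria", "Garcia"), ("Sean", "O'Brien")]


def classify_local_part(local):
    """Map an email local part to a username format label, or None if it fits nothing."""
    if re.fullmatch(r"[a-z]+\.[a-z]+", local):
        return "first.last"
    if re.fullmatch(r"[a-z]+_[a-z]+", local):
        return "first_last"
    if re.fullmatch(r"[a-z]+-[a-z]+", local):
        return "first-last"
    if re.fullmatch(r"[a-z]{2,}", local):
        # No separator: could be flast, firstlast, or a role mailbox such as info@.
        return "ambiguous"
    return None


def format_counts(emails, domain):
    """Count how often each format appears among addresses at the target domain only."""
    counts = Counter()
    for address in emails:
        local, _, addr_domain = address.lower().partition("@")
        if addr_domain != domain.lower():
            continue
        label = classify_local_part(local)
        if label:
            counts[label] += 1
    return counts


def infer_convention(emails, domain):
    """Return the most common format label, or None if nothing at the domain matched."""
    counts = format_counts(emails, domain)
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def _clean(name):
    """Lowercase and strip anything that is not a letter (O'Brien -> obrien)."""
    return re.sub(r"[^a-z]", "", name.lower())


def candidate_usernames(names, convention, domain):
    """Expand (first, last) pairs into candidate addresses under the given convention."""
    builders = {
        "first.last": [lambda f, l: f"{f}.{l}"],
        "first_last": [lambda f, l: f"{f}_{l}"],
        "first-last": [lambda f, l: f"{f}-{l}"],
        # Only separator-less addresses were seen: try both common forms.
        "ambiguous": [lambda f, l: f"{f[0]}{l}", lambda f, l: f"{f}{l}"],
    }
    out = []
    for first, last in names:
        f, l = _clean(first), _clean(last)
        if not f or not l:
            continue
        for build in builders[convention]:
            out.append(f"{build(f, l)}@{domain}")
    return out


if __name__ == "__main__":
    convention = infer_convention(DISCOVERED_EMAILS, "example.com")
    print("Inferred convention:", convention, dict(format_counts(DISCOVERED_EMAILS, "example.com")))
    for candidate in candidate_usernames(EMPLOYEE_NAMES, convention, "example.com"):
        print(candidate)
```

Addresses at other domains are deliberately ignored so a partner’s or vendor’s convention doesn’t skew the count, and separator-less addresses are tracked as "ambiguous" rather than guessed at; when that label wins, both flast and firstlast candidates are generated and the validity check against Microsoft 365 or the VPN portal sorts out which one is real.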
intext:"@example.com" password (careless leaks)
This Dork might bag you a few interesting things. It could retrieve files where the word “password” is used. This can pull employee handbooks from HR, which tend to be a treasure trove of information and can be used as ruses on their own. The Dork can also pull login portals that use the word “password”. This can help you rapidly discover external assets that you may be able to access after compromising a user.
intext:"@example.com" "employee handbook"
This targets the handbooks mentioned above, but the search is narrower. You can also just try "handbook".
intext:"@example.com" IT
Sometimes people are happy to post information about their help desk on the public-facing internet. Queries like “IT,” “service desk,” “helpdesk,” or “help desk” can quickly pull out valuable data.
Google Image/Maps Search
Search for the company’s building or employee badges on both Image and Maps. Sometimes you’ll find pictures that contain valuable information such as how the office space is laid out, which can influence how quickly word spreads once a social engineering attempt is detected.
You may also observe employee badges and other valuable information that can be used to add authenticity to your story (Example: You call and, as part of a ruse, say something like, “Sorry I’m calling mid-day. Wanted to do it earlier but the parking garage was full.” This creates the image of a caller who is located in the same building as the recipient and may help elicit further trust.)
Contact Information Websites (ZoomInfo and hunter.io)
A vast number of data broker websites exist that can offer up contact information for employees. When conducting a blind social engineering test, the client may not give you phone numbers or a directory, so these sites can fill the gap.
Social Media Sweep
Social media is great, and sometimes people just love to overshare. I’ve included some notes about trends I’ve spotted out in the wild that tend to enhance ruses.
LinkedIn: Useful for finding employees. Even more useful is finding employees who are new. People who are new can be called and reasonably fed a ruse that something was missed during their onboarding process. This may help the new employee trust you during your ruse delivery.
X (previously known as Twitter): Check the company’s account, followers, and posts. Upcoming events (e.g., a charity run) can inspire timely ruses involving community events. Also, if you’re able to establish proof that a follower may also be a customer, you may be able to safely impersonate a known third party. A word of advice though, I generally won’t go down a rabbit hole like this as the time is usually not worth the payoff unless you are truly out of options.
Microsoft Self-Service Password Reset (SSPR)
Visit https://aka.ms/sspr and plug in a target’s username. If the organization allows for users to reset their own password, you’ll get the option to reset credentials yourself. These options can usually leak really interesting information that only an insider or trusted party would have access to. Some examples are shown below along with ruses that tend to work well to gain trust:
- The last two digits of mobile numbers, usually shared in the format of (**##) or (********##). You can incorporate this information into a ruse as follows (for the example below, we are calling someone on their office number who had 25 listed as the last two digits in Microsoft’s SSPR):
  - “Hi, this is Don from the IT Security Team. Calling to discuss an important matter as it looks like your account may be compromised by an outside party. I’m going to read you three sets of numbers to confirm your identity, where the correct number reflects the last two digits of your cell phone. Please tell me which of the following numbers is correct to complete the security check. Those numbers are 15, 25, 87.”
  - *Target confirms 25*
  - “Great, now read me the entire number so I can ensure we have a proper match.”
  - *Target reads the tester their full phone number, which is entered into SSPR*
  - *Tester resets password*
- A number-matching prompt: SSPR displays a number that the user must enter into their authenticator app to approve the reset. Once they enter it, you will be able to reset their password. For this example, we will assume SSPR is showing us the number 56 while we are on a call.
  - “Hi, this is Don from the IT Security Team. Calling to discuss an important matter as it looks like your account may be compromised by an outside party. As such, I’m going to guide you through a quick password and authenticator reset so we can ensure you are properly locked down. First, I’m going to give you a security number that our security team has assigned to you for the reset to take place. Please open up your authenticator app and enter 56.”
  - *Employee enters 56*
  - *Tester resets password*
- Microsoft SSPR can also display security questions belonging to the target user. During a social engineering call, this can be leveraged in the following way:
  - “Hi, this is Don from the IT Security Team. Calling to discuss an important matter as it looks like your account may be compromised by an outside party. Due to the sensitive nature of this call and what we will be discussing, I will be reading you some security questions that you set up when you were first hired at our firm. Your first question is, ‘What was your mother’s maiden name?’”
  - *Employee answers and tester continues reading security questions*
  - *Tester resets password*
It is important to note that the above ruses are exceptionally powerful when posing as a member of management or as an IT Help Desk employee. When combined with call spoofing, it is easy to see how information obtained passively can further empower social engineering efforts.
Active Recon: Warming Up the Lines
Now it’s time to make some calls. These calls are designed to elicit additional information and can also serve as a nice “warm-up” for the calls made with the intent to compromise someone.
Generally when I start these, I’ll begin by calling into a phone number found through passive recon. I’ll then try to find phone numbers for the following departments:
- Human Resources: Social engineering these employees can give you delicious secrets and direct employee phone numbers—you can even try compromising their contact information to see if it gives you anything (more on this later).
- IT Help Desk: Depending on the environment of the organization you are attacking, you might need to social engineer these fine folks to get into an account. Good to note where they are. Additionally, getting their phone number makes it easier to spoof their direct line.
Below are some examples of active recon ruses that can be used to try and source this information.
- HR Number: “Hi, I’m an employee who forgot my ID number. Is this HR?”
- Help Desk Number: “I forgot my password; is this the right place to call for help with my computer?”
- Random Numbers: Dial extensions and play confused: “I need help with my password/changing my contact information in my employee file.”
The employees will likely try to help you and direct you to the right place. Always ask for the direct number if they transfer you.
This step can help you build your own list of numbers as well as find some that may not be public knowledge.
Ruse Design: The Heart of the Hustle
After gathering information, you’ll need to put it together to develop a ruse that meets the following criteria (in my humble opinion):
- Makes Sense for the Environment. Don’t build a ruse around impersonating an Assistant Director of Finance if nobody in the organization holds that title.
- Embraces the Mundane. People tend not to question things that are everyday occurrences. Everybody forgets a password. Everybody gets a new phone. Everybody needs help with something. Everybody has a busy task that needs to be completed quickly.
- Conveys the following emotions or feelings:
  - Authority: Pose as someone with clout (IT, HR) or urgency (a VIP customer). People hesitate to challenge power.
  - Immediacy: Make it quick (“This’ll take two minutes”) or critical (“Your account’s compromised!”).
  - Sympathy: Tug heartstrings—play a crying baby sound from YouTube and sigh, “I’m swamped at home, please help.”
  - Best Interest: Frame it as a win for them. Example: “We need to update your payroll info so you get paid on time. So, let’s start off with confirming your employee ID number.”
After you’ve gathered some ruses for yourself, run them past your point of contact for your engagement so that you can get permission to use them. An engagement where everyone is on the same page is always better than dealing with chaos later.
Example Ruses
As part of this section, I’ve detailed some ruses that I find to be particularly effective within corporate environments. Unlike the ruses briefly shown in the Active Recon section above, these are designed to attack and compromise users.
- Compromise: Manager Contact Hijack
  - Target: HR
  - Sample Script:
    - “Hi, this is [Manager Name] from [Department]. I got a new number—can you update my contact info?”
    - *HR rep confirms*
    - *Tester provides burner phone number and ends call*
  - Goal: Redirect received cell phone calls to your burner phone. This can allow the tester to receive calls meant for this party during the penetration test. Calling those people back may allow further social engineering attacks to be made against staff.
- Compromise: Employee Check-In
  - Target: Employees
  - Sample Script:
    - “Hello (Employee Name), Blake from the IT Security Team. We found your password on the dark web. We need about five minutes of your time to address this as the password appears tied to company assets. Let’s verify your security questions—takes two minutes.”
    - *Employee confirms*
    - *Tester retrieves security questions from Microsoft 365 and reads them to the target*
    - *Password reset*
    - *Additional coaching provided to bypass MFA*
  - Goal: Harvest reset answers, then log in or reset MFA.
A well-constructed ruse can help you gather what you need quickly, but how do you stay off the radar?
Staying Stealthy: Dodging Suspicion
If you’re not careful, you can potentially raise suspicion during your calls. If this happens, you increase the likelihood of employees talking amongst themselves or trying to call the IT Help Desk to report the calls.
I’ve included some tips below that I use during my tests to help keep suspicion to a minimum.
- If you are looking to gather information but things aren’t going so well, offer to call the target back at a later time while remaining confident in your delivery. You want your target to see you as in charge of the interaction. If they do, they will likely wait for you to call them back or await an email. You can also reduce the likelihood of being called back by spoofing your calls from a general phone number for the organization you are targeting rather than a direct line. This may help stall the target if they decide to take additional action.
  - Example: “How about I give you a call back later? I’ve got a meeting coming up here in 15 minutes anyway and I need to prepare for it.”
- When reaching out to the IT Help Desk, consider using a name that sounds like a real employee name but isn’t. For example, if you are calling somewhere and want to learn what the help desk requires before it will reset a password, you can provide the name Jeff McDaniel instead of Jeff McDaniels. The intent is to give the IT Help Desk no reason to open a service ticket in response to your call, since the real employee who receives such a ticket would have their suspicion raised.
  - Example: “Hi this is Jeff McDaniel calling—I forgot my password and need to get it reset. What can I give you to authorize this?”
  - Important Note: In the above example, we stay in control of the conversation by providing simple information up front and making an immediate request. We do this to appear confident and to see if IT will slip and share the reset criteria without looking up our name. If we get a response (for example, they tell us an employee ID number is required), we can naturally end the call and say we’ll call back later with it.
  - Important Note: If the IT representative does their due diligence and checks your exact name before offering up information, they may tell you that they do not have that name in their system or something similar. You can laugh it off and say that you must have reached the wrong number.
  - Example: “Wow—I’m really sorry, I thought I’d dialed the number for my workplace. I’ve got a bunch of numbers here on my desk and the person I spoke with earlier transferred me over here. So sorry to waste your time.”
- Weaponizing Your Confidence. The more confident you are in your delivery, and the more adept you are at other forms of verbal control such as voice inflections, pauses, and mannerisms, the more convincingly you can play anyone from a technologically inept user to a busy manager. This entire section really deserves its own blog and is explored in depth in great books such as Never Split the Difference by Christopher Voss and Tahl Raz (https://www.blackswanltd.com/never-split-the-difference). A great way to weaponize your confidence is to practice speaking with people often, wherever you go, all the time. Look for opportunities to assert yourself and begin practicing with strangers. Trust me—it works!
Post-Exploitation: Cashing In
So you’ve successfully convinced somebody that you’re Chuck from IT and have not only reset their password but convinced them that they’ll need to take a lunch break while you work on “updating their computer.”
You’ve done it! But now you need to capitalize on your advantage. In this section, we’ll go over a few “must-do” items that will take your test in an even stronger direction.
- Proof of Compromise: Log into the compromised service (I really like Microsoft 365), screenshot the landing page, and send an email from the victim’s Outlook to yourself and the POC.
- Notify Your POC: Call them ASAP with the breach details. Tell them you’ve compromised a user and now have access to the environment. Ask for permission to perform additional searches of accessible materials.
- Loot Hunt: Search Outlook and SharePoint for “SSN,” “budget,” “password,” etc. Screenshot anything that looks like a juicy find (just make sure to redact sensitive information in your screenshots as needed).
- Reporting: Reporting as you go helps make reports stronger. However, I think we should also acknowledge that this may not always be an option while you are mid-attack. To help with this, I generally take screenshots of every single instance where my browser changes as I navigate the environment and I immediately save it with a cool tool called Greenshot, which lets you immediately save captures to an output directory. After you have the victim off the phone and are in the environment, you should have a very large number of screenshots. Immediately fill in the narrative to ensure you do not miss anything!
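The loot hunt and the redaction note above are easy to combine into a small triage helper once you have exported a batch of mailbox items. The following is an added example written for this post, not a BHIS tool or something from the original text: it scans constructed sample messages for the keywords mentioned ("SSN", "budget", "password"), flags each hit, and produces an excerpt with SSN-shaped values and anything following "password:" masked so the excerpt is safe to paste into a report. The message records, the field names (id, subject, body), and the redaction patterns are all assumptions of this example.

```python
import re

# Constructed sample mailbox items standing in for an export. Not real data.
SAMPLE_ITEMS = [
    {"id": "msg-1", "subject": "FY25 budget draft",
     "body": "Attached is the budget spreadsheet for review."},
    {"id": "msg-2", "subject": "New hire paperwork",
     "body": "Jane's SSN is 123-45-6789, please add it to the file."},
    {"id": "msg-3", "subject": "Lunch?",
     "body": "Tacos at noon?"},
    {"id": "msg-4", "subject": "VPN access",
     "body": "Temporary password: Spring2025! Change it on first login."},
]

# Keywords from the loot-hunt step; matching is case-insensitive.
KEYWORDS = ("ssn", "budget", "password")

# Redaction patterns: US SSN shape, and the token that follows "password:" or "password=".
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PASSWORD_VALUE_RE = re.compile(r"(?i)(password\s*[:=]\s*)(\S+)")


def redact(text):
    """Mask SSN-shaped numbers and password values so an excerpt is report-safe."""
    text = SSN_RE.sub("XXX-XX-XXXX", text)
    text = PASSWORD_VALUE_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


def find_loot(items, keywords=KEYWORDS):
    """Return one hit record per item that mentions a keyword or contains an SSN-shaped value."""
    hits = []
    for item in items:
        haystack = f"{item['subject']} {item['body']}".lower()
        matched = sorted(k for k in keywords if k in haystack)
        if matched or SSN_RE.search(item["body"]):
            hits.append({
                "id": item["id"],
                "keywords": matched,
                # The excerpt is redacted; the raw body never leaves the export.
                "excerpt": redact(f"{item['subject']}: {item['body']}"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_loot(SAMPLE_ITEMS):
        print(hit["id"], hit["keywords"], "->", hit["excerpt"])
```

The point of keeping redaction inside the triage function is that the report-safe excerpt is the only thing that gets written anywhere; the SSN regex also acts as a second trigger so a message that contains an SSN without ever using the word is still flagged.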
Pro Tips for Phone Mastery
I’ve worked in a number of positions where I’ve been on the phone talking with people who are experiencing all sorts of emotions. During my time as an HR professional, a researcher, and salesman, I’ve heard just about all of it by now. Here is some advice for how to best get comfortable when making social engineering calls.
- Breathe: Take a few deep breaths pre-call. Nerves are normal—channel them.
- Get Ready to Smile: It sounds dumb, but it works. Your tone lightens. People will feel it, especially if you rely on humor or feign interest in order to captivate someone.
- Embody the Role: Mentally become the IT guy or HR rep. Confidence flows from belief. If you are posing as an IT security person who is rushing to reach out to employees, your tone of voice should carry a sense of command and expertise. You should speak with complete confidence about why a data breach is serious and should be equipped with all the answers to ensure your target is given a good service experience.
- Reflect on Voice Inflections: Slight inflections in your voice can help sway your victims. If somebody happens to share something rough with you over the phone, consider showing sympathy or sharing a real or fictitious story with them. By identifying what someone needs (whether they know it or not), you can adapt your persona to be more attractive, which will help sway them into giving up what you want.
- Timing: Call before lunch, a couple of minutes before the turn of an hour, or at the end-of-day. Doing so gives you a good reason to end calls at opportune times in a confident way and may rush your target into complying.
- Ditch Fillers: Skip “um” and “uh.” Remember—confidence matters. If you do not sound like someone who is used to providing (for example) IT security assistance over the phone, people may start to wonder.
- Mirror Your Target: Match their vibe—curse lightly if they’re gruff, sympathize if they’re stressed. If they’re laughing, start laughing also.
- Set Goals: “I’m going to do ten calls today.” Set the goal and stick to it. Make plans, set timers. Do whatever you have to do to stay on top of your game. I’ve found that in my personal experience, momentum matters. The more calls I do and the quicker they are, the more likely I am to keep going. Also—it allows me to stay ahead of the curve if any suspicion is raised and allows for the maximum number of compromised accounts.
A Quick Conclusion: Why This Matters
With social engineering being a primary form of access for modern security breaches, it only makes sense that mastering this skill should be at the forefront of our abilities as penetration testers.
To those who may be reading who are involved in managerial training, articles like this one should hopefully underpin why social engineering training is important. Remember, the battle does not stop at phishing. Your team should be hardened against attacks carried out over the phone, in person, or even through physical mail.
With that said—best of luck to my fellow testers. Now go make some calls…
…and don’t get caught.
Want to learn more about this topic from John? Register now for next week’s webcast taking place Thursday, June 26, at 1:00 pm EDT:
How to Design and Execute Social Engineering Calls
