Vishing - Beginners guide to hacking and penetration testing (2017)

Vishing is, in short, the phone equivalent of phishing. The social engineer or hacker may pretend to be a user in need of a password reset, or a family member who is in trouble and needs you to wire them money. There are many uses and techniques for vishing.

Spoofing your number:

Generally, I think that spoofing your number when you are vishing adds an extra layer of protection against people tying the call back to you. Several apps and companies offer this service, most of them paid.

Spooftel is an excellent example of one such service. Not only can you hide your number, you can also play background sounds and disguise your voice.

When engaging with a target through vishing it's always useful to have a general outline of:

1. Who you are contacting

2. Who you are supposed to be

3. Why you are calling

4. What you want to happen as a result of this call

5. What your personality is going to be when you first call

6. Are you going to use background noises in your call? If so, have them ready and make sure they run longer than your expected call

7. Is this going to be a high-pressure (urgent) call or a casual one?

Having a loose outline of who you are and what you are going to say will help you get into your role. Keep it loose, though: you can never be 100% sure of how a call will go, and you may need to change things on the fly.

Note: If you happen to know the target's voicemail password, or can guess it, calling their phone number while also setting the "from" number to that same number will dial straight into their voicemail box.

One very good example of vishing can be found with a simple YouTube search for "vishing defcon". One in particular is from Social Engineer Inc., run by Chris

In this vishing "attack", a reporter asked the team to try vishing his phone company. A female member of Chris' team calls in and plays a crying baby audio clip in the background. By adding that sense of urgency and sympathy, she was quickly able to add herself to the reporter's account and even change the password, without ever having the reporter's password or credentials.

A number of years ago, we made a soundboard for gamers that would make it appear that they were a girl. We hired a girl to read a script containing a list of words and phrases for us in order to help sell that illusion. It worked well and is an example of vishing. Not that I would say a soundboard would work in an important engagement, but I have used them in the past for short conversations and pranks.

Streamlining the process and tweaking the enunciation would go a long way.