Wednesday, May 7, 2014

Using the Phone Should Not Reduce the Effort for the Social Engineer

In recent years, the Internet has come to dominate certain more “impersonal” aspects of social engineering, whereas in days past the phone was an integral part of social engineering. Because of this shift, many social engineers do not put the energy or effort into phone usage that can make it truly successful.

This topic is here to show that the phone is still one of the most powerful tools of the social engineer and the effort put into using it should not be diminished due to the impersonal nature of the Internet.

Sometimes when a social engineer plans a phone attack, his thinking shifts because using the Internet appears easier. Note that you should plan to put the same level of effort, the same level and depth of research and information gathering, and most importantly the same level of practice into your phone-based social engineering attacks as you would into any other vector. I was once with a small group that was going to practice phone presentations. We outlined the proper methods, the tone, the speed, the pitches, and the words to use. We outlined a script (more on this in a minute) and then launched a session.

The first person made the call, got on the phone with someone, and messed up the first few lines. Out of complete embarrassment and fear he just hung up on the person. There is a very good lesson there—the person on the other end of the phone has no clue what you are going to say, so you can’t really “mess up.” Practice sessions can help you learn how to handle the “unknowns” caused by your accidentally altering something in your script that throws you off base.

If you are not fortunate enough to have a group to practice or hone these skills with, you will have to get creative. Try calling family or friends to see how far you can get manipulating them. Another way to practice is to record yourself as if you were on the phone and then play it back later to hear how you sound.

I personally feel that using an outlined script is very important. Here is an illustration: suppose you had to call your phone company or another utility. Maybe they messed up a bill or you had another service problem and you are going to complain. After you explain yourself to the rep, telling her how upset and disappointed you are, and the rep does absolutely nothing for you, she says something like, “XY&Z is committed to excellent service; have I answered all your questions today?” If the drone behind the phone thought for one second about what she was asking she would realize how silly it is, right? This is what happens when you use a written-out script instead of an outline. An outline allows you “creative artistic freedom” to move around in the conversation and not be so worried about what must come next.

Using the phone to solidify your pretext is one of the quickest methods inside your target’s door. The phone allows the social engineer to “spoof,” or fake, almost anything. Take into consideration this example: If I wanted to call you and pretend I was in a bustling office to add to the pretext I was trying to use, I could simply grab the audio track from Thriving Office (www.thrivingoffice.com/). This site offers a track called “Busy” and another called “Very Busy.” From the creators: “This valuable CD, which is filled with the sounds people expect to hear from an established company, provides instant credibility. It’s simple, effective, and guaranteed!”

That sentence alone is filled with social engineering goodness—filled with what people expect to hear from an established company. Already you can see that the CD is geared to fill expectations and provide credibility (at least, in the target’s mind, after his expectations are met), thereby automatically building trust.

In addition, spoofing caller ID information is relatively simple. Services like SpoofCard (www.spoofcard.com), or homegrown solutions, allow a social engineer to tell the target that the call is coming from a corporate headquarters, the White House, or the local bank. With these services you can spoof the number so that it appears to come from anywhere in the world.

The phone is a deadly tool for social engineers; developing the habits to practice using it and to treat it with utter respect will enhance any social engineer’s toolset for pretexting. Because the phone is such a deadly tool and has not lost its effectiveness, you should give it the time and effort it deserves in any social engineering gig.
