
Vishing Social Engineering Tests

Voice phishing is the easiest path to credentials. We test whether your team verifies identity before sharing sensitive data. Realistic scenarios + metrics + training.

Sales Representative: Grzegorz Gnych

What are Vishing Social Engineering Tests?

Vishing Social Engineering Tests are controlled phone attack simulations that measure whether your employees verify caller identity before sharing sensitive data or acting on unusual requests — a critical gap exploited in 67% of cases. nFlo's professional operators conduct 3–5 realistic scenarios tailored to your industry, targeting finance, IT, HR, and executive groups, then deliver detailed metrics on success rate and verification behavior alongside an educational debrief and callback procedure recommendations.

  • Professional Operators - Experienced testers
  • Success Rate Metrics - % vulnerability
  • Ethical Testing - No stress or threats

Call from 'IT' and password travels over the phone

67% of employees don't verify caller identity

Realistic vishing scenarios tailored to your company

  • Custom Scenarios - Scenarios tailored to your industry
  • Professional Calls - Experienced operators, not robots
  • Detailed Metrics - Success rate, time to verify, escalation

€65K Transfer Through One Phone Call - Case Study

An accountant at a manufacturing company received a call from the “CFO”, who was “in a meeting with a client”. The voice sounded familiar (a deepfake) and the situation was urgent: “We need to process a wire transfer for a new supplier, I’ll send you the details by email”.

The email came from a look-alike domain (company-inc.com instead of company.com). The accountant processed the €65K transfer. Money gone. She didn’t call back to verify - “after all, it was the boss’s voice”.

Without vishing tests:

  • Employees trust voice on the phone without verification
  • No callback verification procedures for unusual requests
  • Unaware of voice manipulation techniques (urgency, authority, reciprocity)
  • Deepfake voice cloning is becoming easier (AI)

Professional Operators, Realistic Scenarios, Zero Stress

We don’t call with threats or put employees under stress. We test reactions to realistic scenarios used by real attackers. We measure whether the team verifies identity before taking action.

What you get:

  • OSINT research (company structure, industry jargon, technologies)
  • 3-5 different vishing scenarios tailored to context
  • Professional operators (not automated calls)
  • Targeting different groups (finance, IT, HR, executives)
  • Metrics: success rate, verification attempts, escalation rate
  • Audio recordings (with consent and only for analysis purposes)
  • Documentation of each conversation (transcription, outcome)
  • Report identifying most vulnerable individuals/departments
  • Verification procedure recommendations (callback process)
  • Educational session for team (how to recognize vishing)

Who Is It For?

This service is for you if:

  • Finance team has access to transfers and you’re concerned about BEC
  • You want to implement phone verification procedures (callback)
  • Your employees frequently receive calls with “urgent” requests
  • You need to measure vulnerability to voice phishing

Test Scope

Vishing Scenarios

1. Fake IT Support

  • Pretext: “Hello, IT helpdesk. We have a server outage, I need your password to reset the account”
  • Goal: Check if they share credentials over phone
  • Red flags: Asking for password, no ticket number, urgency

2. Executive Impersonation

  • Pretext: “This is director X, I’m in a meeting and urgently need access to document Y”
  • Goal: Check if they verify supervisor identity
  • Red flags: Unusual request, urgency, pressure

3. Vendor/Partner Verification

  • Pretext: “I’m calling from ABC company, we work with you. I need to verify payment details”
  • Goal: Check if they verify contractor identity
  • Red flags: Requesting payment details, no context

4. Bank/Financial Institution

  • Pretext: “Bank X security. We registered a suspicious transaction, please confirm your card details”
  • Goal: Check reaction to “authority” pretexting
  • Red flags: Asking for card details, PIN, passwords

5. HR/Recruitment

  • Pretext: “HR department. We’re verifying employee data for the HR system, please confirm social security number and address”
  • Goal: Check if they share personal data
  • Red flags: Asking for personal data over phone

6. Emergency/Crisis

  • Pretext: “Hello, security. We have a security incident, please immediately change passwords and provide the new one”
  • Goal: Check reaction to stress and urgency
  • Red flags: Extreme urgency, fear tactics, immediate action required

Manipulation Techniques

We test resistance to classic social engineering techniques:

  • Authority - Impersonating supervisors, IT, security
  • Urgency - “We need to do this immediately”
  • Fear - “If we don’t do this now, there will be consequences”
  • Reciprocity - “I helped you before, now I’m asking for help”
  • Social proof - “Everyone in the department already did it”
  • Scarcity - “This is the only chance, later it will be too late”

Target Groups

We target different groups to map vulnerability:

  • Finance/Accounting - most critical target (payment access)
  • IT Helpdesk - often asked to reset passwords
  • HR - access to personal data
  • Executives - little time, high authority = easy target
  • Reception - first line of contact
  • New employees - less aware of procedures

Metrics

For each campaign we measure:

Success Rate - % of people who performed requested action (gave password, transferred to number, etc.)

Verification Attempts - % of people who tried to verify caller identity

Escalation Rate - % of people who escalated unusual request to supervisor

Time to Suspicion - How long before the person started suspecting fraud

Callback Rate - % of people who called back to verify

Credential Disclosure - % of people who shared sensitive information

Heat Map Report

We identify:

  • Most vulnerable departments
  • Most effective scenarios
  • Common weaknesses
  • Best responders (for recognition and learning)
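To make the Metrics and Heat Map Report sections concrete, here is an added example (not nFlo's reporting code) that computes the six campaign figures and the four heat-map findings from per-call records. The `CallRecord` fields, the constructed sample calls, the "best responder" rule (took no action, leaked nothing, and verified, escalated or called back) and the use of a mean for time to suspicion are assumptions made for this illustration.

```python
"""Score a vishing campaign: campaign metrics plus a department/scenario heat map.

Added example. Field names, sample records and ranking rules are assumptions
for this illustration, not the original page's reporting format.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class CallRecord:
    """Outcome of one test call, as an operator would log it after hanging up."""
    target_id: str
    department: str
    scenario: str
    performed_action: bool               # did what the caller asked (attacker success)
    attempted_verification: bool         # asked for a ticket number, name, extension...
    escalated: bool                      # handed the request to a supervisor
    called_back: bool                    # hung up and dialled a number from the directory
    disclosed_sensitive: bool            # shared a password, card data or personal data
    seconds_to_suspicion: Optional[int]  # None if the target never became suspicious


def pct(flags) -> float:
    """Share of True values as a percentage with one decimal (0.0 for no data)."""
    flags = list(flags)
    return round(100 * sum(flags) / len(flags), 1) if flags else 0.0


def campaign_metrics(records) -> dict:
    """The six campaign-level figures from the Metrics section."""
    times = [r.seconds_to_suspicion for r in records if r.seconds_to_suspicion is not None]
    return {
        "success_rate": pct(r.performed_action for r in records),
        "verification_attempts": pct(r.attempted_verification for r in records),
        "escalation_rate": pct(r.escalated for r in records),
        "callback_rate": pct(r.called_back for r in records),
        "credential_disclosure": pct(r.disclosed_sensitive for r in records),
        # mean seconds among those who did become suspicious; None if nobody did
        "mean_time_to_suspicion_s": round(mean(times), 1) if times else None,
    }


def success_by(records, attr: str) -> dict:
    """Success rate grouped by one record attribute ('department' or 'scenario')."""
    groups = defaultdict(list)
    for r in records:
        groups[getattr(r, attr)].append(r.performed_action)
    return {name: pct(flags) for name, flags in groups.items()}


def heat_map(records) -> dict:
    """Success rate per (department, scenario) cell: {department: {scenario: %}}."""
    cells = defaultdict(lambda: defaultdict(list))
    for r in records:
        cells[r.department][r.scenario].append(r.performed_action)
    return {d: {s: pct(f) for s, f in scen.items()} for d, scen in cells.items()}


def heat_map_report(records) -> dict:
    """The four findings of the Heat Map Report section."""
    by_dept = success_by(records, "department")
    by_scenario = success_by(records, "scenario")
    # Common weakness tracked here: people who read out sensitive data (training focus).
    disclosed = sorted(r.target_id for r in records if r.disclosed_sensitive)
    # Best responders: no action taken, nothing leaked, and an active defensive step.
    best = sorted(r.target_id for r in records
                  if not r.performed_action and not r.disclosed_sensitive
                  and (r.attempted_verification or r.escalated or r.called_back))
    return {
        "most_vulnerable_department": max(by_dept, key=by_dept.get),
        "most_effective_scenario": max(by_scenario, key=by_scenario.get),
        "disclosed_sensitive": disclosed,
        "best_responders": best,
        "cells": heat_map(records),
    }


# Constructed sample campaign (nine calls); columns follow CallRecord's field order.
SAMPLE_CALLS = [
    CallRecord("u01", "Finance", "vendor_payment_details", True, False, False, False, True, None),
    CallRecord("u02", "Finance", "vendor_payment_details", False, True, True, True, False, 40),
    CallRecord("u03", "Finance", "executive_impersonation", True, False, False, False, False, 180),
    CallRecord("u04", "IT Helpdesk", "fake_it_support", True, False, False, False, True, None),
    CallRecord("u05", "IT Helpdesk", "fake_it_support", False, True, False, False, False, 25),
    CallRecord("u06", "HR", "hr_data_verification", False, True, True, False, False, 60),
    CallRecord("u07", "HR", "hr_data_verification", False, False, True, False, False, 120),
    CallRecord("u08", "Reception", "executive_impersonation", True, False, False, False, False, None),
    CallRecord("u09", "Reception", "executive_impersonation", False, True, False, False, False, 30),
]

if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_CALLS))
    print(heat_map_report(SAMPLE_CALLS))
```

On the constructed sample, Finance comes out as the most vulnerable department and executive impersonation as the most effective scenario, while u07 counts as a best responder even though they never verified the caller, because escalating to a supervisor is an equally good outcome. Small groups distort the heat map (one call per department is not a rate), so in a real report the cell counts should be shown next to the percentages.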

Ethics and Methodology

Ethical Vishing Principles

  • Management consent - Full authorization before tests
  • No harm - We don’t threaten or cause long-term stress
  • No real damage - We don’t ask for actual transfers
  • Educational debrief - After tests: educational session, not “name and shame”
  • Confidentiality - Recordings only for analysis, then destroyed
  • Legal compliance - GDPR, recording consent where required

Call Recording

  • Recordings only with consent (informed after test)
  • Used exclusively for analysis and debriefing
  • Destroyed after project completion
  • Not shared with third parties


Contact your account manager

Discuss Vishing Social Engineering Tests with your dedicated account manager.


How we work

Our proven service delivery process.

1. OSINT Preparation - Information gathering: structure, technologies, jargon
2. Scenario Design - Designing realistic pretexts
3. Vishing Campaign - Conducting test calls
4. Report and Debrief - Metrics + educational session for the team

Benefits for your business

What you gain by choosing this service.

  • BEC Defense - Team verifies unusual phone requests
  • Less Credential Leakage - Employees don't give passwords over the phone
  • Verification Procedures - Implement a clear callback verification process
  • Aware Team - Employees know voice manipulation techniques

Frequently Asked Questions

Common questions about Vishing Social Engineering Tests.

How many people are tested during a vishing campaign?

Typically we test 20-50 employees from various departments (finance, IT, HR, reception). We select the scope to map vulnerability across the entire organization, not just one team.

Are employees aware of the tests?

No - tests are unannounced to obtain realistic results. We only inform management and decision-makers. After the tests, we conduct an educational session for the entire team, without identifying specific individuals.

What scenarios do you use?

We design 3-5 scenarios tailored to the company: fake IT support, executive impersonation, fake vendor, urgent banking situation. The scenarios use techniques employed by real attackers.

How do you measure test results?

We measure success rate (% of people who performed the requested action), verification rate (% of identity verification attempts), escalation rate (% who escalated to a supervisor) and time to suspicion of fraud.

Are phone conversations recorded?

Recording is optional and requires management consent. Recordings are used exclusively for analysis and debriefing, and are permanently deleted after the project is completed.

Want to Reduce IT Risk and Costs?

Book a free consultation - we respond within 24h
