A pretext call (vishing) is a social engineering technique in which an attacker impersonates a trusted authority figure over the phone to manipulate targets into divulging sensitive information, performing actions, or granting access. In red team engagements, pretext calls test the human element of security controls: they measure how consistently employees follow verification procedures and how effective security awareness training has been. MITRE ATT&CK maps this to T1566.004 (Phishing: Voice) and T1598 (Phishing for Information), as summarised in the table below.
| Technique ID | Name | Tactic |
|---|---|---|
| T1566.004 | Phishing: Voice | Initial Access |
| T1598 | Phishing for Information | Reconnaissance |
| T1598.003 | Phishing for Information: Spearphishing Voice | Reconnaissance |
| T1589 | Gather Victim Identity Information | Reconnaissance |
| T1591 | Gather Victim Org Information | Reconnaissance |
```bash
# LinkedIn employee enumeration
theHarvester -d targetcorp.com -b linkedin -l 200

# Company org chart and employee roles:
#   review LinkedIn, corporate website "About Us" / "Team" pages

# Technology stack identification:
#   check job postings for technology references (VPN vendor, email, helpdesk tool)

# Phone system identification:
#   call main line, note IVR options, department names, extension patterns
```
Key intelligence to gather:
IT Helpdesk Impersonation (Most Effective):
"Hi, this is [name] from the IT Service Desk. We're migrating everyone to the new VPN client this week, and I see your account hasn't been updated yet. I need to verify your current credentials to ensure the migration goes smoothly. Can you confirm your username and current password?"
Vendor/Contractor:
"Hi, I'm [name] from [known vendor]. We're doing an emergency patch deployment for [product] and I need remote access to your system. Could you help me connect via TeamViewer?"
Executive Assistant (Authority):
"This is [name] calling on behalf of [CFO name]. [He/She] needs an urgent wire transfer processed for a deal that's closing today. I'll email you the details, but we need this done in the next hour."
Building/Facilities:
"Hi, this is [name] from facilities management. We're updating the badge access system this weekend. I need to confirm your employee ID and current badge number so your access isn't interrupted."
| Objection | Response |
|---|---|
| "Can I call you back?" | "Of course, call the main helpdesk line and ask for [name]. But this needs to be done by EOD." |
| "I need to verify this" | "Absolutely, I appreciate your diligence. You can check with [manager name]." |
| "I was told never to give passwords" | "You're right, and normally we wouldn't ask. This is a special case because [reason]. I can have my manager call you." |
| "What's your employee ID?" | Pivot: "It's [made-up ID]. Listen, I have 50 more people to call today. Can we just get this done?" |
| "I'll email IT instead" | "Sure, but the system migration happens tonight. If it's not done by then..." |
Track the following for each call:
| Metric | Description |
|---|---|
| Target Name | Employee called |
| Department | Target's department |
| Date/Time | When call was made |
| Duration | Length of call |
| Pretext Used | Which scenario |
| Information Obtained | What was disclosed |
| Credential Disclosed | Yes/No (and type) |
| Verification Attempted | Did target try to verify caller? |
| Reported to Security | Did target report the call? |
| Social Engineering Score | 1-5 susceptibility rating |
Roll the per-call records up into engagement-level rates and compare them against the benchmark targets (replace XX% with the observed values):

| Metric | Target | Result |
|---|---|---|
| Credential Disclosure Rate | <10% | XX% |
| Sensitive Info Disclosure Rate | <20% | XX% |
| Verification Rate | >80% | XX% |
| Security Reporting Rate | >50% | XX% |
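To turn the per-call tracking fields into the engagement-level rates above and check them against the benchmark targets, here is an added Python example (not from the original page); the call records, employee labels and department names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class CallRecord:
    """One row of the per-call tracking table (subset of fields)."""
    target_name: str
    department: str
    pretext: str
    info_obtained: str          # "none" when nothing was disclosed
    credential_disclosed: bool
    verification_attempted: bool
    reported_to_security: bool
    score: int                  # 1-5 susceptibility rating

# Constructed sample log; names and departments are placeholders.
SAMPLE_CALLS = [
    CallRecord("Employee A", "Finance", "IT Helpdesk", "username + password", True, False, False, 5),
    CallRecord("Employee B", "HR", "Facilities", "badge number", False, False, True, 3),
    CallRecord("Employee C", "Engineering", "Vendor", "none", False, True, True, 1),
    CallRecord("Employee D", "Finance", "Executive Assistant", "none", False, True, True, 2),
    CallRecord("Employee E", "Sales", "IT Helpdesk", "VPN vendor name", False, False, False, 3),
]

# Benchmark targets from the metrics table: (comparison, threshold in percent)
TARGETS = {
    "credential_disclosure_rate": ("<", 10.0),
    "sensitive_info_disclosure_rate": ("<", 20.0),
    "verification_rate": (">", 80.0),
    "security_reporting_rate": (">", 50.0),
}

def compute_rates(calls):
    """Return each engagement metric as a percentage of calls made."""
    n = len(calls)
    if n == 0:
        raise ValueError("no calls recorded")
    def pct(count):
        return round(100.0 * count / n, 1)
    return {
        "credential_disclosure_rate": pct(sum(c.credential_disclosed for c in calls)),
        # Any disclosure counts as sensitive information, not only credentials.
        "sensitive_info_disclosure_rate": pct(sum(c.info_obtained != "none" for c in calls)),
        "verification_rate": pct(sum(c.verification_attempted for c in calls)),
        "security_reporting_rate": pct(sum(c.reported_to_security for c in calls)),
    }

def missed_targets(rates, targets=TARGETS):
    """List the metrics whose observed rate fails its benchmark target."""
    missed = []
    for metric, (op, threshold) in targets.items():
        value = rates[metric]
        ok = value < threshold if op == "<" else value > threshold
        if not ok:
            missed.append(metric)
    return missed
```

Metrics that appear in `missed_targets` are the ones to prioritise in the awareness-training recommendations of the report.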