Beyond Phishing: The Rising Threat of Voice-Based Social Engineering

The Curious Codex

100% Human Generated
2025-05-23 Published, 2025-05-24 Updated
1529 Words, 8  Minute Read

The Author
GEN Blog

Matt (Virtualisation)

Matt has been with the firm since 2015.


As organisations become increasingly adept at identifying and blocking email-based phishing attempts, cybercriminals are shifting their tactics towards more direct approaches. Voice-based social engineering, often referred to as "vishing", has emerged as a particularly effective method of gaining unauthorised access to corporate networks. At GEN, we recently conducted a controlled test, with the permission of seven of our customers, calling from an unknown number and posing as IT support staff. The results were concerning: we successfully obtained remote access to three companies' systems with some effort, while one organisation granted access without any challenge whatsoever.

This shift in tactics represents a significant evolution in the threat landscape, and in 2025 we're seeing a sudden and significant increase in scam calls hitting businesses in the UK. Whilst email security tools can scan for malicious links and attachments, human psychology remains remarkably vulnerable to authoritative voices claiming to be from internal departments. The perceived urgency of IT issues, combined with a general reluctance to question authority figures, creates a perfect environment for these attacks to succeed. Our test demonstrated that even organisations with robust email security measures can fall victim to a well-executed voice call.

The implications of granting remote access to malicious actors are severe and far-reaching. Once installed, remote access software provides complete control over the compromised device, allowing attackers to install additional malware, access sensitive documents, capture keystrokes, and potentially move laterally through the network. In essence, the organisation's entire digital infrastructure becomes compromised through a single successful social engineering call. Financial data, intellectual property, and customer information all become accessible to the attacker.

What makes these attacks particularly dangerous is their psychological sophistication. Attackers often research their targets thoroughly, gathering information from company websites, social media profiles, and even previous data breaches. They then use this intelligence to create convincing personas, often claiming to be responding to a reported issue or conducting routine maintenance. The pressure to resolve IT problems quickly, especially when they appear to impact productivity, frequently overrides security concerns among employees who simply want to get on with their work.

A Transcript

With the very grateful permission of one of the organisations we successfully penetrated, and with names and links changed, we'd like to share a call transcript.

  • GEN: Hello, is that sally
  • Customer: Yes, speaking
  • GEN: Hi sally, this is david from it support how are you doing today
  • Customer: I'm fine thanks how can I help
  • GEN: We're short staffed today because half the team is off with flu so i'm trying my best to deal with the chaos
  • Customer: Yes, it's everywhere we're one down and i'm not feeling brilliant
  • GEN: Well i hope you're spared from what i'm told it's a bad one anyway i'm calling because our endpoint security tool detected something on your computer have you noticed anything running slowly today
  • Customer: Not particularly everything seems normal to me not that its ever fast
  • GEN: Hmm, oh by the way is mark still in your department or have i got that wrong he borrowed a mobile printer last week and i need it back for someone else
  • Customer: Oh mark not this department logistics probably downstairs
  • GEN: Ah, that makes sense i'll track him down after this call are you ready to run some diagnostics so I can track this down it'll only take a minute or two
  • Customer: Yep do you need me to do anything or can you do it from your end
  • GEN: It's a joint effort could you open your web browser for me
  • Customer: Yes it's already open
  • GEN: Perfect now in the address bar at the top could you type in dodgy-support.com that's our secure remote diagnostic tool
  • Customer: Okay dodgy-support.com right i've got a page that says XXXXXXXXX
  • GEN: That's the one now you should see a six digit code field i'll generate a secure code for your session can you enter 4 7 3 9 2 1
  • Customer: 4 7 3 9 2 1 done
  • GEN: Great now just click the connect button and you should see a small file downloading
  • Customer: Yes it's downloading something at the moment
  • GEN: Perfect once it's downloaded could you run that file for me you might get a security prompt that's just Windows so you need to click yes or run to allow it
  • Customer: Okay i've clicked run now it's asking for permission to make changes to my device
  • GEN: That's normal just click yes there the tool needs those permissions to scan your system properly
  • Customer: Done now i see a window that says waiting for technician connection
  • GEN: Excellent i can now see your system i'll just run a quick diagnostic check in the background you won't see much happening but i'll let you know when it's complete you can continue working as normal
  • Customer: Okay that's fine it's a busy day
  • GEN: While this runs could i just confirm you haven't received any unusual emails or clicked on any suspicious links recently have you
  • Customer: No nothing that i can think of
  • GEN: Good to hear you'd be surprised how many issues we deal with that start from phishing emails but actually your department has never had an issue according to my system so well done with that one
  • Customer: That's nice to know
  • GEN: Alright i can see the scan results now everything looks fine and the alert looks to be a false positive triggered by a windows update that pushed out this morning
  • Customer: Good to know thank you
  • GEN: No problem at all that's what we're here for and better safe than sorry i really appreciate you taking the time today
  • Customer: Absolutely thanks for checking
  • GEN: You're welcome i'll close the connection now and have a great day sally
  • Customer: You too thanks for your help

And there it is: 9 minutes is all it took to persuade Sally (not her real name) to install malware and give us full access. It is important to note that the 'support' tool we had them download is not real. The website and the 'tool' it downloads were constructed by our development teams for this exercise, and upon installation it simply makes an HTTPS request back to one of our development sites with the code entered, to show that the installation succeeded. At no point did we actually install any remote access software.

A well-configured RMM tool would have obstructed us to some degree, but we'd be able to work around it with more effort, and in the real world we rarely see 'properly' configured RMM because the restrictions needed to fully protect Windows endpoints generate far too much traffic to the IT department.

Protecting Your Organisation


Comprehensive staff training remains the most effective defence against these sophisticated social engineering attempts. Employees at all levels should be educated about verification protocols before granting system access or installing software. In most cases, IT should never call up and ask anyone to install anything, and that is an easy message to teach. Regular simulated attacks, like the one we conducted, can identify vulnerabilities in your human firewall before real attackers exploit them. We do provide this as a service, but it is just as easy for you to do it yourself.

Technical controls also play a crucial role in mitigating these risks. Implementing strict software installation policies, requiring administrative approval for new applications, and utilising application whitelisting can prevent unauthorised remote access tools from being installed, and a whole bunch of other things far outside the scope of this article.

We've observed cases where initial contact via phone is followed by emails containing "required" software, lending legitimacy to the attack, and intelligence gathered is further leveraged to extend the attack to other users.

Some sophisticated campaigns even involve multiple calls over several days, emails and even a site visit or two, building rapport before dropping the malware bomb. This patient approach significantly increases success rates because the attackers become familiar and 'normal'. In one exercise we carried out a few years ago now, we delivered 6 vending machines to a select few customers, placing them inside secure areas without challenge, because no one sees a vending machine as a threat, when in fact our vending machines contained NUCs with wifi, phone home and remote access.

Challenge everything, suspect anyone new, and assess risk at all points.

Transcription Processing

GEN developed a tool in 2020 which takes the daily call recordings, converts those to transcripts and then uses machine learning to scan those transcripts for anything which might be a social engineering attack. The same system can identify potential data leaks, abuse, and fraud. If you'd like to hear more, contact us for a demonstration.
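To make the idea of scanning call transcripts concrete, here is an added example (not GEN's tool, which is not described in detail here) of a simple rule-based scorer run over constructed turns modelled on the transcript above. The indicator regexes, weights and thresholds are assumptions chosen for illustration; a production system would learn or tune them on real call data.

```python
import re
from collections import Counter

# Constructed sample turns, modelled on the call transcript above (not a real recording).
SAMPLE_TRANSCRIPT = [
    ("caller", "this is david from it support our endpoint security tool detected something on your computer"),
    ("customer", "not particularly everything seems normal to me"),
    ("caller", "could you type in dodgy-support.com that's our secure remote diagnostic tool"),
    ("caller", "you should see a six digit code field can you enter 4 7 3 9 2 1"),
    ("caller", "once it's downloaded could you run that file for me you might get a security prompt just click yes"),
    ("customer", "done now i see a window that says waiting for technician connection"),
]
# Constructed benign call from the same 'IT support' persona, for contrast.
BENIGN_TRANSCRIPT = [
    ("caller", "hi it's david from it support just confirming the printer is working again after yesterday's fix"),
    ("customer", "yes all good thanks"),
]

# An indicator fires on a turn only when every regex in its list matches, so word order does not
# matter ("enter ... code" and "code ... enter" both count). Weights are illustrative assumptions.
INDICATORS = [
    ("claims_it_support", 1, [r"\b(it|tech|help ?desk) support\b"]),
    ("security_pretext", 1, [r"\b(detected|alert|virus|malware|infected|compromised)\b"]),
    ("directs_to_url", 2, [r"\b(type in|go to|browse to|open)\b", r"\b[a-z0-9-]+\.(com|net|org|co\.uk|io)\b"]),
    ("asks_for_code", 2, [r"\b(enter|type|read)\b", r"\b(code|pin)\b"]),
    ("asks_to_run_download", 3, [r"\b(run|open|install|execute)\b", r"\b(file|download|downloaded|tool|program)\b"]),
    ("asks_to_accept_prompt", 2, [r"\b(click|press|select)\b", r"\b(yes|allow|run|accept|ok)\b"]),
    ("remote_session_started", 3, [r"\bwaiting for (technician|agent|support)\b"]),
]

def score_transcript(turns):
    """Score (speaker, text) turns; returns (total score, sorted labels that fired). Every turn is
    scanned: the customer's own words ("waiting for technician connection") are often the clearest sign."""
    hits = Counter()
    for _speaker, text in turns:
        lowered = text.lower()
        for label, weight, patterns in INDICATORS:
            if all(re.search(p, lowered) for p in patterns):
                hits[label] += weight
    return sum(hits.values()), sorted(hits)

def classify(score):
    """Map a score to a triage bucket; thresholds are assumptions to tune on real call data."""
    if score >= 8:
        return "likely social engineering"
    if score >= 4:
        return "review"
    return "benign"
```

The sample call trips every indicator and lands in the "likely social engineering" bucket, while the benign call from the same persona only fires the IT support claim, which is exactly what a reviewer would expect a first-pass filter to do.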

The Future

As we move forward, organisations must adopt a holistic approach to security that addresses both technical vulnerabilities and human factors. Regular security awareness training, clear escalation procedures for unusual requests, and a culture that rewards security-conscious behaviour rather than punishing it will be essential. The most secure organisations aren't necessarily those with the most advanced technical controls, but rather those that have successfully integrated security awareness into their corporate culture.

The test we conducted serves as a stark reminder that cybersecurity is not merely a technical challenge but fundamentally a human one.


--- This content is not legal or financial advice & Solely the opinions of the author ---