Threats
T1566Social Engineering — Vishing, SMShing, and Deepfakes
How attackers use voice phishing (vishing), SMS phishing (SMShing), and AI-generated deepfakes to bypass technical controls — and how SOC analysts can detect and respond.
View on Graph
What Social Engineering Is and Why It Bypasses Technical Controls
- Social engineering is the psychological manipulation of people to perform actions or disclose sensitive information. Unlike exploits that target software bugs, social engineering targets the human element — the most vulnerable component in any security architecture.
- MITRE ATT&CK maps social engineering primarily under
T1566(Phishing), with sub-techniques for Spearphishing Voice (T1566.004) and Spearphishing via Service (T1566.003). Deepfakes are an emerging attack vector that extends traditional voice/social engineering to include AI-generated impersonation. - Social engineering attacks are effective because they bypass technical controls: email filters catch phishing, but they cannot stop a phone call. MFA stops credential theft, but it cannot stop a user who is socially engineered into approving a push notification.
- According to the Verizon DBIR, social engineering is involved in over 70% of data breaches. Vishing and SMShing attacks have increased by over 300% since 2020 as attackers adapt to better email security.
Vishing — Voice Phishing
How Vishing Works
Vishing (voice phishing) uses telephone calls or voicemail to extract credentials, financial information, or access. Attackers impersonate trusted entities — IT support, help desks, bank fraud departments, or executive leadership.
The attack flow typically follows this pattern:
- Reconnaissance — The attacker gathers information about the target from OSINT sources: LinkedIn job titles, organizational charts, data breach dumps, or OSINT tooling
- Caller ID spoofing — The attacker uses VoIP to spoof the caller ID, making the call appear to come from a trusted internal number or vendor
- Social script execution — The attacker follows a script tailored to the target’s role and the desired outcome (credential reset, MFA approval, wire transfer)
- Information extraction — The attacker extracts the target information or action during the call
Common vishing scenarios:
| Scenario | Impersonated Role | Goal |
|---|---|---|
| IT help desk call | Internal IT support | Reset the user’s password or bypass MFA registration |
| Vendor support call | Trusted vendor (Microsoft, AWS) | Obtain admin credentials or API keys |
| CEO/executive call (“whaling”) | C-suite executive | Authorize an emergency wire transfer (BEC variant) |
| HR/payroll call | HR representative | Obtain W-2 or payroll information |
| Security team call | Internal security team | Convince user to install a “security tool” (actually malware) |
Detection — Vishing
Vishing is notoriously difficult to detect at the technical level because the attack happens over voice — not through email or web traffic. Detection relies on:
| Signal | What to Monitor | How to Correlate |
|---|---|---|
| Anomalous password resets | Event ID 4724 (password reset attempt) | Multiple resets shortly after an internal phone call |
| MFA enrollment changes | MFA registration log (Azure AD, Duo) | New MFA device registered by the user shortly after a call |
| Unusual VPN access | VPN connection logs | First-time VPN connection from a non-corporate IP after a help-desk-style call |
| Post-call phishing activity | Email logs, web proxy | User receives a follow-up email from a suspicious domain |
| MFA push fatigue | MFA deny/approve logs | Dozens of MFA push requests to the same user — the attacker calls to pressure approval |
SPL query — detect password reset shortly after call activity:
index=windows EventCode=4724
| eval call_window = bin(_time, 900) (15-minute window)
| lookup internal_call_log.csv call_window, TargetUserName OUTPUT CallSource, CallDuration
| where isnotnull(CallSource)
| eval alert = "HIGH — password reset for " . TargetUserName . " within 15 minutes of call from " . CallSource
| table _time, TargetUserName, CallSource, CallDuration, alert
| sort - _timeResponse — Vishing
| Action | Detail | Timeline |
|---|---|---|
| Verify the call | Ask the user for details: who called, what was requested, what was provided | Immediate |
| Reset password | If the user provided their password, reset it immediately | Immediate |
| Revoke MFA tokens | De-register any MFA devices enrolled after the call | Immediate |
| Review account activity | Audit logons, email rules, and file access for 48 hours after the call | 1-2 hours |
| Alert the SOC team | Document the attack pattern — attacker phone number, script used, impersonated role | 1 hour |
| Report to carrier | If caller ID spoofing is involved, report to the telecom carrier | After containment |
SMShing — SMS Phishing
How SMShing Works
SMShing (SMS phishing) uses text messages to deliver malicious links or request sensitive information. Mobile devices have fewer security controls than corporate laptops — no EDR, limited URL filtering, and users are conditioned to trust text messages.
Common SMShing vectors:
| Vector | Example Message | Goal |
|---|---|---|
| Package delivery | ”Your package is delayed — click here to reschedule” | Credential harvesting via fake login page |
| Bank alert | ”Suspicious charge detected — confirm or block” | Financial credential theft |
| Corporate notification | ”Your VPN password expires today — update now” | Corporate credential theft |
| Voicemail notification | ”New voicemail from [CEO name] — listen here” | Phishing link leading to credential harvesting |
| MFA challenge | ”Approve this login from [location] — reply YES or NO” | MFA fatigue — combined with a phone call |
Detection — SMShing
| Signal | What to Monitor | How to Detect |
|---|---|---|
| Anomalous SMS volume | SMS gateway logs | A user receiving multiple SMS messages from unknown numbers |
| Malicious link clicks | URL filtering / secure web gateway | Click on a known malicious domain from a mobile device |
| Credential harvesting pages | Web proxy logs | POST to a typosquat domain mimicking the corporate login portal |
| New device registration | MFA / SSO logs | New device registered for MFA shortly after SMS click |
| Multi-factor authentication anomalies | MFA logs | MFA approval from an unusual geographic location |
Response — SMShing
| Action | Detail |
|---|---|
| Isolate the mobile device | If the user clicked a link, block the device from corporate resources |
| Revoke session tokens | Invalidate all active sessions for the affected user |
| Scan for malware | If the link delivered malware, run mobile security scan |
| Check corporate apps | Verify the user did not install a malicious app from the SMS link |
| Alert carrier | Report the SMS sender number to the mobile carrier |
Deepfakes — AI-Generated Voice and Video Attacks
How Deepfake Social Engineering Works
Deepfake technology uses generative AI to create realistic voice or video impersonations. An attacker needs as little as 3-10 seconds of a target’s voice — from a voicemail greeting, a YouTube interview, or a conference recording — to generate convincing audio.
Deepfake attack scenarios:
| Scenario | Media | Impact |
|---|---|---|
| CEO voice deepfake | Audio | Authorize wire transfer (BEC via voice) |
| IT support voice deepfake | Audio | Extract password reset from help desk agent |
| Executive video deepfake | Video | Impersonate the CEO in a video call to authorize access |
| Vendor voice deepfake | Audio | Convince procurement to change payment details |
| Employee voice deepfake | Audio | Call the help desk as the employee to reset MFA |
In 2024, a finance worker in Hong Kong was tricked into transferring $25 million after attending a video call with deepfake versions of the company’s CFO and colleagues.
Detection — Deepfake Attacks
| Signal | Detection Method | Reliability |
|---|---|---|
| Unusual call-back request | Call audio analysis — does the caller insist on a separate call or delayed action? | Medium |
| Voice artifacts | AI detection tools — unnatural breathing, inconsistent tone, digital artifacts | High (with specialist tools) |
| Uncharacteristic request | Behavioral analysis — is the request outside normal authority or procedure? | High |
| Call-out-of-band verification | Process control — confirm the request via a separate channel | Very high (best practice) |
| Video lip-sync mismatch | Video analysis — lip movements slightly misaligned with audio | Medium (evolving) |
Prevention — Deepfake Social Engineering
| Control | What It Prevents | Implementation |
|---|---|---|
| Out-of-band verification | All deepfake scenarios | Critical transactions require confirmation via a separate channel (Slack + phone + in-person) |
| Call-back procedures | Impersonation during single call | Always call back through the official number, not the number provided by the caller |
| Code words | Any impersonation scenario | Executive/IT/finance teams use a pre-arranged code word for sensitive requests |
| Voice biometrics | Voice deepfake | Compare incoming call voiceprint against stored voiceprint |
| Security awareness training | User susceptibility | Regular training on deepfake risk and verification procedures |
The key principle: any request involving money, credentials, or access changes must be verified through a second channel. A phone call is not a second channel if the attacker is the one making the call.
Detection — Cross-Channel Correlation
The most effective detection approach for social engineering is cross-channel correlation: tracking the same user across voice, SMS, email, and authentication events.
KQL query — cross-channel social engineering correlation:
// Find users who received a suspicious call AND had authentication anomalies
let suspicious_calls = (
// Replace with call log data source
datatable(CalledUser:string, CallTime:datetime, CallerNumber:string)
[ ]
);
let auth_anomalies = (
SigninLogs
| where TimeGenerated between (datetime(now-24h) .. datetime(now))
| where ResultType != "0" (failed or anomalous)
);
suspicious_calls
| join kind=inner auth_anomalies on $left.CalledUser == $right.UserPrincipalName
| where datetime_diff('hour', SigninLogs.TimeGenerated, CallTime) < 2
| project CallTime, CalledUser, CallerNumber, SigninTime=SigninLogs.TimeGenerated, ResultType, ResultDescription
| sort by CallTime ascPrevention — Defense in Depth for Social Engineering
| Control Layer | What It Stops | Limitation |
|---|---|---|
| Security awareness training | User susceptibility to common attacks | Training fatigue; does not prevent sophisticated deepfakes |
| MFA with number matching | MFA fatigue via vishing | Attacker can still pressure user to approve a specific number |
| Call-back verification policy | Vishing and deepfake impersonation | Requires user compliance; attackers may intercept call-back |
| SMS gateway filtering | Bulk SMShing campaigns | Does not stop targeted SMShing from non-carrier numbers |
| AI voice detection | Deepfake voice | Not widely deployed; false positive rate still high |
| Out-of-band confirmation | All scenarios | The gold standard — confirm changes via a completely separate channel |
| Endpoint controls on mobile | Malicious link clicks | MDM with mobile EDR; limited for personal devices |
Related
- Phishing — detection and response for T1566 techniques
- Business Email Compromise Response — detection and response for T1566, T1114, T1098, T1586 techniques
- Insider Threat — detection and response for T1078 techniques
- Credential Theft Incident Response — detection and response for T1558.001, T1003.001, T1134 techniques
- MFA Fatigue — detection and response for T1110.004, T1621 techniques