What Help Desks and Secretaries Need to Know.
Phone-based social engineering, or 'vishing,' happens when attackers trick employees into giving away information or access over the phone. Help desks and secretaries are common targets, as they handle daily calls and often reset accounts or manage sensitive details. This guide will help you spot red flags, know what questions to ask, and handle pressure tactics.
Common Red Flags:
• Urgency: “I need my password reset right now or the system will go down!”
• Impersonation: Claiming to be your boss or IT support.
• Aggression: Yelling, threatening, or shaming you.
• Odd Requests: Asking for MFA codes, personal details, or unusual actions.
Key Questions to Ask:
• Who are you exactly? (Full name, department, ID)
• Why is this request being made?
• Can you confirm through another channel (official email/number)?
• What’s your callback number? (Verify it against the directory, not against a number the caller provides.)
Handling Aggressive or Urgent Callers:
If someone is yelling, impersonating a supervisor, or demanding immediate action, stay calm and stick to the process. Polite responses such as: “I’ll call you right back on your official extension” or “I must verify your identity before proceeding” help stop attackers. Always document suspicious calls.
Best Practices:
• Follow your verification policy every time.
• Never give out passwords or MFA codes.
• Train staff with role-playing scenarios.
• Report suspicious calls immediately.
Real-World Examples:
• Workday Social Engineering Attack – Hackers impersonated IT/HR to steal employee data (Cybersecurity Dive).
• Scattered Spider Targeting Help Desks – Reset MFA and passwords to gain access (CISA).
• Clorox vs. Cognizant – Vendor allegedly failed verification, leading to $400M breach (TechInformed).
Remember: Attackers exploit human behavior, not just technology. By asking the right questions, staying calm under pressure, and refusing to bypass verification, you are the first and strongest line of defense.
Author: Valerie Leuchtmann, 09/18/2025