Why this module exists. The corporate phishing-defence stack — DMARC, anti-phishing platforms, FIDO2 — does not protect against an attacker calling the help desk. India’s PSTN and SMS infrastructure make voice-channel social engineering particularly cheap. This module covers what defenders can actually do.
The vishing playbook
The canonical Indian-enterprise vishing attack:
- OSINT to identify a target employee, often via LinkedIn — name, role, manager, recent activity.
- Spoof the caller ID to look like an internal extension or a known vendor number.
- Establish credibility with one accurate fact (recent project, manager name).
- Create urgency — “your VPN access is being terminated; we need to verify your password to restore it.”
- Capture credentials, MFA codes, or trigger a privileged action (password reset, MFA-app re-enrollment).
The IT help desk is the highest-leverage target. A successful help-desk vish gets the attacker an MFA reset on a privileged account.
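As an added example (not part of this module or any vendor product), here is the kind of intake gate a help desk can enforce in Python: caller ID is treated as zero evidence because it is spoofable, phone-channel password or MFA actions require a callback to the number already on record, privileged accounts need a second approver, and a caller pressing urgency always slows the request down. The request fields and the policy itself are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy: actions that can hand an attacker account takeover.
HIGH_RISK_ACTIONS = {"password_reset", "mfa_reset", "mfa_reenroll"}


@dataclass
class ResetRequest:
    account: str
    action: str
    channel: str              # "phone", "in_person" or "portal"
    caller_id: str            # number the phone network presented (spoofable)
    directory_number: str     # number on record for the account holder
    callback_answered: bool   # agent hung up and called directory_number back
    privileged: bool          # account holds admin or other privileged roles
    manager_approved: bool = False
    caller_states_urgency: bool = False


@dataclass
class Decision:
    outcome: str              # "allow", "escalate" or "deny"
    reasons: list = field(default_factory=list)


def triage(req: ResetRequest) -> Decision:
    """Decide whether the agent may perform the requested action now."""
    if req.action not in HIGH_RISK_ACTIONS:
        return Decision("allow", ["low-risk action"])
    if req.channel == "phone" and not req.callback_answered:
        # Spoofed caller ID looks identical to a real internal extension,
        # so the presented number is ignored entirely; only a callback to
        # the directory number counts as phone-channel verification.
        return Decision("deny", ["phone request without callback to directory number"])
    reasons = []
    if req.privileged and not req.manager_approved:
        reasons.append("privileged account: second approver required")
    if req.caller_states_urgency:
        reasons.append("urgency is a pressure tactic: slow down and re-verify")
    if reasons:
        return Decision("escalate", reasons)
    return Decision("allow", ["callback verified, approvals in place"])


# Constructed sample: a spoofed internal extension asking for an MFA reset.
SPOOFED_CALL = ResetRequest("svc-admin", "mfa_reset", "phone", "+91 22 4000 1234",
                            "+91 98 7654 3210", callback_answered=False,
                            privileged=True, caller_states_urgency=True)
```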
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.