The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The phone call that bypassed everything

The scenario:

  • The caller knew the CEO's name, the IT manager's extension, and just enough about the recent system migration to sound legitimate. The password reset took 90 seconds.

  • Voice phishing (vishing) attacks bypass technical controls entirely by targeting the human element directly. Attackers research organisations through LinkedIn, press releases, and previous breaches to build convincing pretexts. They call help desks, pose as executives or IT staff, and social-engineer their way to credential resets, MFA bypasses, or direct system access.

  • The MGM breach demonstrated the scale of damage possible: one phone call to the help desk, impersonating an employee found on LinkedIn, resulted in a ransomware attack that cost over $100 million. No malware delivery. No vulnerability exploitation. Just a convincing voice on the phone.

  • Defend against vishing by implementing strict verification procedures for sensitive requests: callback verification, manager approval, out-of-band confirmation.

  • Train help desk staff to recognise social engineering tactics and empower them to refuse requests that don't follow protocol, regardless of claimed urgency or authority. Document and test these procedures regularly.

  • Social engineering attacks leave no malware signature and trigger no technical alerts. Detection comes from behavioural signals after the fact: a password reset followed by unusual access patterns, new device enrolments, or privilege escalation. The call itself is invisible to your security stack.
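The after-the-fact correlation described above, as an added example that is not part of this newsletter: it runs over constructed identity-provider audit events and flags a help-desk password reset that is followed within a window by a new MFA device enrolment, a privilege change, or a login from a device not on a known-device list. The event names, field names and the four-hour window are assumptions, not any vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). Each record mimics an
# identity-provider audit log entry: who, what happened, when, from which device.
EVENTS = [
    {"user": "j.doe",   "event": "password_reset_helpdesk", "ts": "2024-05-01T09:02:00", "device": "helpdesk-console"},
    {"user": "j.doe",   "event": "mfa_device_enrolled",     "ts": "2024-05-01T09:15:00", "device": "unknown-android"},
    {"user": "j.doe",   "event": "login",                   "ts": "2024-05-01T09:20:00", "device": "unknown-android"},
    {"user": "j.doe",   "event": "group_added",             "ts": "2024-05-01T10:05:00", "device": "unknown-android"},
    {"user": "a.smith", "event": "password_reset_helpdesk", "ts": "2024-05-01T11:00:00", "device": "helpdesk-console"},
    {"user": "a.smith", "event": "login",                   "ts": "2024-05-01T11:30:00", "device": "corp-laptop-17"},
]

# Assumed event names for the follow-on signals the text describes:
# new device enrolment and privilege change.
FOLLOW_ON = {"mfa_device_enrolled", "group_added"}
WINDOW = timedelta(hours=4)  # assumed correlation window


def parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_resets(events, window=WINDOW, known_devices=()):
    """Flag each help-desk reset followed within `window` by an enrolment,
    a privilege change, or a login from a device not in `known_devices`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "password_reset_helpdesk":
                continue
            t0 = parse(e["ts"])
            signals = []
            for f in evs[i + 1:]:
                if parse(f["ts"]) - t0 > window:
                    break  # events are time-ordered, so nothing later is in the window
                if f["event"] in FOLLOW_ON:
                    signals.append(f["event"])
                elif f["event"] == "login" and f["device"] not in known_devices:
                    signals.append(f"login_from_unknown_device:{f['device']}")
            if signals:
                findings.append({"user": user, "reset_at": e["ts"], "signals": signals})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(EVENTS, known_devices={"corp-laptop-17"}):
        print(finding)
```

A reset with no follow-on signal (a.smith) produces nothing; the reset is benign on its own, and the alert only fires when the behavioural chain appears.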

Do this:

Ask your help desk: "What's our verification process for password reset requests over the phone?" If the answer is vague, fix it this week.