Callback requests are a type of phishing payload whereby attackers attempt to entice victims into dialling a phone number embedded within an email. CanIPhish uses a combination of technologies to provide callback phishing as part of our phishing simulator.
Overview
Employees receive a simulated phishing email enticing them to call a phone number. They're simultaneously given a 6-digit "Caller Code". Upon dialling the phone number embedded within the email, employees are met by an Interactive Voice Response (IVR) system, which prompts them to provide their 6-digit caller code so they can be directed to the appropriate team member.
Once a valid caller code is provided, the phone call is then redirected from the IVR system to an AI Agent that's powered by CanIPhish's PhishAI technology. Over the course of the conversation with the AI Agent, the employee will be enticed to verify their identity through basic validation questions (e.g. what's your first name, what's your last name, what's your job title, etc.). Once two of these questions are answered, the AI Agent will shut down, and a pre-recorded message will be played that notifies the employee of the simulated phishing exercise.
Interaction Tracking
Outside of standard interactions (i.e. email delivered, email viewed, email reported), the following interactions are tracked as part of phishing emails that leverage the callback request payload type:
- Email Reply Event: When an employee responds to an email, this event will be triggered. Additionally, they'll receive an email reply within 10-30 minutes from an AI Agent, which further entices them to jump on a phone call. If the AI Agent receives pushback, it will fall back to a standard information request over email.
- Payload Interaction Event: If an employee calls the provided phone number and enters their 6-digit caller code, this event will be triggered. Additionally, they'll be forwarded to a Conversational AI Agent to have a voice call discussion.
- Employee Compromised Event: If an employee provides identity verification answers to the Conversational AI Agent, this event will be triggered. Additionally, a pre-recorded message will be played, which notifies them of the simulated phishing exercise.
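The phone-side event flow above, as an added illustration (not CanIPhish's own code): a small state machine that validates a 6-digit caller code against the codes issued for a campaign, counts answered identity-verification questions, and fires the Payload Interaction and Employee Compromised events at the points the text describes. The issued-code table, employee names, question labels and return strings are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Example validation questions, taken from the ones the article names.
VERIFICATION_QUESTIONS = ("first name", "last name", "job title")
# The article: once two questions are answered, the agent shuts down.
ANSWERS_TO_COMPROMISE = 2


@dataclass
class CallSession:
    """Tracks one simulated callback from IVR prompt to awareness message."""
    issued_codes: Dict[str, str]            # caller code -> employee (constructed)
    events: List[Tuple[str, str]] = field(default_factory=list)
    employee: Optional[str] = None
    answers: int = 0
    ended: bool = False

    def enter_caller_code(self, code: str) -> bool:
        """IVR step: accept only a 6-digit code that was issued in the campaign.
        A valid code fires the Payload Interaction Event and hands the call to the agent."""
        if self.ended or self.employee is not None:
            return False
        if not (len(code) == 6 and code.isdigit()) or code not in self.issued_codes:
            return False
        self.employee = self.issued_codes[code]
        self.events.append(("payload_interaction", self.employee))
        return True

    def answer_verification(self, question: str, answered: bool) -> str:
        """Agent step: each answered question counts toward the compromise threshold.
        Reaching it fires the Employee Compromised Event and ends the conversation."""
        if self.employee is None:
            return "no_session"          # caller never passed the IVR
        if self.ended:
            return "ended"               # awareness message already played
        if question not in VERIFICATION_QUESTIONS:
            return "ignored"
        if answered:
            self.answers += 1
        if self.answers >= ANSWERS_TO_COMPROMISE:
            self.ended = True
            self.events.append(("employee_compromised", self.employee))
            return "play_awareness_message"
        return "continue"
```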
Supported Phone Numbers
CanIPhish has acquired phone numbers in various locations across the world. By default, the phone number selected is based on the storage location set up in your CanIPhish tenant. However, the geographic location of the phone numbers we use for callback phishing campaigns can also be hardcoded. Currently, CanIPhish maintains phone numbers in the following geographic locations:
- United States
- Canada
- Australia
- United Kingdom
- Finland
- Chile
- Israel
- Denmark
Supported Languages
English is the only officially supported and tested language.
That said, the AI Agent is capable of speaking 28 other languages, including: French (European), Spanish (LATAM), Portuguese (Brazilian), Chinese (Mandarin), Arabic, Hindi, Italian, Korean, Dutch, Turkish, Swedish, Indonesian, Filipino, Japanese, Ukrainian, Greek, Czech, Finnish, Romanian, Russian, Danish, Bulgarian, Malay, Slovak, Croatian, Tamil, Polish, and German. Where specified, the AI Agent will attempt to talk in these languages, falling back to English should there be any translation difficulties.
Finding Callback Phishing Templates
Callback Phishing is currently available for all paid subscriptions. To locate Callback Phishing templates in the phishing library, use the filtering options to filter by "Payload Type."
Step 1: Click "Show all emails."
Step 2: Select "Voice Call Compromise (Callback Request)" from the "Payload Type" drop-down menu.
Conversational AI Limitations
Conversational AI, particularly as it relates to real-time voice discussions, is on the bleeding edge of what AI is currently capable of. Because of this, the AI model used to transcribe audio and generate responses may be prone to error. There is a chance that the AI Agent provides nonsensical responses or misinterprets what an employee is saying to it. To help with this, and to help identify false positives, CanIPhish provides audio transcripts, which give administrators a picture of what was said over the course of the conversation. With this transcript, administrators can determine whether the employee did in fact divulge identity verification information.
Note: This evidence can be deleted if any overly sensitive information is shared by an employee.
We're excited to provide this innovative technology to our customers. If you run into any issues, please don't hesitate to contact the CanIPhish support team.