Phishing for Information: Spearphishing Voice

Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.[1]

Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.[2]

Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to tailor pretexts to be even more persuasive and believable for the victim.

ID: T1598.004
Sub-technique of:  T1598
Tactic: Reconnaissance
Platforms: PRE
Version: 1.0
Created: 07 September 2023
Last Modified: 08 September 2023

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[3]


LAPSUS$ has called victims' help desk to convince the support personnel to reset a privileged account’s credentials.[4]


ID Mitigation Description
M1017 User Training

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[5]


ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers.