Advanced Social Engineering Campaign for a Fortune 500 Financial Giant
About Our Client
The Client is a Fortune 500 financial company based in the US and operating globally.
Need for a Tailored Vishing Campaign for BFSI Call Centers
As the Client handles large volumes of sensitive customer data, including financial and personal identification information, it must enforce stringent security measures to protect its systems and ensure data integrity and confidentiality. The Client proactively conducts regular cybersecurity assessments, social engineering training, and phishing campaigns targeting its employees from various departments.
This time, the Client wanted to check the security awareness of its call center staff across its offices in the USA, Asia, and the EU. Owing to ScienceSoft’s proven track record in social engineering simulation, including vishing and phishing testing for BFSI, the Client chose to engage our team for this initiative.
Comprehensive Social Engineering Testing for a Financial Call Center
ScienceSoft’s cybersecurity team designed a social engineering campaign with the following objectives:
- Evaluating how well the call center employees recognize and respond to social engineering threats in realistic attack scenarios.
- Assessing the extent to which call center agents adhere to the Client's established authentication processes when verifying customer identities.
- Avoiding alerting call center employees to the ongoing assessment to measure their actual vigilance levels.
- Ensuring that the assessment does not disrupt real customer interactions or expose any of the sensitive customer data to the testers.
- Identifying vulnerabilities in the current security measures that could be exploited through phishing and vishing.
- Recommending actionable next steps to bolster the Client’s defenses against social engineering attacks.
- Delivering a comprehensive report detailing the testing methodology, findings, and recommended mitigation strategies.
Vishing simulation
To assess the call center’s resilience against vishing attacks, ScienceSoft’s testers designed four vishing scenarios. To make the scenarios more realistic and believable, the team used publicly available information about the company, such as employee names, and built the pretexts around queries common to the Client’s industry vertical. Here are the scenarios with their respective results:
- Impersonating Microsoft support agents. This scenario tests how effectively the call center employees identify and escalate a seemingly legitimate tech support call requesting hardware and Microsoft account information.
- Impersonating customers who forgot their login ID or email. This scenario evaluates whether the call center agents follow the protocol by not disclosing the validity of email addresses provided by an unverified caller. Otherwise, the exposed valid addresses could be used in potential phishing attempts.
- Requesting access to a customer’s financial dashboards or account-related information. The scenario checks that, when asked to reveal sensitive customer information, employees refuse to disclose any details without proper verification.
- Requesting a password reset or a user ID. This scenario tests whether the employees refuse to assist the caller, i.e., ScienceSoft’s tester, without fully verifying their identity.
During the 3-month vishing simulation, ScienceSoft’s team made around 150 calls to the call center employees in the USA, Asia, and the EU. Our testers used Voice over IP (VoIP) technology, rotated phone numbers, and varying time windows to avoid detection.
Phishing simulation
Alongside the vishing testing, ScienceSoft’s team sent emails with fake links to around 200 email addresses according to custom phishing scenarios, including:
- Fake Microsoft service notification. Impersonating an official service is designed to exploit user trust; employees should nevertheless remain vigilant, recognize the email as suspicious, and report it to the IT department.
- Scam emails disguised as a holiday gift card. This low-effort but effective scenario relies on emotional engagement to generate link clicks and entice victims to share personal details. It assesses the employees’ ability to recognize manipulative tactics, remain cautious, and protect themselves from possible follow-up attacks.
Based on the results of the social engineering testing, ScienceSoft created a security awareness training program for the Client’s employees. Rather than offering general training recommendations, the program targeted the specific security weaknesses revealed during the testing.
Reporting
The Client was actively involved throughout the process: each week, ScienceSoft’s team shared testing insights via presentations and call recordings (containing only the tester’s voice, per privacy agreement). The Client participated in reviewing the findings and refining the testing strategy as needed.
Having completed the vishing and phishing testing, ScienceSoft documented the utilized testing methods, scenarios, identified vulnerabilities, and associated security risks in a comprehensive report.
Both assessments highlighted that even trained personnel can fall victim to sophisticated social engineering attacks. To mitigate these risks, ScienceSoft recommended the following measures in the report:
- Training employees following the tailored program to fix the revealed gaps and raise security awareness.
- Performing another round of advanced phishing and vishing testing to assess the success of the training and the effectiveness of the improved incident response procedures.
- Regularly auditing, updating, and enforcing strict verification and authentication processes to prevent the disclosure of sensitive information to unauthorized entities.
- Creating incident response playbooks that establish a transparent process for handling reported phishing or vishing attempts and include guidance on educating affected employees.
- Implementing strong security controls such as advanced email filtering, domain authentication (SPF, DKIM, DMARC), caller identity verification tools, multi-factor authentication (MFA), and AI-based threat detection.
Social Engineering Testing Revealed Gaps in Security Awareness of Financial Call Center Employees
As a result of engaging ScienceSoft for vishing and phishing testing of its call center employees, a US financial giant discovered several security gaps in employee cybersecurity awareness and compliance with identity verification processes. Following simulated phishing attacks against approximately 200 email addresses and 150 vishing calls, the Client received a detailed report on the detected vulnerabilities and the associated risks to its systems and customer data. The report also included remediation recommendations to help the company improve its cybersecurity strategy and raise cybersecurity awareness among its call center agents.
No sensitive data of real financial customers was revealed during the simulation and the testing did not disrupt the regular operations of the call center.
Satisfied with our thorough approach to cybersecurity testing, the Client plans to engage ScienceSoft in future security projects.