The call nobody talks about
The attack call is the one that gets written up in the report. But in James Sheppard's experience, it's rarely the most important call he makes.
The attack call is the one that gets written up in the report. But in James Sheppard's experience, it's rarely the most important call he makes.
The attack call is the one that gets written up in the report. It’s the call where something happens: a credential reset, an MFA bypass, a piece of information that shouldn’t have been shared. That’s the call the client hears about in the debrief, the one that becomes the story.
But it’s rarely the most important call I make.
Before I get anywhere near a target, I make calls that have nothing to do with the engagement objective. I make low-stake reconnaissance calls. I ask questions I already know the answers to. I listen for how people answer the phone, what they call things internally, how they handle a caller they don’t recognize, whether they’re warm or guarded or somewhere in between. It’s rarely what people remember. All of it shapes what happens when it matters.
This is the part of social engineering that rarely gets any atttention, probably because it doesn’t make for a good story. There’s no moment of tension, no clever manoeuvre. It’s just methodical work. But in my experience the outcome of an engagement is largely determined before the approach call starts, by how well I understand the environment I’m about to engage with.
Every organization has its own internal language. Abbreviations, team names, process references, the specific way people describe a common request. These things sound trivial. They aren’t.
When I’m on a call impersonating an internal employee, the difference between sounding like someone who works there and sounding like someone who doesn’t is almost never the pretext itself. It’s the detail. The way I refer to a system. The name I use for a team. Whether I say “service desk” or “IT support” or something else entirely, because that organization has its own term for it and everyone who works there uses it without thinking.
Getting that right requires work before the approach. I’ll make calls to departments nowhere near my actual target, ask routine questions, and listen carefully to how people respond. I’m not extracting information. I’m learning the dialect.
A pretext built on the right language feels native. One built without it has a texture that’s slightly off, and people feel that even when they can’t name it. Their instinct tells them something isn’t quite right. If I’ve done the preparation properly, that instinct never gets triggered.
Preparation isn’t just about what I expect to happen. It’s about building enough context that I can handle what I don’t expect.
Before any vishing engagement I work through escape clauses. If they ask me this, I go here. If that route closes, I have another. If someone asks me something I genuinely can’t answer, I have a way to move past it without the call falling apart. On one engagement, a verification question came up that I hadn’t anticipated: what was my high school mascot. That’s not something you can prepare for directly. What you can prepare for is having enough confidence in the rest of your pretext that one unexpected question doesn’t derail you. You pick an answer, you deliver it with the same calm you’ve had throughout the call, and you keep moving.
That’s not improvisation. It’s what thorough preparation makes possible.
There’s a version of social engineering that exists in films and people’s imaginations: high pressure, dramatic, built on urgency and fear. In my experience, the opposite is true. The calls that work are the ones that feel completely routine to the person on the other end.
I’m not trying to create pressure. I’m trying to slot into a workflow so naturally that no flag ever gets raised. A service desk processes password resets all day. If my call feels like every other password reset request, the person handling it isn’t reacting to something that feels unusual – they’re following a familiar process. The moment a call feels unusual, I’ve made my job harder.
This is why the preparation matters as much as the execution. If I’ve done the work, the call sounds like it belongs. The language is right, the context makes sense, the request fits the kind of thing that happens in that organization on a normal day. I’m not performing a character. I’m reflecting the environment back at itself.
The calls your people will remember are the attack calls. The ones that shaped those calls happened earlier, and they were quiet, and they looked like nothing.
That’s where the work gets done.
James Sheppard is a social engineer at CovertSwarm. His background in high-pressure operational environments shaped an approach to SE that is methodical, precise, and built around preparation. He specializes in vishing, physical infiltration, and pretext development.
Humans In The Loop: The Non-Negotiable In Offensive Security
AI and automation have transformed offensive security, but not replaced human ingenuity. Luke Potter explains why real attackers, and real defenders, still need humans in the…
AI voice impersonation: voice-based authentication just got owned
Does the voice you recognize at the end of the phone really belong to the person you think it is? Find out what AI voice impersonation…
AI guardrails will always fail. NIST just proved it mathematically.
NIST scientist Apostol Vassilev has published a mathematical proof that no finite set of AI guardrails is universally robust against adversarial prompts. Not as a risk…