Incident-as-a-Service
SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks
The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.
- Security Analyst / SOC Analyst: To develop advanced detection rules for social engineering lures and improve incident triage and response procedures for vishing incidents.
- IT Help Desk Manager / Administrator: To understand the specific tactics used against help desk functions, implement verification protocols, and train staff to recognise and resist social engineering attempts.
- Information Security Manager / CISO: To assess organisational vulnerability to similar campaigns, justify security awareness investments to leadership, and ensure controls map to key compliance obligations like NIS2 and GDPR.
30-day guarantee. Instant access after payment. Lifetime updates for this incident package.
How This Course Is Structured
Clear progression from incident context to practical controls and role-specific action steps.
1. Incident Breakdown
Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.
2. Defensive Controls
Actions your team can implement in the same 48-hour response window used by active security teams.
3. Evidence & Reporting
Completion records and learning outcomes packaged for governance, insurance, and audit workflows.
Course Outline
4 modules · 16 lessons · ~192 min total
Module 1: Threat Intelligence
Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.
Module 2: Detection and Response
Practical detection strategies using SIEM, endpoint analysis, and incident response procedures. Build effective playbooks.
Module 3: Infrastructure Hardening
Implement defensive controls including authentication hardening, zero trust principles, and secure architecture patterns.
Module 4: Organisational Readiness
Build security culture, communicate with leadership, manage vendor risks, and ensure compliance integration.
Free Sample Lesson
Read one full lesson before purchasing. No signup required.
SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks Deep Dive
Lesson 1 of 16
Lesson 1.1: SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks Deep Dive
Compliance Framework Mapping
| Framework | Control | Requirement |
|---|---|---|
| DORA | Article 5-17 | ICT risk management framework requirements |
| ISO 27001 | A.5.1 | Management direction for information security |
| NIST CSF | PR.AT-5 | Physical and cybersecurity personnel are trained to perform their duties |
| NIS2 | Article 21 | Security risk management measures for network and information systems |
| SOC 2 | CC1.1 | The entity demonstrates commitment to integrity and ethical values |
| GDPR | Article 32 | Security of processing |
Introduction
Welcome to Lesson 1.1: SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks Deep Dive! Over the next 45 minutes, we will explore a sophisticated social engineering campaign that targets human psychology and organisational processes, not just technology.
But first, let me tell you about Priya Sharma.
It's 2:15 PM on a Tuesday in October. Priya Sharma, a senior IT help desk analyst at a financial services firm in London, is reviewing a backlog of password reset tickets. The office hums with the low murmur of colleagues and the faint smell of coffee. Her phone, set to vibrate, buzzes against the desk.
The caller ID shows an internal extension. A woman's voice, calm and professional, introduces herself as 'Anya from HR.' She explains there's an urgent issue with the new joiner system for the Edinburgh office; several new accounts are locked out, and managers can't access critical onboarding documents. She sounds flustered, apologising for the direct call but says the ticket system is 'acting up.'
Priya, wanting to help, pulls up the admin console. 'Anya' provides the names. Priya resets the first password. 'Anya' asks her to read it out so she can relay it directly to the waiting manager. A small alarm rings in Priya's mind about policy, but the caller's plausible stress and the internal number override it. She reads out the temporary password.
This is the story of a vishing attack. By the end of this lesson, you'll understand exactly why Priya never stood a chance, and more importantly, what could have saved her.
Content Section 1: The Anatomy of a Targeted Vishing Operation
Think of this not as a random scam call, but as a well-resourced business operation with a clear recruitment strategy, performance incentives, and a focus on high-value targets.
The Recruitment and Incentive Model
This campaign, tracked under the name 'SLH', specifically recruits women to make the vishing calls. Research suggests this is a deliberate choice to exploit perceived stereotypes of trustworthiness and to lower the target's guard during what is framed as an internal administrative call.
The financial incentive is significant and performance-based. Callers are offered between $500 and $1,000 per successful call. This isn't a flat fee; it's a bounty. This structure creates a powerful driver for the caller to be persuasive, to handle objections, and to see the interaction through to a successful credential compromise.
The implication is a professionalised threat. The caller is motivated, likely coached on scripts and objection handling, and is financially invested in your employee's failure. They are not amateurs; they are commissioned social engineers.
The Strategic Target: IT Help Desks
The choice of IT help desk as the target is not accidental. It's a strategic chokepoint. Help desk staff are trained to be helpful, to solve problems quickly, and often operate under pressure to reduce call times. Their systems hold the keys to the kingdom – the ability to reset passwords and potentially modify access.
By masquerading as an internal colleague from a trusted department like HR, and fabricating a plausible, time-sensitive crisis (like onboarding issues), the attacker bypasses technological defences entirely. The attack surface is the organisation's phone directory, its internal trust, and the human desire to assist a colleague in a bind.
Think about that last point for a moment. Your help desk analyst, following a tedious procedure, is up against a motivated individual for whom that single call could be worth a month's rent. The asymmetry of motivation is staggering.
DORA Article 5-17: DORA's ICT risk management framework requires financial entities to identify, assess, and manage all ICT risks, including those stemming from social engineering targeting critical operational staff like IT help desks.
ISO A.5.1: ISO 27001 A.5.1 mandates that management provides clear direction and support for information security. This includes establishing policies that address social engineering risks and ensuring all personnel, including support staff, understand their roles in following them.
Content Section 2: The Attack Flow: How the Illusion is Built
Understanding the step-by-step process reveals why it's so effective. Let me show you exactly how Priya was compromised.
Step-by-Step Compromise
Step 1: Intelligence Gathering. Attackers research the target organisation. They find names, departmental structures (like HR), and internal phone extensions. This data can come from LinkedIn, company websites, or even accidental disclosures.
Step 2: Spoofing and Establishment of Trust. The call arrives from a spoofed internal number. The caller uses a calm, professional tone and name-drops a credible department (HR). They immediately introduce a plausible, urgent work crisis – 'new joiner accounts are locked.' This frames the call as a collaborative effort to solve a business problem.
Step 3: The Bypass. The caller provides a reason to bypass official channels ('the ticket system is down'). This creates a shared 'us against the problem' dynamic and applies subtle pressure to act now, outside normal procedure.
Step 4: The Ask and Objection Handling. The request is for a password reset. If the help desk analyst hesitates or cites policy, the caller is prepared. They might express understanding, then escalate the perceived urgency ('The head of department is waiting on this'). Their script is designed to navigate these objections.
The Social Engineering Toolkit
The tools here are psychological, not software. They include urgency (a time-sensitive problem), authority (posing as a trusted internal department), and social proof (the implication that others, like a 'waiting manager,' are relying on this).
The use of a female recruiter and caller is another tool. While we must avoid stereotypes, threat actors are not ethical; they exploit perceived biases. Industry data indicates that some social engineering operators believe a female voice may be perceived as less threatening and more trustworthy in certain administrative scenarios, making the initial engagement smoother.
Why Traditional Technical Defences Fail
This attack operates in a layer most technical controls don't monitor effectively. Here's how common defences are bypassed:
| Defence Method | How It's Bypassed | Time to Bypass |
|---|---|---|
| Email Filtering & Anti-Phishing Gateways | The attack vector is a voice call, not email. These systems never see it. | Instant |
| Endpoint Detection & Response (EDR) | No malicious file is executed. The user voluntarily performs a legitimate action (password reset). | Instant |
| Network Firewalls & IPS | The communication is a standard voice call, potentially over VoIP, indistinguishable from legitimate traffic. | Instant |
| Multi-Factor Authentication (MFA) | If the help desk resets a password, the attacker can trigger a password reset flow or attempt a login immediately before the user is aware, potentially intercepting MFA prompts if other weaknesses exist. | Minutes |
Notice what all of these methods have in common. They are designed to stop malicious *code* or *unauthorised access*. This attack uses authorised actions performed by a legitimate user under manipulation. The weakest link is the process and the human following it.
Now pay attention, because this is the moment that policy is defeated by perceived social obligation. This is the moment where the attacker's fabricated 'emergency' becomes more real to your employee than the security policy on their screen.
NIST PR.AT-5: NIST CSF PR.AT-5 requires that physical and cybersecurity personnel are trained to perform their duties. This lesson directly provides the knowledge required for IT help desk personnel to recognise and resist social engineering attempts, fulfilling this training requirement.
NIS2 Article 21: NIS2 Article 21 mandates security risk management measures. This includes implementing policies, training, and technical measures to manage risks from social engineering, such as the vishing attacks detailed here.
Content Section 3: Building Human and Process Defences
Priya's computer knew nothing was wrong. It was her process that failed. Effective defence requires changes to how people work, not just what software they run.
Process-Level Controls: Verifying the Unverifiable
The fundamental control is a strict, non-bypassable verification ritual for all high-privilege actions. A password reset is a high-privilege action. The rule must be: Never perform the action based on a single inbound request.
Implement a call-back procedure. If a request comes in, the help desk analyst must terminate the call and call back the requester using an official number from a verified internal directory (not the number provided by the caller). This simple step breaks the attacker's spell of urgency and tests the legitimacy of the contact point.
Another control is mandatory ticket creation *before* action. No work item, no action. The system itself should enforce this workflow. The excuse 'the system is down' should be met with 'then we cannot proceed until it is up, as per policy.'
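The two process controls above can be enforced by the reset tooling itself rather than left to the analyst's judgement under pressure. The following is an added example, not part of the course material: a workflow guard that refuses a password reset unless an open ticket already exists for that exact request and the analyst has called the requester back on the number held in the verified internal directory. The directory, ticket store, request fields and extension numbers are all constructed for illustration.

```python
"""Workflow guard for the two process controls above: a password reset is
refused unless an open ticket already exists for it and the requester was
called back on the number held in the verified internal directory, never
the number the caller supplied. Added example, not course material; the
directory, ticket store and request fields are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed verified internal directory: requester identity -> official extension
DIRECTORY = {"hr.desk@corp.example": "x4400", "anya.k@corp.example": "x4410"}

# Constructed ticket store: ticket id -> (requester, target user, status)
TICKETS = {"INC-2001": ("hr.desk@corp.example", "j.morgan", "open")}


@dataclass
class ResetRequest:
    requester: str                         # identity the caller claims
    target_user: str                       # account the caller wants reset
    caller_supplied_number: str            # caller ID shown / number the caller gave
    ticket_id: Optional[str] = None        # must exist BEFORE the action
    callback_number: Optional[str] = None  # number the analyst actually dialled back


def authorise_reset(req: ResetRequest, tickets=TICKETS, directory=DIRECTORY) -> Tuple[bool, str]:
    """Return (allowed, reason). Each refusal names the control that blocked it,
    giving the analyst a policy-backed sentence to say to the caller."""
    if req.ticket_id is None:
        return False, "no ticket: a work item must exist before any action"
    ticket = tickets.get(req.ticket_id)
    if ticket is None or ticket[2] != "open":
        return False, f"ticket {req.ticket_id} is missing or not open"
    if (ticket[0], ticket[1]) != (req.requester, req.target_user):
        return False, "ticket does not match the requester/target on this call"
    official = directory.get(req.requester)
    if official is None:
        return False, "requester is not in the verified internal directory"
    if req.callback_number is None:
        return False, "call-back not performed: terminate and dial the directory number"
    if req.callback_number != official:
        if req.callback_number == req.caller_supplied_number:
            return False, "call-back used the caller-supplied number, not the directory"
        return False, "call-back number does not match the verified directory"
    return True, "verified: open ticket and call-back on the directory number"


if __name__ == "__main__":
    # Priya's call as described in the lesson: internal-looking caller ID, no ticket, no call-back
    print(authorise_reset(ResetRequest("anya.k@corp.example", "j.morgan", "x4410")))
```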
Training for the Moment of Doubt
Training must move beyond 'don't click links.' It must equip staff, especially help desk, with practised responses for high-pressure social engineering. Role-play scenarios exactly like this one.
Empower employees with a script of their own. Teach them phrases like, 'I understand the urgency. Our security policy requires that I create a ticket first or call you back on the official HR line. Let me do that now.' This gives them a polite, policy-backed exit from the conversation without having to invent one under pressure.
Technical Signals and Monitoring
While the primary attack bypasses tech, monitoring can catch the aftermath. Look for clusters of password resets for users from a single help desk analyst account in a short time, especially if followed by anomalous login attempts from new locations.
Monitor for help desk tickets that are closed immediately after creation or marked 'resolved' with very short durations, which could indicate an action was taken without proper ticket logging. User and Entity Behaviour Analytics (UEBA) can help baseline normal help desk activity and flag deviations.
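The three signals just described can be turned into detection logic over an identity and ticketing audit trail. The following is an added example, not part of the course material: it flags a burst of password resets by one analyst account, a post-reset login for an affected user from a location never seen for that user before, and tickets closed within seconds of being opened. The event schema, field names, usernames and sample audit lines are constructed for illustration.

```python
"""Detection for the signals the lesson lists: reset bursts by one analyst,
a post-reset login from a never-seen location, and tickets closed seconds
after opening. Added example, not course material; event schema, field
names and sample audit lines are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: (timestamp, event, actor, subject, extra)
EVENTS = [
    ("2024-10-15T09:02:11", "login", "j.morgan", "j.morgan", "geo=GB"),
    ("2024-10-15T11:00:00", "ticket_open", "helpdesk.tlee", "INC-1001", ""),
    ("2024-10-15T11:40:00", "ticket_close", "helpdesk.tlee", "INC-1001", ""),
    ("2024-10-15T14:16:02", "password_reset", "helpdesk.psharma", "j.morgan", ""),
    ("2024-10-15T14:17:40", "password_reset", "helpdesk.psharma", "a.reid", ""),
    ("2024-10-15T14:19:05", "password_reset", "helpdesk.psharma", "c.hughes", ""),
    ("2024-10-15T14:21:30", "login", "j.morgan", "j.morgan", "geo=NG"),
    ("2024-10-15T14:25:00", "ticket_open", "helpdesk.psharma", "INC-1007", ""),
    ("2024-10-15T14:25:20", "ticket_close", "helpdesk.psharma", "INC-1007", ""),
]

def _parse(events):
    """Sort events chronologically with the timestamp turned into a datetime."""
    rows = [(datetime.fromisoformat(ts), ev, a, s, x) for ts, ev, a, s, x in events]
    return sorted(rows, key=lambda r: r[0])

def reset_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Map analyst -> [(time, target_user), ...] for analysts who performed at
    least `threshold` resets inside a single `window`."""
    per_analyst = defaultdict(list)
    for ts, ev, actor, subj, _ in _parse(events):
        if ev == "password_reset":
            per_analyst[actor].append((ts, subj))
    bursts = {}
    for actor, items in per_analyst.items():
        for i in range(len(items) - threshold + 1):
            inside = [it for it in items[i:] if it[0] - items[i][0] <= window]
            if len(inside) >= threshold:
                bursts[actor] = inside
                break
    return bursts

def novel_location_logins(events, bursts):
    """[(user, iso_time, geo)] for logins after a burst reset from a geo never seen for that user."""
    reset_at = {user: ts for items in bursts.values() for ts, user in items}
    seen = defaultdict(set)
    hits = []
    for ts, ev, _actor, subj, extra in _parse(events):
        if ev != "login":
            continue
        geo = extra.split("geo=", 1)[-1]
        if subj in reset_at and ts >= reset_at[subj] and geo not in seen[subj]:
            hits.append((subj, ts.isoformat(), geo))
        seen[subj].add(geo)
    return hits

def quick_closed_tickets(events, max_seconds=60):
    """Tickets closed within `max_seconds` of being opened, which may mean the
    ticket was created after the fact to paper over an action already taken."""
    opened, hits = {}, []
    for ts, ev, actor, subj, _ in _parse(events):
        if ev == "ticket_open":
            opened[subj] = ts
        elif ev == "ticket_close" and subj in opened:
            age = int((ts - opened[subj]).total_seconds())
            if age <= max_seconds:
                hits.append((subj, actor, age))
    return hits
```

The thresholds (three resets in ten minutes, tickets closed within sixty seconds) are assumptions to be tuned against your own help desk's baseline, which is where UEBA tooling earns its place.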
SOC 2 CC1.1: SOC 2 CC1.1 evaluates the entity's commitment to integrity and ethical values. Implementing and enforcing strong verification processes for help desk operations, even under pressure, demonstrates this commitment operationally.
GDPR Article 32: GDPR Article 32 requires appropriate technical and organisational measures to ensure security of processing. The procedural controls and training outlined here are key organisational measures to prevent unauthorised access to personal data via credential compromise.
Activity: Help Desk Process Stress Test
This activity will help you evaluate your organisation's resilience to a targeted vishing attack against your IT help desk.
Important Security Note: This is a planning and discussion exercise. Do NOT perform any live testing or simulated phishing/vishing against your colleagues or help desk without explicit, written authorisation from your security leadership and relevant management. Unauthorised testing can cause disruption, violate policy, and damage trust.
Instructions
Step 1: Map your current help desk process for a standard password reset requested via phone. Document each step from the initial call to resolution. Note any verification steps.
Step 2: Identify the decision points. At which exact step could an analyst choose to bypass the official process? What pressure (time, caller authority, problem urgency) might justify that bypass in their mind?
Step 3: Review your help desk security training materials. Do they include specific, rehearsed guidance for handling suspicious phone requests that pressure them to bypass policy?
Step 4: Draft a revised procedure or a 'script' for help desk analysts. It should include the mandatory call-back verification step and a polite, standard phrase to use if a caller objects to procedure.
Submission
For the course discussion forum, share general learnings only:
- What was the most surprising gap or decision point you identified in your process map?
- What single change to procedure or training do you think would have the biggest impact on resilience?
- What was the biggest challenge in creating a workable, polite 'script' for analysts to use under pressure?
Do NOT share your organisation's specific internal procedures, system names, contact details, or any identified security gaps in a public forum.
Review and comment on at least two other students' submissions, focusing on the feasibility and clarity of their proposed procedural improvements.
Content Section 4: Documenting Your Defence for Compliance
Compliance isn't about ticking boxes; it's about proving you've thought about the risks and taken sensible steps. The work you've done in this lesson is evidence.
Evidence Generation
This lesson provides documentation for multiple compliance frameworks:
For DORA Article 5-17 auditors: you can now demonstrate that you have identified social engineering targeting critical ICT staff as a key risk and have trained personnel (via this lesson) as part of your ICT risk management framework.
For ISO 27001 A.5.1 assessors: you can evidence management direction for information security by showing this training has been deployed to relevant staff to address the specific threat of vishing, as part of control A.5.1 on management support.
For NIST CSF PR.AT-5 reviewers: you can show that your cybersecurity personnel (including help desk staff) have completed targeted training on sophisticated social engineering, directly supporting the PR.AT-5 requirement for trained personnel.
Audit Trail
Document your completion of this lesson:
- Lesson title and date completed
- Time invested: approximately 45 minutes
- Key learnings in your own words
- Activity submission reference
- Follow-up actions identified (e.g., review help desk procedures)
Conclusion
Let me tell you how Priya's story ended.
The credentials she reset were for a senior accountant's account. The attackers logged in within minutes, initiated several large, fraudulent wire transfers to overseas accounts, and then covered their tracks. The financial loss was substantial. Priya was not fired, but she was moved off the help desk. The incident followed her, a quiet shadow on her career.
Six months later, the organisation implemented a strict call-back verification policy for all password resets. They also introduced mandatory quarterly, realistic social engineering drills for the help desk team. The new policy was unpopular at first, seen as slowing things down. But after the first drill where nearly everyone failed, its importance became painfully clear.
But it doesn't have to be your story. That's why we're here.
You should now understand the business model behind sophisticated vishing campaigns. You understand how they bypass technical controls by targeting human psychology and process gaps. You know the critical importance of a non-bypassable verification ritual for privileged actions. And you understand how to document this knowledge for both operational improvement and compliance evidence.
Next, we'll explore Lesson 1.2: The Infrastructure of Deception: Call Spoofing, VoIP Gateways, and Burner Numbers. We'll look at the technical backbone that makes these calls seem so legitimate, and how you can detect the fingerprints of this infrastructure.
See you there.
Key Takeaways
1. The Professionalised Threat: Campaigns like SLH operate on a business model, using performance-based bounties ($500-$1,000 per call) to recruit and motivate social engineers, creating a highly determined adversary.
2. The Process is the Target: These attacks are designed to exploit and bypass organisational processes, not just technology, by creating a false narrative of urgency that makes breaking procedure seem like the right thing to do.
3. The Critical Control: Verification: The most effective defence is a mandatory, non-negotiable call-back verification ritual using a pre-verified contact method, which breaks the attacker's control of the interaction.
4. Training for Pressure: Effective training must provide staff, especially help desk, with pre-rehearsed scripts and responses to use when under social pressure, empowering them to enforce policy politely and confidently.
Resources
The course materials folder contains downloadable resources for this lesson:
- Lesson 1.1 Quick Reference Card - Summarise the key detection indicators (e.g., clusters of password resets, tickets closed too quickly) and immediate response steps for a suspected SLH-style vishing attack on a single page.
- Compliance Mapping Worksheet - Map your organisation's vishing and social engineering controls to the specific DORA, ISO 27001, NIST CSF, NIS2, SOC 2, and GDPR framework requirements covered in this lesson.
- Risk Assessment Template - Assess your organisation's specific exposure to IT help desk vishing threats based on the SLH attack vectors, caller incentives, and process gaps covered in this lesson.
- Further reading - Links to official framework documentation (NIST, ISO) and threat intelligence sharing sources for tracking social engineering and vishing campaign trends.
SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026
This is 1 of 16 lessons included in the full package.
Choose Your Access
All plans include 30-day money-back guarantee
Taster
Single course access — ideal for trying us out
- Full course access
- Completion certificate
- Try before you commit
Standard
Full course with materials and certificate
- Full course access
- Downloadable materials
- Professional certificate
- Email support
Teams
Transparent pricing, no sales call required
Starter Team
£99.80/seat effective
Up to 5 learners, all courses included
Growth Team
£66.60/seat effective
Up to 15 learners, all courses included
Scale Team
£39.98/seat effective
Up to 50 learners, all courses included
Need 50+ seats? Contact us for a custom plan.
Fast Checkout
Start Learning in Minutes
Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.
- Stripe-secured payment and delivery workflow
- Audit-friendly completion records
- Escalate to enterprise volume licensing at any point
48-Hour Relevance Guarantee
If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.
Secure checkout
Not ready to purchase? Create a free account to browse and track progress.