●  Social Engineering
▲  Critical Infrastructure
Energy Sector
United States
One Phone Call Away From a $100M+ Breach
How Digiss exposed a critical gap in human-layer security at a major U.S. energy company, gaining C-suite access in seconds using nothing but a phone and a script.
75%
Attack success rate across all test calls
6
C-suite and executive targets in scope
3
Accounts compromised before the client halted the exercise
0
Technical exploits used; humans were the only attack surface
BACKGROUND
The MGM Wake-Up Call That Prompted This Engagement
In September 2023, a vishing attack against MGM Resorts cost the company over $100 million in losses - all triggered by a ten-minute phone call to IT support. The attackers impersonated an employee, manipulated a helpdesk agent, and walked straight through the front door.
Our client, a major U.S. energy company providing land drilling, pressure pumping, directional drilling, and rental technology services, recognized the parallel risk immediately. They engaged Digiss to answer a critical question: could the same attack work against their organization?
The answer, we would discover, was yes, repeatedly.
The MGM Precedent
$100M+
Lost by MGM Resorts following a single vishing call to their IT helpdesk in September 2023
The Attack Vector
Vishing (voice phishing) requires no malware, no zero-day exploit, and no technical sophistication - only a convincing voice and a target without adequate training.
Why It Works
Helpdesk agents are trained to be helpful, which adversaries weaponize. Urgency, authority, and familiarity are the three levers every social engineer pulls.
Scope of Engagement
Six High-Value Impersonation Targets
Digiss engineers were authorized to impersonate the following executives, each representing a high-authority identity that helpdesk staff would be under significant social pressure to assist without verification.
Chief Executive Officer
CEO
Chief Financial Officer
CFO
Chief Operating Officer
COO
Chief Information Officer
CIO
Chief Human Resources Officer
CHRO
EVP of Legal
Executive Vice President
Following the executive phase, Digiss was directed to target three mid-level managers. The exercise was halted after two of those three tests succeeded, bringing the overall success rate to 75% and triggering an immediate risk escalation by the client.
Methodology
The Anatomy of a Successful Vishing Call
Each test adhered to a straightforward strategy, intentionally kept basic to illustrate that even simple social engineering tactics can succeed when organizations depend on human helpfulness instead of verified identity protocols.
Digiss engineers called the company's support line, identified themselves as the targeted executive, reported a locked account, and requested an immediate password reset, directing the reset to an unregistered external email address by claiming the primary account had been compromised.
No technical intrusion. No malware. No special tooling. Just a phone call.
Called the published internal IT support line
Impersonated target executive by name, title, and email
Reported account lockout due to failed login attempts, claimed primary email was hacked, and requested a password reset to Gmail.
In 3 of 4 executive tests: agent called back, reset password, and read it aloud
Attacker Script — Used Verbatim
“Hi, my name is [Executive Name], I am the [Title]. My email address is [name@company.com]. I think I may have locked myself out of my email after multiple unsuccessful login attempts. Could you please reset my password and either read the temporary password to me over the phone, or send it to my Gmail account? The primary email I have on file appears to have been compromised, so it cannot be trusted at this point.”
Why this script works
It combines three social engineering triggers simultaneously: authority (C-suite identity), urgency (locked out, can't work), and plausible explanation (account already hacked). Each element reduces the agent's resistance to compliance.
Key Findings
What Happened, Call by Call
✕  Failed Attempt — EVP of Legal
The One Agent Who Did the Right Thing
Takeaway: This agent's instinct to pause and verify instead of complying under pressure represents exactly the behavior security awareness training should reinforce across the organization. It was the exception, not the rule.
✓  Successful Attempts — CFO + 2 Managers
C-Suite Access. Delivered Over the Phone.
Critical detail: The callback model, where a different agent calls back, did not improve security. The original unverified claim was simply passed along with the ticket, and the second agent acted on it without re-verification.
Exercise Outcome
75%
success rate
3 of 4 completed tests succeeded
1 failed (EVP of Legal)
Exercise halted after
4 tests
at client's request
Security Findings
Root Causes Identified
The 75% success rate was not a failure of technology. Every vulnerability exploited in this engagement was human. These are the systemic gaps Digiss identified.
01
No Caller Identity Verification Protocol
Helpdesk agents had no structured process to verify the identity of callers claiming to be executives. Name and title alone were sufficient to trigger action.
02
Passwords Delivered Over Voice Channels
Agents read temporary passwords aloud on phone calls, a practice that should be categorically prohibited regardless of caller identity.
03
Callback Model Created False Security
The two-step support ticket and callback process gave the appearance of a control without providing one. Unverified claims were simply inherited by the callback agent.
04
External Email Reset Was Uncontested
Agents accepted requests to send or read credentials to unregistered Gmail addresses, a clear indicator of account takeover that went unrecognized.
05
No Security Awareness Training for Helpdesk
Helpdesk staff lacked training in social engineering scenarios relevant to their roles, making them prime targets in potential attacks.
What Digiss Did NOT Use
Malware or exploits
Phishing emails or fake portals
Network intrusion techniques
Insider access or privileged information
Voice spoofing or deepfake audio
Every test succeeded using only publicly available information and a convincing telephone persona.
This is the nature of social engineering risk, and why it demands a dedicated response.
Real-World Equivalent
Remediation Outcomes
From Vulnerability to Resilience
Following Digiss's report and recommendations, the client implemented a structured remediation plan. These three actions directly addressed the root causes identified during the assessment.
01
Abuse and Misuse Cases Built Into the Support Workflow
The self-service process flow was redesigned to include explicit social engineering scenarios. Helpdesk agents were trained to recognize authority-based manipulation, unsolicited account claims, and requests to redirect credentials to unregistered email addresses. These scenarios are now part of mandatory onboarding and periodic refresher training.
02
Zero-Tolerance Policy on Voice-Delivered Credentials
A formal, enterprise-wide policy was issued prohibiting helpdesk staff from disclosing passwords, temporary credentials, or reset links over the phone under any circumstances. The policy was communicated with clear consequence framing, stating that agents who violate it face disciplinary action up to and including termination, ensuring the message carried organizational weight.
03
Ongoing Internal Vishing Drill Program
The organization initiated a regular internal drill program to consistently evaluate helpdesk staff in realistic scenarios. Instead of a single assessment, the client now views social engineering preparedness as an ongoing practice, conducting both scheduled and surprise vishing simulations to maintain awareness and prevent complacency.
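The root causes above (no caller verification, credentials read over voice, a callback that inherits an unverified claim, and uncontested redirection to an unregistered address) and the remediation policy that followed can be expressed as a single decision rule in the helpdesk workflow. The following is an added illustration, not Digiss's or the client's code: the directory entries, ticket identifiers and field names are constructed for the example, and the verification criteria (callback to the registered number plus an MFA challenge) are an assumed baseline rather than anything the case study specifies.

```python
"""Helpdesk password-reset policy check modelled on the findings above.

Added example, not the engagement's own tooling. The directory, ticket
fields and verification criteria are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Channel(Enum):
    VOICE = "voice"                        # temporary password read aloud
    EXTERNAL_EMAIL = "external_email"      # address not registered to account
    REGISTERED_EMAIL = "registered_email"
    SELF_SERVICE = "self_service_portal"


@dataclass
class Verification:
    """Proof of identity gathered on THIS ticket. A claim carried over from
    an earlier ticket is not a verification (finding 03)."""
    ticket_id: str
    callback_to_registered_number: bool
    mfa_challenge_passed: bool


@dataclass
class ResetRequest:
    ticket_id: str
    claimed_user: str                      # identity asserted by the caller
    delivery_channel: Channel
    delivery_address: Optional[str] = None
    caller_says_primary_compromised: bool = False
    verification: Optional[Verification] = None


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    escalate: bool = False                 # route to the security team


# Constructed directory of registered contact points per account.
DIRECTORY = {
    "cfo@example.com": {"phone": "+1-555-0100", "emails": {"cfo@example.com"}},
}


def evaluate_reset_request(req: ResetRequest) -> Decision:
    d = Decision(allowed=True)
    account = DIRECTORY.get(req.claimed_user)
    if account is None:
        return Decision(allowed=False, reasons=["unknown account"])

    # Finding 02 / remediation 02: credentials are never delivered by voice.
    if req.delivery_channel is Channel.VOICE:
        d.allowed = False
        d.reasons.append("credentials may not be read over the phone")

    # Finding 04: a reset redirected to an unregistered address is an
    # account-takeover indicator, so it is refused and escalated.
    if req.delivery_channel is Channel.EXTERNAL_EMAIL or (
        req.delivery_address and req.delivery_address not in account["emails"]
    ):
        d.allowed = False
        d.escalate = True
        d.reasons.append("delivery address is not registered to the account")

    # Findings 01 / 03: identity must be verified on this ticket; a callback
    # agent may not act on a claim inherited from the first call.
    v = req.verification
    if v is None or v.ticket_id != req.ticket_id:
        d.allowed = False
        d.reasons.append("no identity verification performed on this ticket")
    elif not (v.callback_to_registered_number and v.mfa_challenge_passed):
        d.allowed = False
        d.reasons.append("identity verification incomplete")

    # Remediation 01: the 'primary mailbox was hacked' pretext is a trained
    # trigger that routes the ticket to security rather than to a reset.
    if req.caller_says_primary_compromised:
        d.escalate = True
        d.reasons.append("caller reports compromised mailbox: route to security")
    return d


def vishing_scenario() -> Decision:
    """The request pattern from this case study: name and title, lockout
    story, reset to a Gmail address, no verification."""
    return evaluate_reset_request(ResetRequest(
        ticket_id="T-1001", claimed_user="cfo@example.com",
        delivery_channel=Channel.EXTERNAL_EMAIL,
        delivery_address="cfo.personal@gmail.com",
        caller_says_primary_compromised=True))


def inherited_claim_scenario() -> Decision:
    """Callback agent relying on verification recorded on a different ticket."""
    return evaluate_reset_request(ResetRequest(
        ticket_id="T-1002", claimed_user="cfo@example.com",
        delivery_channel=Channel.REGISTERED_EMAIL, delivery_address="cfo@example.com",
        verification=Verification("T-1001", True, True)))


def legitimate_scenario() -> Decision:
    """Verified on the current ticket, delivered to the registered mailbox."""
    return evaluate_reset_request(ResetRequest(
        ticket_id="T-1003", claimed_user="cfo@example.com",
        delivery_channel=Channel.REGISTERED_EMAIL, delivery_address="cfo@example.com",
        verification=Verification("T-1003", True, True)))


if __name__ == "__main__":
    for fn in (vishing_scenario, inherited_claim_scenario, legitimate_scenario):
        print(fn.__name__, fn())
```

The check deliberately records every failed rule rather than stopping at the first, so a ticket that trips several indicators (external address, no verification, "my mailbox was hacked") is visible to the security team as a likely vishing attempt rather than a single policy miss; the inherited-claim case shows why the callback step alone added nothing in the engagement.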
Your Organization Could Be Next
Find Out If Your Helpdesk Would Let an Attacker In
We achieved a 75% success rate at a Fortune-class energy company using only a phone call. Digiss can conduct the same evaluation for your organization before a real attacker strikes.
Talk to Our Team
Engagements are fully scoped, authorized, and handled with discretion. All findings remain confidential.