Run the vishing session
The vishing session applies the same principle as the phishing session to phone-based social engineering. Participants make the calls before they receive them. The experience of working through a pretext, handling hesitation from the person on the other end, and discovering what actually produces compliance is not available from a presentation about what vishing sounds like.
The session runs for approximately two hours. It is more uncomfortable than the phishing session, because voice interaction is more personal than email. That discomfort is part of the learning. A participant who has felt the difficulty of maintaining a false pretext under questioning is better prepared to recognise the same technique when it arrives in the other direction.
Room setup
A dedicated landline or VoIP number for the session, answered in the room by the designated responder. Use an extension that rings audibly in the session space, or route calls through a speakerphone visible to the room.
Caller workstations: one per participant or pair. Each has a scenario card and a phone or softphone application. Participants do not use their personal mobiles.
A whiteboard or shared note visible to the room logging what each caller attempted and what response they received.
The facilitator has a separate handset and can monitor the call without being heard.
What participants are given
A scenario card describing:
Their claimed identity: a role, a name, an organisation. Examples: an IT helpdesk technician from the Home’s managed services provider; a caller from the Guild of Tax Collectors following up on a gift aid submission query; a new volunteer on their first day who needs someone to let them into the system remotely because their account is not working.
Their objective: what they are trying to obtain. A password reset. Confirmation of a named staff member’s email address. Access to a shared system. A callback number that will be used for a follow-up call.
Background context: the Home’s name, the responder’s known role, and two or three pieces of publicly available information the caller might plausibly know.
The facilitator prepares the scenario cards before the session using current threat intelligence on vishing pretexts observed in the non-profit sector. Participants do not write their own scenarios. The pretext is given; the execution is theirs.
The responder role
One participant at a time plays the responder. They sit separately from the group, ideally in an adjacent room or with headphones, and answer the phone as a Home staff member would answer it during a normal working day. They are told only that they will receive calls from unknown callers during the session.
The responder rotates every thirty minutes. The rotation is announced to the room but not to the responder.
Timing
The session runs for approximately two hours.
20 minutes: introduction and threat intelligence briefing. What vishing looks like in the non-profit sector currently, the pretexts in active use, and the social engineering techniques that make them effective. Keep this specific: a real example of a vishing call targeting a charity finance team, the pretext used, what was obtained. Then distribute scenario cards and begin.
60 minutes: live exercise. Callers work through their scenarios in sequence, each taking approximately five minutes per call. The room watches the whiteboard accumulate.
15 minutes: mid-session review. Pause and examine what worked, what the responder noticed, and what adjustments the callers want to make.
25 minutes: debrief.
Facilitator actions before the session starts
Prepare scenario cards. Three or four distinct pretexts, each grounded in a plausible Home operational context: IT support, finance, HR, a sector partner. Include enough background detail that the caller sounds credible on first contact.
Set up the call routing. Confirm the responder’s handset is working and that the room can hear both sides of the call, either through a speakerphone or a monitoring handset.
Brief the responder separately: they will receive calls during the session, they should respond as they would at their desk, and they may end a call if they become uncomfortable at any point.
Prepare the threat intelligence briefing: two or three current vishing examples with enough technical detail to illustrate the pretext structure and the social engineering mechanism. Ten minutes of material.
Facilitator actions during the exercise
Assign scenario cards at the start of the exercise. Each participant or pair gets one.
Signal each caller when it is their turn. Do not announce to the responder that a new caller is about to ring.
Note on the whiteboard after each call: the pretext used, what the caller attempted, what response they received. One line per call.
Do not coach callers during their call. Brief them beforehand if they are uncertain about the scenario; once the call has started, do not intervene.
At the mid-session review, read through the whiteboard together. Ask the callers what worked and what did not. Ask the responder what they noticed and what prompted compliance or refusal.
After the review, rotate the responder and continue.
Debrief
The debrief has two parts.
The first reviews the session results from the whiteboard. For calls that succeeded in obtaining the objective: what made this work? Was it the urgency, the authority of the claimed identity, the familiarity of the context? For calls that failed: what gave it away? What did the responder notice?
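The whiteboard log (one line per call: pretext, what was attempted, what response it got) is the raw material for this part of the debrief, and with a dozen or more calls it helps to tally it rather than read it top to bottom. The following is an added example, not part of the facilitator guide; it assumes the whiteboard has been transcribed in a simple pipe-separated form and that the outcome column reads either "obtained" or "refused". The log lines are constructed to illustrate the shape, not taken from a real session. It groups success by pretext and, separately, checks whether the responder's noted action included the out-of-band verification the debrief teaches, so the facilitator can show directly that verification coincided with refusal.

```python
"""Debrief helper for the vishing session whiteboard (added example).

Assumed transcription format, one call per line:
    <pretext> | <objective> | <responder action> | <outcome>
where <outcome> is "obtained" or "refused". All sample lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed whiteboard transcript; pretext names follow the scenario cards.
WHITEBOARD = """\
IT helpdesk | password reset | read password over phone | obtained
IT helpdesk | password reset | asked for ticket number, caller had none, ended call | refused
Guild of Tax Collectors | confirm finance email | gave address | obtained
Guild of Tax Collectors | confirm finance email | said would call back on published number | refused
New volunteer | remote access | transferred to IT contact without checking | obtained
New volunteer | remote access | asked supervisor name, caller stalled, ended call | refused
"""

# Phrases in the responder-action column that show the defence being applied:
# a check through a different channel, a demand for something the caller should
# have, or simply ending the call. Extend to match how the room writes its notes.
VERIFICATION_MARKERS = ("call back", "ticket number", "supervisor", "ended call", "verify")


@dataclass
class CallRecord:
    pretext: str
    objective: str
    response: str
    obtained: bool

    @property
    def verified(self) -> bool:
        """True if the responder's noted action contains a verification marker."""
        text = self.response.lower()
        return any(marker in text for marker in VERIFICATION_MARKERS)


def parse_whiteboard(text: str) -> list[CallRecord]:
    """Parse the transcript; reject malformed lines so the tally is trustworthy."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        pretext, objective, response, outcome = parts
        outcome = outcome.lower()
        if outcome not in ("obtained", "refused"):
            raise ValueError(f"line {lineno}: outcome must be obtained/refused, got {outcome!r}")
        records.append(CallRecord(pretext, objective, response, outcome == "obtained"))
    return records


def success_by_pretext(records: list[CallRecord]) -> dict[str, tuple[int, int]]:
    """Map each pretext to (calls that obtained the objective, total calls)."""
    totals: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r.pretext][1] += 1
        if r.obtained:
            totals[r.pretext][0] += 1
    return {pretext: (obtained, total) for pretext, (obtained, total) in totals.items()}


def verification_summary(records: list[CallRecord]) -> dict[str, int]:
    """Cross-tabulate verification against outcome.

    The debrief point is that out-of-band verification should line up with
    refusal; a non-zero 'verified_obtained' count is worth discussing in the room.
    """
    summary = {"verified_refused": 0, "verified_obtained": 0,
               "unverified_obtained": 0, "unverified_refused": 0}
    for r in records:
        key = ("verified" if r.verified else "unverified") + \
              ("_obtained" if r.obtained else "_refused")
        summary[key] += 1
    return summary


def debrief_report(text: str) -> str:
    """Render a short plain-text report for reading out at the debrief."""
    records = parse_whiteboard(text)
    lines = ["Success by pretext:"]
    for pretext, (obtained, total) in success_by_pretext(records).items():
        lines.append(f"  {pretext}: {obtained}/{total} obtained")
    lines.append("Verification vs outcome:")
    for key, count in verification_summary(records).items():
        lines.append(f"  {key}: {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(debrief_report(WHITEBOARD))
```

The marker list is deliberately crude: it matches the short phrases a facilitator is likely to write on a whiteboard, not transcripts. The useful output is the cross-tabulation at the end, which turns "what gave it away?" into a count the room can see.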
The second covers the practical takeaways: verification through a different channel is the defence. IT does not call to ask for passwords. A caller who creates urgency and discourages verification is using urgency as a technique, not describing a genuine emergency. The correct response to any unexpected request for access or sensitive information is to end the call and call back on a number found independently.
End with the equivalent of the phishing session’s closing note: the calls made in this room today were constructed in twenty minutes by people with no prior social engineering experience, using a scenario card and publicly available information about the Home. A dedicated attacker has more time, more preparation, and is not doing this as a session. The question is whether the person who receives the call knows what to do next.
They now have a better answer.