MMario Rafael Becerra Dueñas — e-learning sample
← more samples
?
"Mark Reeves" caller unverified
claims: IT Security · inbound · +44 20 7946 0xxx
00:00
live call
Account exposure
None
Verification rigor
Caller — "Mark Reeves"
Your response
Non-linear scenario — your choices change how the attacker pushes and how the call ends.

Branching voice scenario · interactive HTML5

Your phone rings. It's "IT Security."

You work on the payments team. A caller says there's an account takeover in progress on your login and he needs your help to stop it — fast. He's calm, he knows things about you, and he's in a hurry. Only one problem: you can't actually see who's on the line. Listen, and choose what you say back.

VerifyYou called nobody — verify the caller out-of-band before you do anything.
Never shareNo OTP, no password, no push-approval. Real IT never asks for them.
ReportUrgency + authority + secrecy is the attack. Name it and report it.

The voiceover is the caller. Reading the transcript instead of listening costs a few points — there's no transcript on a real call. Keys 1/2/3.

Call ended

ACall outcome

None
Account exposure
Verification rigor
Learning objectives — what this call assessed

How to beat a vishing call

  • Verify out-of-band. Hang up and call IT back on a number you already trust — never one the caller gives you. A real team never minds.
  • Never read an OTP or approve a push you didn't start. Those exist to stop exactly this. IT will never ask for them.
  • The pressure is the attack. Urgency, authority and "keep this between us" are engineered to make you skip verification — that's the red flag, not the context.
  • If you slip, report instantly. Fast reporting lets security burn the code or kill the session before it's used — turning a breach back into a near-miss.
See more formats →