Non-linear scenario — your choices change how the attacker pushes and how the call ends.
Branching voice scenario · interactive HTML5
Your phone rings. It's "IT Security."
You work on the payments team. A caller says there's an account takeover in progress on your login and he needs your help to stop it — fast. He's calm, he knows things about you, and he's in a hurry. Only one problem: you can't actually see who's on the line. Listen, and choose what you say back.
VerifyYou called nobody — verify the caller out-of-band before you do anything.
Never shareNo OTP, no password, no push-approval. Real IT never asks for them.
ReportUrgency + authority + secrecy is the attack. Name it and report it.
The voiceover is the caller. Reading the transcript instead of listening costs a few points — there's no transcript on a real call. Keys 1/2/3.
Call ended
—
ACall outcome—
None
Account exposure
—
Verification rigor
Learning objectives — what this call assessed
How to beat a vishing call
Verify out-of-band. Hang up and call IT back on a number you already trust — never one the caller gives you. A real team never minds.
Never read an OTP or approve a push you didn't start. Those exist to stop exactly this. IT will never ask for them.
The pressure is the attack. Urgency, authority and "keep this between us" are engineered to make you skip verification — that's the red flag, not the context.
If you slip, report instantly. Fast reporting lets security burn the code or kill the session before it's used — turning a breach back into a near-miss.