From phishing to vishing and all the -ishings

Most security training fails. It’s a one-off event, focused on passive awareness, that doesn’t stick. Teams are left thinking “phishing” is just about poorly written emails, while attackers use a vast arsenal of psychological tactics.

This workshop is different. It’s a highly adaptable, immersive session designed to turn your team from the primary target into the first line of defense. We move beyond the email to explore the entire spectrum of social engineering: vishing (voice), smishing (SMS), pretexting, and more.

We don’t just teach what to look for; we build your team’s muscle memory to respond effectively and disrupt attacks in progress.

Core principles

  • Adaptable, Not Static: The content is a framework, not a sermon. Scenarios, examples, and lessons are tailored in real time to your team’s roles, tools, and specific threat landscape.

  • Action Over Awareness: The goal isn’t to know more; it’s to do something differently. We focus on building practical, repeatable habits for detection and response.

  • Psychological, Not Technical: We demystify the human principles of influence (authority, urgency, scarcity) that attackers exploit, making them easier to recognize in any medium.

  • Blame-Free Environment: The goal is to learn, not to shame. We create a safe space for participants to discuss past mistakes and practice new skills.

How it works: A flexible structure

The workshop is modular and can be scaled from a 90-minute primer to a half-day deep dive.

  1. The Setup: The Attacker’s Playbook (The “Why”)

    • A quick, engaging primer on the psychology of social engineering.

    • Why do these attacks work? We break down principles like authority, urgency, and social proof.

  2. The Immersion: Real-World Scenarios (The “What”)

    • Adaptable Modules: We run through tailored examples of:

      • Phishing: Beyond the inbox (Slack, Microsoft Teams, collaboration tools).

      • Vishing: Phone-based scams targeting HR, finance, and IT.

      • Smishing & Quishing: SMS and QR code scams.

      • Pretexting: Elaborate lies built to extract information over time.

    • Format: A mix of facilitated discussion, live demos, and review of real (anonymized) examples.

  3. The Action: Building Muscle Memory (The “How”)

    • The Core Question: “What do you do when you suspect something?”

    • We collaboratively develop and practice a simple, team-specific protocol for:

      • Verifying a suspicious request (e.g., the “3-point verification” rule).

      • Reporting it quickly and effectively to security teams.

      • Disrupting the attack (e.g., a safe way to string along a visher to waste their time).

  4. The Output: Your Team’s Playbook

    • The session concludes by capturing the agreed-upon protocols and resources into a simple, one-page “quick reference guide” that participants can immediately use.

Who it is for

This workshop is designed for any team that handles information, systems, or access. We adapt the content for:

  • Executive & Leadership Teams (high-value targets for vishing)

  • HR & Finance Departments (targets for W-2/CEO fraud)

  • IT & Security Teams (targets for credential theft and system access)

  • Whole-Company Sessions (building a unified culture of security)

Take the next step

Ready to build your human firewall? Let’s design a session for your specific needs. Start with a free consultation.