CTRL+Vish
Phone-based vishing simulations
Awareness doesn't answer the phone. You do.
Your team knows what vishing is. They've sat through the slides. They can spot the red flags on a poster. And then a call comes in, someone sounds authoritative, the pressure is on, and they hand over the details anyway.
Knowledge isn't the gap. Practice is.
With CTRL+Vish, you call the AI. You know it's training. And you still nearly fall for it. That's the point.
Practice first.
Test second.
Vishing attacks surged by 442% in H2 2024. Attackers skip the inbox and go straight for the phone because a confident voice bypasses suspicion in a way a suspicious email never could. CTRL+Vish builds the instinct to handle that call before it ever happens for real.
Learn
A short, focused intro to vishing before anyone picks up the phone. What it is, how it works, and why even well-trained people still fall for it. No slides. No multiple choice. Just the content that actually sticks.
Train
Your team calls the AI. They experience a live vishing scenario in a low-pressure environment, building confidence and hearing exactly what a real attack sounds like before they're tested on it.
Test
Once they've trained, the AI calls them. A tailored scenario, at an unexpected time. Real pressure. No warning banner. No "this is a test." Just the call. That's where instinct gets tested.
Report
Every call is scored on behaviour, not just outcome. Did they hesitate? Push back? Over-share? A human risk score per participant, call recordings, and benchmarking data that tells you exactly where the risk lives.
Nobody gets cold-called without context. Participants go through Learn and Train before the Test phase begins. They know a simulation is coming. They just don't know when. That distinction matters. It builds capability without blame, and it means the data you get reflects genuine behaviour under pressure, not panic from being blindsided.
He knew it was training.
He still nearly fell for it.
This is a real recording of someone running through a CTRL+Vish scenario for the first time. No script. No coaching. Just an unfiltered first reaction. Watch how the pressure builds, how he responds, and what he says when it's over.
"I really think I should talk to my boss before I do anything."
Participant, CTRL+Vish scenario walkthrough
He wasn't tricked into picking up the phone. He knew it was a simulation. He called the AI himself. And he still responded like it was real, applying exactly the kind of judgement you want your team to have when an actual attacker calls.
That's not a fluke. That's what immersive training does. It builds the instinct before the incident.
That was real.
Now it's your turn.
Sarah is waiting in the corner of your screen. Hit the button and take the call. See how you handle the pressure when it's on you.
For demonstration purposes only. Full CTRL+Vish deployments include reporting, risk scoring, and participant management.
These aren't abstract threats.
They're Tuesday morning.
Every scenario is built around the real moments where vishing works. Authority. Urgency. Familiarity. The situations your team faces every week, except this time they get to practice before it counts.
The Employee File
Personal data under pressure
A caller asks for employee information. They reference internal processes, mention real-sounding names, and have just enough context to sound legitimate. It feels genuine. It feels awkward to question. That's exactly how it's designed to feel.
Trains:
- Data protection
- Verification discipline
- Trust exploitation
The Urgent Payment
Payment fraud under time pressure
A supplier. A senior leader. Someone from the finance team. The story changes, but the pressure doesn't. There's a payment that needs to go out now. The bank details are slightly different. The clock is ticking.
Trains:
- Payment fraud awareness
- Escalation under pressure
- Authority challenge
The Account Reset
Credential harvesting via fake support
IT support is calling. There's a problem with your account and they need your login to fix it. It'll only take a minute. Everyone's busy. This would be so much easier if you just handed it over.
Trains:
- Password security
- Impersonation awareness
- Verification behaviour
The Exception Request
Policy under pressure from within
This one flips the table. Your IT helpdesk team are the targets. A caller claims to be an employee locked out of their account. They're late for a meeting. Their manager is waiting. Can you make an exception? Just this once? This trains the people responsible for holding the security line to hold it, even when the pressure makes it very hard to say no.
Trains:
- Policy enforcement
- Empathy manipulation
- Saying no under pressure
Build Your Own Scenario
Bespoke scenarios for your environment
Default scenarios reflect common attack patterns. But every organisation has its own processes, terminology, and risk profile. Custom scenarios are built around your specific environment, your roles, your internal language, and your known vulnerabilities. If the threat is real for your organisation, we can simulate it.
- Custom personas
- Tailored scripts
- Internal terminology
- Role-specific targeting
Knowledge isn't the same as instinct.
Most security training teaches people what to know. CTRL+Vish trains people what to do. There's a significant difference, and it only becomes obvious when the phone rings.
Pressure
Real vishing works because of time pressure, authority, and social discomfort. CTRL+Vish replicates all three. No warning banners. No "this is a test." Just a call that sounds plausible and asks for something now. That's the only environment where real behaviour gets trained.
Behaviour
Policies don't answer the phone. People do. And in the moment, people don't consult a policy document, they act on instinct. CTRL+Vish trains the instinct -- how to pause, how to push back, how to escalate -- in the environment where it actually needs to work.
Memory
People remember experiences, not slides. They remember the moment they hesitated. The moment they nearly said yes. The moment they caught themselves. That emotional residue is what changes behaviour next time -- not a completion certificate and a score of 8 out of 10.
Confidence
Gotcha testing teaches people to feel bad about mistakes. CTRL+Vish gives people a safe place to practice saying no, asking questions, and slowing things down. People leave knowing they can handle it -- not dreading the next time the phone rings.
People remember how it felt to hesitate. To nearly say yes. That's what changes behaviour next time.
The Behaviour Cycle • The Cyber Escape Room Co.
See how your team really responds.
The best way to understand what CTRL+Vish does is to run it. Try it with a real team, in a real environment, and see how people respond when the pressure is on.
You'll learn more from one pilot than from any demo. And so will your team.
Run a CTRL+Vish Pilot
Tell us your team size and we'll get you set up. We'll walk you through everything you need and make sure the right people are in the loop from the start.