Team: _________________

🕵️ SOCIAL ENGINEERING ESCAPE ROOM

Player Handouts — {{company}}

📋 How to use this packet:

You'll receive different pages at different stages
Work as a team to make decisions
Facilitator will explain each scenario
Record your answers on this sheet

📞 STAGE 1: PRETEXTING

The phone call happens. Facilitator will read it to you.

Your Decision:

What do you do?

Write your team's response above

Scoring: You'll get points for recognizing red flags and verifying the caller's identity.

Page 1

Team: _________________

🔍 STAGE 2: OSINT (RECONNAISSANCE)

Before the attack, the threat actor did their homework. Below are six pieces of public information about {{company}}. Your job: Rank them by risk.

OSINT Item 1: LinkedIn Profile

LinkedIn Profile — Public

Alex Chen

Senior Software Engineer at {{company}}

Skills: Python, AWS, Kubernetes | 500+ connections

Phone: (555) 123-4567 | Location: San Francisco, CA

OSINT Item 2: GitHub Repository

GitHub — Public Repository

commit: a1b2c3d
Author: alex.chen@{{company}}.com
Date: 2024-01-15

"Fixed vendor reconciliation tool - added Stripe API key"
API_KEY = "sk_live_4x1a2b..."

OSINT Item 3: Press Release

{{company}} Partners with Acme Logistics

{{company}} announced a strategic partnership with Acme Logistics Inc. for supply chain optimization. Partnership Manager: Sarah Martinez (sarah.martinez@{{company}}.com). This integration will streamline vendor payments and reduce processing time by 40%.

OSINT Item 4: Corporate Twitter/X

@{{company}} Security Team Tweet

"Happy to announce {{ciso_name}} as our new Chief Information Security Officer! 🎉 {{ciso_name}} brings 20 years of experience in enterprise security. Welcome aboard! #CyberSecurity"

Your Ranking (most dangerous to least):

#1 Most Dangerous	_______________
#2	_______________
#3	_______________

Why? What information could an attacker use, and how?

Page 2

Team: _________________

📧 STAGE 3: PHISHING EMAILS

Eight emails arrived in {{company}}'s inbox today. Seven are legitimate. One is a spear phish. Your job: Find it.

EMAIL #1: Calendly Meeting

From: john.smith@calendly.com

Subject: Meeting scheduled with you

Hi, Sarah accepted your Calendly invitation for "Q1 Planning." The meeting is on March 15 at 2 PM. Add to calendar.

calendly.com is a legitimate scheduling tool

EMAIL #2: Slack Notification

From: notify@slack.com

Subject: @{{company}}-security mentioned you

Alex Chen mentioned you in #security-alerts: "Check the latest vulnerability report in our pinned docs."

EMAIL #3: AWS Billing Alert

From: billing-alerts@aws.amazon.com

Subject: Your AWS bill for this month is ready

Your {{company}} AWS account has generated a bill of $3,452.19. View your invoice in the AWS console.

EMAIL #4: 🚨 SPEAR PHISH 🚨

From: alex.chen@{{company}}.com

Subject: URGENT: GitHub access revocation — confirm identity

Hi team,

I'm doing a security audit of GitHub access. Can you confirm your GitHub handles and last login timestamp? This will only take 30 seconds.

Click here to confirm your GitHub handles: bit.ly/github-confirm-identities

Or reply to this email with:
• Your GitHub username
• Last login date
• Account recovery email

Thanks, Alex

⚠️ RED FLAGS: Generic greeting, asking for sensitive info, shortened URL, spoofed sender

EMAIL #5: GitHub Notification

From: noreply@github.com

Subject: You have a new pull request

Sarah Martinez requested a code review on "Add session timeout controls" (PR #2847). Review on GitHub.

EMAIL #6: Zoom Link

From: security@{{company}}.com

Subject: Weekly security sync — Zoom link

Join us Thursday at 3 PM for our weekly security sync. Zoom link here. Meeting ID: 123 456 789.

EMAIL #7: Vendor Invoice

From: finance@acmelogistics.com

Subject: Invoice #INV-2024-001 — Monthly Services

Please remit payment for March services. Invoice #INV-2024-001. Amount: $5,000. Due by March 31. View Invoice.

EMAIL #8: HR Benefits

From: hr@{{company}}.com

Subject: Q2 Benefits Enrollment Reminder

Q2 benefits enrollment closes on March 31. Review your options and make changes in the HR portal. Questions? Contact HR at hr@{{company}}.com.

Your Answer:

Which email is the spear phish? (Write the email number #)

____

Why do you think it's fake?

Page 3

Team: _________________

🎙️ STAGE 4: VISHING & DEEPFAKE VOICE

Two employees just clicked the phishing email and entered their credentials. The attacker now has access to their accounts. Here's what comes next:

📞 VOICEMAIL FROM: {{ciso_name}} (Caller ID: +1-555-0001)
[Slight audio artifacts, very slight delay between phrases]

"Hey, it's {{ciso_name}}. I'm in a back-to-back meeting in New York right now. I need a favor ASAP.
We're closing an acquisition deal and I need to wire $250,000 to our legal firm for escrow. It's time-sensitive.
I'm using the credentials I just got from IT to access the system, but our fraud detection flagged it as unusual. Can you help push it through in the payment approval queue?
You can approve it in the system if you have access, or just let me know and I'll work around it. We're closing in 2 hours.
Call me back at [555-0001] or just confirm via email that you'll handle it. Thanks."

⚠️ RED FLAGS:

Urgency ("2 hours," "ASAP")
Large wire amount ($250k)
{{ciso_name}} never asks this via voicemail normally
Mentions "credentials from IT" (connects to phishing email)
Deepfake voice artifacts (subtle delay, slight robotic tone)
Asking employee to "push through" a fraudulent flag

Your Decision (High Pressure):

You receive this voicemail. What do you do?

Choose one or describe your action:

Consider: Would you approve the wire? Call someone? Report it? Ask questions?

💡 Teaching point: This is the most emotionally intense stage. Urgency overrides judgment. The learning: Never approve large transactions based on voicemail. Always callback on a known number to verify.

Page 4

Team: _________________

🚪 STAGE 5: PHYSICAL TAILGATING

It's 4:30 PM. The attacker has been locked out of digital systems. Now they try the physical path.

🚪 SCENARIO:

You're walking toward your office building's main entrance at 4:30 PM. The lobby has a badge gate — you swipe your card and enter.

Behind you, someone in a blue delivery uniform carrying a box calls out:

"Hey! I'm with Acme Logistics. I've got a delivery for {{company}}. The main entrance is locked and I'm running late. Can you let me through the gate? The package has to get in today."

What do you do?

Your Decision:

Options might include: Let them in, ask for ID, call reception, direct them to the main entrance, etc.

✓ GOOD APPROACH:

Ask for ID, call reception to verify, or direct them to the official entrance. Badge gates exist for a reason.

✗ BAD APPROACH:

Letting them through. Even if the person is legitimate, badge gates protect everyone. Tailgating is a real attack vector.

💡 Real-world stat: Studies show 80% of employees will hold a door for someone carrying something. It feels rude not to help. But: Procedures exist for a reason.

Page 5

Team: _________________

🔗 STAGE 6: SUPPLY CHAIN COMPROMISE

The attacker has tried five vectors. Now they try the sixth: a compromised vendor. Four vendor requests came in today. One is risky. Rank them.

REQUEST #1: Bank Change (from Acme Logistics)

From: finance@acmelogistcs.com

Subject: Banking Information Update

Hi {{team}},

We're updating our banking information for invoices. Please update our account in your system:

New Account:
Bank: Wells Fargo
Routing: 121000248
Account: 9876543210

Can you confirm this is updated in your system? Thanks!

⚠️ Attacker goal: Divert future payments

REQUEST #2: Normal Invoice (from Different Vendor)

From: invoices@techsupp.com

Subject: Invoice #TS-2024-001 for February Services

PO #12345 — Invoice Amount: $5,000
Services: Feb 2024 IT support & patching
Due Date: March 15, 2024
View full invoice

✓ Specific PO, amount, normal language

REQUEST #3: Follow-up (from Acme Logistics, legitimate)

From: alex@acmelogistics.com

Subject: RE: Your Q1 Order

Thank you for the transfer last week. Your goods shipped on Friday (Tracking: AL-2024-5678). They should arrive by March 20. Let me know if you have questions.

✓ Normal business follow-up, uses correct email

REQUEST #4: Contract Renewal (from Different Vendor)

From: legal@cloudservices.com

Subject: 2025 Service Agreement — Signature Needed

Q4 renewal for Cloud Services contract. The attached agreement extends through Q4 2025. Please sign and return. Questions? Contact legal@cloudservices.com.

✓ Normal renewal cycle, specific document

Your Decision:

Which request is risky? How would you handle it?

Risky request #: _____

How would you verify before approving?

💡 Real-world story: One company approved a vendor bank change without calling to verify. 2 weeks later, $150k went to the attacker instead of the real vendor.

Page 6

Team: _________________

📋 FINAL DEBRIEF: ATTACK TIMELINE

You survived six stages. Now rebuild the 48-hour attack chain.

Timeline of the Attack

HOUR 0: OSINT GATHERING
Attacker scrapes LinkedIn, GitHub, press releases

HOUR 12: PHISHING EMAIL
Spear phish sent. 2 employees click and enter credentials.

HOUR 24: NETWORK ACCESS
Attacker uses stolen credentials to access internal systems

HOUR 30: VISHING ATTACK
Deepfake voicemail from "CFO" requests $250k wire

HOUR 36: PHYSICAL ATTEMPT
Attacker tries tailgating. Badge gate blocks them.

HOUR 42: VENDOR PIVOT
Compromised vendor email requests bank change

Controls That Worked (Caught the attack)

Verification: Stage 1 (don't engage without checking IT ticketing)
Email awareness: Stage 3 (employees spot phishing)
No wire via voicemail: Stage 4 (callback verification stops it)
Badge gate: Stage 5 (physical access denied)
Vendor verification: Stage 6 (call to verify bank change)

Controls That Failed (Or don't exist)

OSINT removal (you can't hide your company from Google)
Phishing 100% prevention (some will slip through)
Deepfake detection (still a hard problem in 2024)

Key Takeaways

Attackers are patient. They don't give up after one vector fails. They try multiple angles.
Every employee is a sensor. Each person who questions something can stop the attack.
Procedures exist for a reason. Verify through known channels. Escalate when unsure.
No single control works. Defense is layered. Awareness is one critical layer.
Trust your instincts. If something feels wrong, it probably is. Ask questions.

Next Steps

This week: Review your {{company}} vendor verification process. Is it clear? Is it followed?
This month: Check your email filtering settings. How many phishing emails slip through?
Going forward: Report suspicious emails to {{reportingEmail}}. You're the first line of defense.

Have a question?

Email {{reportingEmail}} anytime. We want to hear about suspicious activity.

Page 7