5. Scenario-Based Training Modules

Each scenario follows: Setup → Red Flags → Three-Step Protocol response → Real-world anchor. Ordered from common to advanced.

5A. The Urgent Wire (CEO Impersonation)

SCENARIO: Your CFO calls from her mobile number, sounding exactly right. She’s in a board meeting overseas and needs you to wire $85,000 to a new vendor today. She says not to use email and not to discuss it until it’s finalized.

Red flags: Urgency, bypass of normal approval, new payment destination, secrecy instruction.

Response: PAUSE (financial trigger + executive urgency). CHALLENGE (“Our policy requires SureCircle verification—takes 30 seconds”). If verified, proceed through standard dual-authorization workflow. If not, escalate.

Anchor: Arup $25.6M—a 30-second challenge would have stopped 15 transfers before they began.

5B. The Helpful IT Caller

SCENARIO: IT calls saying your credentials were flagged in a breach. He needs you to install a remote diagnostic tool and read him the MFA code that just arrived. He knows your name, your manager, and references a real internal system.

Red flags: Unsolicited IT contact, request for MFA code, remote-access install.

Response: PAUSE (credential + software triggers). CHALLENGE. If refused, end call immediately and contact IT helpdesk via official number.

Anchor: MGM Resorts 2023—a single vishing ("voice phishing") call yielded a VPN reset and $100M+ in damages.

5C. The Bank Fraud Alert

SCENARIO: Your card processor calls about suspicious activity. To “freeze fraudulent transactions,” they need the last four of the card, billing zip, and a one-time code. The window to reverse closes in 15 minutes.

Red flags: Inbound bank contact, request for credentials/codes, artificial time pressure.

Response: PAUSE (financial + inbound bank triggers). CHALLENGE. Even if verified, independently call the bank’s known number to confirm. Bank impersonation warrants dual verification.

Anchor: Bank impersonation causes $50K–$500K losses per SMB incident.

5D. The Vendor Account Change

SCENARIO: A regular vendor contact calls to say they’ve completed an acquisition—all payments need to go to a new bank account immediately. A confirming email arrives moments later from the correct domain.

Red flags: Banking detail change, urgency, coordinated phone + email (BEC 2.0 pattern).

Response: PAUSE (payment routing trigger). CHALLENGE. If verified, process through standard vendor payment-change workflow requiring secondary email to a pre-registered address.

Anchor: Vendor impersonation is a top FBI IC3 category—billions in annual losses.

5E. The Deepfake Video Conference (Advanced)

SCENARIO: You join a Zoom call with your CEO, CFO, and outside counsel. All are visible on video. They explain a confidential acquisition requiring immediate wire authorization of $1.2M. They instruct you not to discuss it outside the call.

Red flags: High-value transaction on video, multiple participants creating social proof, secrecy, urgency.

Response: PAUSE (every trigger category active). CHALLENGE each participant individually. If any participant refuses or fails, halt the entire process. Partial verification does not vouch for unverified participants.