How a vishing simulation transformed the cybersecurity culture in the Cher department
Interview with Aurélien LALEVEE, Chief Information Security Officer for the Cher department.
Objective: to test people’s vigilance against vishing… and to show that “it doesn’t just happen to other people.”
When asked why he decided to launch a simulation campaign, Aurélien is clear:
“Our main objective was to test our employees’ vigilance in the face of a vishing attempt (fraudulent phone call), specifically a scenario involving a fake international wire transfer order (FOVI).”
Aurélien LALEVEE, Chief Information Security Officer for the Cher department
The goal: to assess the teams’ ability to recognize social engineering attempts over the phone and via email, and, most importantly, to ensure that they respond appropriately.
But behind this operational goal, there was also a message to convey: attacks aren’t just aimed at others, and it’s much easier than people think to trick someone over the phone.
The setup: a fake agent, a spoofed number, and a very convincing scenario
To implement the initiative, the department relied on Hucency’s solution (“Avant de Cliquer” at the time of launch).
The scenario was simple on paper, but incredibly realistic.
A fake agent, posing as a new employee of the budget execution department, called targeted employees and asked them to update their bank account information via a link sent by email, using a domain that was nearly identical to the official one.
“The scenario was realistic because we had spoofed a phone number belonging to the budget execution department, but there were no technical consequences: no actual changes were made.”
Aurelien LALEVEE, Chief Information Security Officer for the Cher department
This scenario was part of an existing process within the organization, which lent credibility to the call.
A key aspect of the project was the unwavering support from management—and in particular from the Chief Financial Officer—which helped overcome all obstacles.
During the exercise: stress, mistrust… and a few clicks
The simulation lasted four days, one day less than planned. Very quickly, contrasting behaviors began to emerge:
- Some employees immediately recognize the scam and hang up;
- Others continue the conversation and eventually click on the link.
A memorable lesson:
“Statistically speaking, the first players were the ones who fell for it most easily. After that, word of mouth and independent communication raised the level of vigilance.”
Aurelien LALEVEE, Chief Information Security Officer for the Cher department
As the rumor spread within the company, the teams became more wary and more vigilant.
After the exercise: reflection and spontaneous discussions
The exercise sparked numerous spontaneous discussions among the teams.
The realization was immediate: yes, even a simple scenario can seem plausible, especially when it plays on internal norms.
Some of the reactions were intense: stressed-out agents, convinced they had made a real mistake, who had to be reassured… without revealing too soon that it was just a test.
Management welcomed this initiative, which highlighted areas for improvement in training and vigilance.
The lessons: nothing can replace training, real-world experience, and human interaction
What does this experience teach us? That raising awareness is never a done deal.
“The exercise demonstrated that even simple scenarios can fool users if the context seems credible. It also showed that this type of exercise is not impossible to implement, despite concerns about psychosocial risks.”
Aurelien LALEVEE, Chief Information Security Officer for the Cher department
A key point: explaining the in-person test transparently and with a touch of humor helps turn it into a learning experience rather than a source of stress.
Hucency: a “professional, responsive, and educational” partnership
How would you sum up the partnership with Hucency? The project manager doesn’t mince words:
“Hucency was able to adapt the script to our technical and legal constraints while maintaining a high level of realism. The calls were very realistic, right down to the sound design.”
Aurelien LALEVEE, Chief Information Security Officer for the Cher department
Already satisfied with the campaigns on phishing and USB dropping, the decision to renew the partnership came naturally.
“Today, I would choose them for their expertise in social engineering, their ability to create realistic scenarios, and their educational approach. Their solution makes it possible to measure user reactions in a concrete way.”
Aurelien LALEVEE, Chief Information Security Officer for the Cher department
Any advice for CIOs and CISOs?
“Take the plunge. These simulations are powerful tools for identifying risky behaviors. They help spark meaningful discussions and improve internal practices.”
Aurelien LALEVEE, Chief Information Security Officer for the Cher department
What happens next?
The department doesn't plan to stop there.
New simulated campaigns have already been launched—including phishing, smishing (SMS attacks), and other scenarios—to continue strengthening cybersecurity awareness.
