FakeBat Scenario: Small Business Software Trap

Maple Street Consulting: Professional services firm, 25 employees
Social Engineering • FakeBat
STAKES
Client data + Business operations + Service continuity + Maple Street Consulting reputation
HOOK
Workstations used for client deliverables are redirecting searches to unfamiliar domains, browser ads are appearing inside active project tools, and staff report installing urgent software updates from lookalike vendor pages. With a major client presentation in two days, delivery timelines and client trust are both at risk.
PRESSURE
  • Major client presentation due Friday
  • Contract at risk representing 40% of quarterly revenue
FRONT • 120 minutes • Intermediate
NPCs
  • Greg Palmer (Owner): Leading client-facing decisions while delivery timelines degrade
  • Lisa Martinez (Office Manager): Tracking endpoint instability and staff workflow impact across the firm
  • Dev Kapoor (Lead Consultant): Managing deliverable quality while project systems show browser manipulation
SECRETS
  • Staff installed lookalike software updates from spoofed vendor pages
  • Browser extensions with broad permissions are intercepting search and form traffic
  • Shared credentials on project systems increased risk of account takeover

Planning Resources

Tip 📋: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

FakeBat Small Business Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note 🎬: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

FakeBat Small Business Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning 🚨: Initial User Reports
  • Workstations used for client deliverables are running slower than normal
  • Browsers are redirecting to unfamiliar search and advertising pages
  • Persistent pop-up ads appear during active project work
  • Staff report installing urgent software updates from unexpected websites
  • Homepage and extension settings changed without user approval

Key Discovery Paths:

Detective Investigation Leads:

  • Installation logs show unsigned update executables on multiple endpoints
  • Process analysis reveals suspicious binaries launched from temporary folders
  • Browser history links update activity to recently registered lookalike domains
  • Registry and browser-profile artifacts show unauthorized extension installs and homepage tampering that no user approved
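The Detective leads above (unsigned update executables, binaries launched from temporary folders, browser-spawned installers) can be turned into a repeatable triage pass over process-creation telemetry. The following is an added example and not part of the scenario materials: the event records are constructed to resemble EDR process-creation telemetry for the firm's workstations, and the field layout, vendor signer strings and scoring weights are assumptions for the example.

```python
"""Flag 'update' installers that run from user-writable folders without the
vendor's signature. Added example; event records and signer strings are
constructed, and the field layout is an assumption, not any EDR's schema."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# Folders a browser-delivered installer typically lands in (lower-case match).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
UPDATE_WORDS = re.compile(r"update|setup|install|patch", re.I)
# Products the firm runs and the Authenticode subject each vendor signs with.
# Constructed for the example; a real table comes from the software inventory.
EXPECTED_SIGNERS = {
    "zoom": "Zoom Video Communications, Inc.",
    "teams": "Microsoft Corporation",
}


@dataclass
class ProcessEvent:
    host: str
    image: str                  # full path of the launched binary
    parent_image: str
    signer: Optional[str]       # Authenticode subject, None when unsigned
    signature_valid: bool


@dataclass
class Finding:
    host: str
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)


def triage(ev: ProcessEvent) -> Finding:
    """Score one event; higher means more like a masquerading installer."""
    f = Finding(ev.host, ev.image)
    path = ev.image.lower()
    name = PureWindowsPath(ev.image).name.lower()
    parent = PureWindowsPath(ev.parent_image).name.lower()
    if any(d in path for d in TEMP_DIRS):
        f.score += 2
        f.reasons.append("launched from a temp or download folder")
    if parent in BROWSERS:
        f.score += 1
        f.reasons.append(f"spawned directly by {parent}")
    if UPDATE_WORDS.search(name):
        f.score += 1
        f.reasons.append("filename claims to be an update or installer")
        # A genuine update for a product we run carries that vendor's signature.
        for product, vendor in EXPECTED_SIGNERS.items():
            if product in name and (not ev.signature_valid or ev.signer != vendor):
                f.score += 3
                f.reasons.append(
                    f"claims to be {product} but signer is {ev.signer!r}, expected {vendor!r}")
    if not ev.signature_valid:
        f.score += 2
        f.reasons.append("binary is unsigned or its signature does not validate")
    return f


def flagged(events, threshold: int = 5):
    """Return findings at or above the threshold, highest score first."""
    hits = [triage(e) for e in events]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed telemetry for three of the firm's workstations.
SAMPLE_EVENTS = [
    ProcessEvent("maple-ws07", r"C:\Users\dev\AppData\Local\Temp\ZoomUpdate_5.17.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", None, False),
    ProcessEvent("maple-ws03", r"C:\Program Files\Zoom\bin\Installer.exe",
                 r"C:\Program Files\Zoom\bin\Zoom.exe",
                 "Zoom Video Communications, Inc.", True),
    ProcessEvent("maple-ws12", r"C:\Users\lisa\Downloads\TeamsSetup.exe",
                 r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 "Maple Soft Ltd", True),
]

if __name__ == "__main__":
    for fnd in flagged(SAMPLE_EVENTS):
        print(f"{fnd.host}: score {fnd.score}, {fnd.image}")
        for r in fnd.reasons:
            print("   -", r)
```

The third event is the case worth pointing out to players: the installer is validly signed, but by a publisher that is not the vendor whose product it claims to be, so "is it signed?" alone would have passed it. The legitimate Zoom updater on maple-ws03 scores low because it runs from the product directory under the product's own process and carries the expected signer.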

Protector System Analysis:

  • Memory telemetry indicates active browser injection processes
  • Endpoint performance data confirms hidden tasks consuming system resources
  • Extension permission review shows broad access to web sessions and form content
  • Authenticode signature validation confirms the update binaries are either unsigned or signed by a publisher other than the vendor they claim to be
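The extension permission review in the Protector leads can be made concrete by reading each installed extension's manifest and scoring what it is allowed to touch. This is an added example, not part of the scenario materials: the two manifests are constructed and name no real extension, the permission semantics follow the Chrome extension manifest format (manifest_version 3), and the risk table and verdict thresholds are assumptions for the example.

```python
"""Review a browser extension's manifest for traffic- and form-interception
capability. Added example; the manifests are constructed and name no real
extension. Permission semantics follow the Chrome extension manifest format
(manifest_version 3); the risk table and verdict thresholds are assumptions."""
import json

# Permissions that let an extension observe or rewrite browsing and sessions.
HIGH_RISK = {
    "webRequest": "observe every request the browser makes",
    "declarativeNetRequest": "redirect or rewrite requests (search hijacking)",
    "declarativeNetRequestWithHostAccess": "rewrite requests on granted hosts",
    "scripting": "inject code into pages",
    "cookies": "read session cookies",
    "webNavigation": "see every URL the user navigates to",
    "tabs": "read URLs and titles of open tabs",
    "proxy": "route all traffic through an attacker-chosen proxy",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def review(manifest_text: str) -> dict:
    """Return a verdict (block / review / allow) with the reasons behind it."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    # Manifest v2 listed host patterns under "permissions"; treat those as hosts too.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(p for p in perms if p in HIGH_RISK)
    broad = bool(hosts & BROAD_HOSTS)
    all_pages_script = any(set(cs.get("matches", [])) & BROAD_HOSTS
                           for cs in m.get("content_scripts", []))
    reasons = [f"{p}: {HIGH_RISK[p]}" for p in risky]
    if broad:
        reasons.append("host access to every site the user visits")
    if all_pages_script:
        reasons.append("content script runs in every page and can read form fields")
    if all_pages_script or (broad and risky):
        verdict = "block"      # can see or alter sessions and forms everywhere
    elif risky or broad:
        verdict = "review"     # capable, but scope-limited; check the hosts
    else:
        verdict = "allow"
    return {"name": m.get("name", "?"), "verdict": verdict,
            "risky_permissions": risky, "reasons": reasons}


# Constructed manifests: one matching the scenario's hijacker, one benign.
HIJACKER = json.dumps({
    "manifest_version": 3, "name": "Search Helper Pro", "version": "1.4",
    "permissions": ["webRequest", "declarativeNetRequest", "cookies", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})
BENIGN = json.dumps({
    "manifest_version": 3, "name": "Dark Theme Toggle", "version": "2.0",
    "permissions": ["storage"],
})

if __name__ == "__main__":
    for text in (HIJACKER, BENIGN):
        r = review(text)
        print(f"{r['name']}: {r['verdict']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

On a Windows endpoint the manifest to feed this lives under each extension's folder in the browser profile (for Chrome, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json`); a content script matched on every page is treated as a block on its own because that alone is enough to read form fields and credentials.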

Tracker Network Investigation:

  • DNS logs show repeated queries to newly registered lookalike domains
  • Traffic analysis identifies outbound connections to ad-injection infrastructure
  • Proxy logs show rewritten search traffic and suspicious redirect chains
  • Download telemetry traces the installer back to the malvertising that led staff to the lookalike vendor pages
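The Tracker leads above combine two checks that are easy to script: pick lookalike and newly registered domains out of DNS logs, and rebuild the redirect chain from the lookalike vendor page to the final installer URL from proxy logs. The block below is an added example, not part of the scenario materials: the log lines, vendor allowlist and registration dates are constructed, the line formats are assumptions rather than any product's export format, and the registration-date table stands in for a WHOIS/RDAP lookup.

```python
"""Pull lookalike / newly registered domains out of DNS logs and rebuild the
redirect chain that led to the installer from proxy logs. Added example; the
log lines, allowlist and registration dates are constructed, and the line
formats are assumptions rather than any product's export format."""
import re
from datetime import date
from urllib.parse import urlsplit

# Vendors the firm actually uses and the domains their installers legitimately
# come from. Constructed allowlist; a real one comes from the software inventory.
APPROVED = {"zoom": {"zoom.us"}, "teams": {"microsoft.com"}, "slack": {"slack.com"}}
# Stand-in for a WHOIS/RDAP creation-date lookup (constructed values).
REGISTERED_ON = {
    "zoom-desktop-updates.com": date(2024, 3, 6),
    "cdn-swdl.net": date(2024, 3, 8),
    "files-mirror.xyz": date(2024, 2, 27),
    "zoom.us": date(2011, 1, 25),
}
TODAY = date(2024, 3, 12)        # fixed so the example is reproducible
NEW_DOMAIN_DAYS = 30

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<name>\S+) (?P<qtype>A|AAAA)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) GET (?P<url>\S+) (?P<status>\d{3}) (?P<loc>\S+)$")


def registrable(name: str) -> str:
    # Assumes a two-label registrable domain; production code should use the
    # public suffix list (think co.uk) instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain: str):
    """Brand whose name is embedded in a domain that is not that vendor's own."""
    sld = domain.split(".")[0]
    for brand, own in APPROVED.items():
        if brand in sld and domain not in own:
            return brand
    return None


def review_dns(lines):
    """Map suspicious domain -> {hosts, lookalike_of, age_days}."""
    findings = {}
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        dom = registrable(m["name"])
        brand = lookalike_of(dom)
        reg = REGISTERED_ON.get(dom)
        age = (TODAY - reg).days if reg else None
        if brand or (age is not None and age < NEW_DOMAIN_DAYS):
            f = findings.setdefault(dom, {"hosts": set(), "lookalike_of": brand, "age_days": age})
            f["hosts"].add(m["host"])
    return findings


def redirect_chains(lines):
    """Follow 3xx Location hops per client from the first page to the final URL."""
    hops, targets, order = {}, set(), []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["url"])
        order.append(key)
        if m["status"].startswith("3") and m["loc"] != "-":
            hops[key] = m["loc"]
            targets.add((m["host"], m["loc"]))
    chains = []
    for key in order:
        if key not in hops or key in targets:   # not the start of a chain
            continue
        chain, cur = [key[1]], key
        while cur in hops:
            cur = (cur[0], hops[cur])
            chain.append(cur[1])
        chains.append((key[0], chain))
    return chains


# Constructed log excerpts for the morning the hijacking was noticed.
DNS_LOG = """\
2024-03-12T09:14:02 maple-ws07 query zoom-desktop-updates.com A
2024-03-12T09:14:03 maple-ws07 query cdn-swdl.net A
2024-03-12T09:14:03 maple-ws07 query files-mirror.xyz A
2024-03-12T09:20:11 maple-ws12 query zoom-desktop-updates.com A
2024-03-12T09:21:40 maple-ws03 query zoom.us A""".splitlines()

PROXY_LOG = """\
09:14:03 maple-ws07 GET https://zoom-desktop-updates.com/dl 302 https://cdn-swdl.net/s/1
09:14:03 maple-ws07 GET https://cdn-swdl.net/s/1 302 https://files-mirror.xyz/ZoomUpdate_5.17.exe
09:14:04 maple-ws07 GET https://files-mirror.xyz/ZoomUpdate_5.17.exe 200 -
09:21:41 maple-ws03 GET https://zoom.us/download 200 -""".splitlines()

if __name__ == "__main__":
    for dom, f in review_dns(DNS_LOG).items():
        print(f"{dom}: lookalike_of={f['lookalike_of']} age_days={f['age_days']} hosts={sorted(f['hosts'])}")
    for host, chain in redirect_chains(PROXY_LOG):
        print(host, " -> ".join(urlsplit(u).hostname for u in chain))
```

The two hosts that resolved the same lookalike domain are the scope of the infection as far as DNS can tell it; the redirect chain gives the block list (every hop, not just the first page) and the final filename to search for on the other endpoints.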

Communicator Stakeholder Interviews:

  • Staff explain they installed updates to avoid project disruption ahead of deadlines
  • Leadership reports concern about client trust if deliverables miss quality thresholds
  • Operations confirms shared credentials are still used across project systems
  • Delivery teams request guidance on when systems are safe to return to production use

Mid-Scenario Pressure Points:

  • Hour 2: Key client requests an immediate preview of presentation materials
  • Hour 3: Leadership demands a firm timeline for restoring reliable project systems
  • Hour 4: Client-facing staff report reputational risk from visible quality delays

Evolution Triggers:

  • If containment exceeds 3 hours, secondary payload behavior escalates credential risk
  • If browser persistence is not removed, reinfection continues after partial cleanup
  • If update-source controls are not enforced, additional staff may repeat the same install path

Resolution Pathways:

Technical Success Indicators:

  • Team identifies the masquerading update chain and removes persistence artifacts
  • Endpoint controls block untrusted update sources and unauthorized extension installs
  • Credential resets and session revocations stop ongoing account abuse

Business Success Indicators:

  • Client deliverables proceed with controlled disruption and transparent risk messaging
  • Service operations stabilize while remediation completes
  • Security controls are added without disabling core consulting workflows

Learning Success Indicators:

  • Team understands how software masquerading targets routine productivity behavior
  • Participants recognize why verification controls matter in small organizations
  • Group demonstrates practical balancing of delivery commitments and containment rigor

Common IM Facilitation Challenges:

If Team Focuses Too Heavily on Technical Details:

“How will your technical findings translate into a clear client-facing update before the presentation review call?”

If Business Stakeholders Are Ignored:

“Leadership is asking which systems can be trusted today and which workflows require manual fallback. What is your recommendation?”

If Software Masquerading Is Missed:

“Why were these update prompts convincing to experienced consultants under deadline pressure, and how will you prevent that pattern next week?”

Success Metrics for Session:

Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use Hook and Initial Symptoms for rapid setup. Present guided clues at short intervals, then move to immediate containment and communication choices.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Expand decision pressure across technical containment, client confidence, and governance obligations.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players design and justify their own response path balancing operational, legal, and reputational outcomes.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add conflicting signals from legitimate updates and partial telemetry to force evidence-based prioritization.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Multiple project workstations downloaded unsigned update executables from lookalike vendor domains registered in the last week.”
Clue 2 (Minute 10): “The binaries are not vendor-signed and install browser extensions with broad content-modification permissions.”
Clue 3 (Minute 15): “Traffic logs confirm redirect chains and ad injection into active client deliverable workflows.”

Pre-Defined Response Options

Option A: Full Endpoint Remediation and Verification

  • Action: Remove unauthorized software and extensions, rebuild trust baselines, and enforce approved update sources.
  • Pros: High confidence containment with durable prevention controls.
  • Cons: Requires temporary productivity loss during cleanup.
  • Type Effectiveness: Super effective against Trojan and Downloader behaviors.

Option B: Browser Containment First

  • Action: Reset browser state, remove unauthorized extensions, block malicious redirect paths, and monitor for reinfection.
  • Pros: Fast reduction in visible impact on client workstreams.
  • Cons: Underlying endpoint compromise may persist.
  • Type Effectiveness: Moderately effective against Browser Hijacker behavior.

Option C: Infrastructure Blocking and Monitoring

  • Action: Block malicious domains and C2 destinations while collecting forensic evidence.
  • Pros: Prevents additional downloads and outbound command traffic.
  • Cons: Does not remediate already compromised hosts.
  • Type Effectiveness: Partially effective against Downloader behavior.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Initial Detection and Delivery Risk (35-40 min)

Time-Stamped Investigation Clues:

  • Minute 5: Unsigned installers are found on systems used for active client projects
  • Minute 8: Browser injection and persistence artifacts are confirmed
  • Minute 12: Network logs show repeated callbacks to newly registered infrastructure
  • Minute 16: Staff report urgent update prompts appeared during deadline-critical tasks
  • Minute 20: Extension permission scope indicates potential exposure of project credentials

Pressure Event (Minute 22): “A client stakeholder requests immediate assurance that deliverable systems are safe before final review materials are accepted.”

Response Options:

  • Option A: Full remediation before any further client delivery actions
  • Option B: Staged restoration with high-risk systems isolated first
  • Option C: Evidence-first approach to preserve investigation quality before full cleanup

Round 1 Debrief: “Which action most reduced near-term business risk while preserving evidence quality for follow-up decisions?”

Round 2: Reporting, Governance, and Client Trust (35-45 min)

Evolution Based on Round 1 Choice: Containment status improves, but credential risk and stakeholder expectations now drive response quality.

Facilitation questions:

  • “What minimum evidence threshold justifies external communication to clients and regulators?”
  • “How do you sequence containment, client updates, and governance reporting under deadline pressure?”
  • “Which decisions are reversible, and which would create long-term trust damage if wrong?”

Key Learning Objectives (Lunch & Learn)

Technical: Update-source verification, persistence identification, and practical endpoint containment.
Business: Deadline protection, client confidence preservation, and transparent decision-making.
Incident Response: Evidence-driven triage, proportional reporting, and governance alignment under pressure.

Full Game Materials (120-140 min, 3 rounds)

Tip: Full Game vs. Lunch & Learn

The Full Game extends from guided decisions to open investigation with a third round focused on strategic recovery and sustainable operating controls.

Round 1: Discovery and Immediate Containment (35-40 min)

Players investigate openly. Expected findings include spoofed update sources, browser manipulation, credential-exposure risk, and weak software governance across shared project endpoints.

If team stalls: “Client delivery decisions are due now. Which systems can remain in use today, and which must be isolated immediately?”

Facilitation questions:

  • “What is your fastest high-confidence containment action?”
  • “How do you keep client trust while uncertainty remains?”
  • “Who signs off on production-system reactivation?”

Round 1→2 Transition

Initial containment reduces immediate disruption, but evidence quality and communication strategy now determine whether the incident stays manageable.

Round 2: Trust, Reporting, and Control Validation (35-40 min)

Technical remediation continues while leadership demands defensible updates for clients and governance stakeholders.

Facilitation questions:

  • “Do you communicate early with partial certainty or wait for stronger validation?”
  • “What evidence package supports your reporting decisions?”
  • “How do you preserve productivity without reintroducing compromise risk?”

Round 2→3 Transition

Operational risk is reduced, but longer-term business resilience now depends on practical control design and sustained behavior change.

Round 3: Recovery and Sustainable Security Model (40-55 min)

Victory conditions for full 3-round arc:

  • Compromised update chain removed and persistence eliminated
  • Client communication delivered with accurate, defensible evidence
  • Governance obligations met in the firm's jurisdiction, with no unresolved compliance actions
  • Sustainable, budget-aligned controls adopted for ongoing consulting operations

Debrief Focus

  • Why software update trust is a high-risk dependency in small professional-service firms
  • How to align technical containment with client-facing communication under deadline stress
  • Which controls deliver the highest protection value per dollar in low-margin environments
  • How to prevent recurrence without crippling delivery speed

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. A legitimate software update release creates overlapping performance symptoms.
  2. Shared account usage blurs attribution across multiple endpoints.
  3. Hosting-side latency issues mimic malware-related client portal instability.
  4. Benign browser plugins create noise during extension triage.

Removed Resources and Constraints

  • No external malware reference material during play
  • No dedicated in-house security staff
  • Partial endpoint logging with data gaps
  • Emergency spending requires leadership approval

Enhanced Pressure

  • Client review is moved up by 24 hours
  • Competitors circulate security-focused messaging in the same market window
  • Internal rumor sharing increases reputational risk
  • New lookalike update domains appear during remediation

Ethical Dilemmas

  1. Disclosure timing: “Is early disclosure with partial certainty better than delayed disclosure with stronger evidence?”
  2. Team accountability: “How do you address risky install behavior without creating a blame culture that hides future incidents?”
  3. Budget realism: “If full remediation is unaffordable this quarter, which controls are non-negotiable and why?”
  4. Client trust tradeoff: “How transparent can you be about risk without triggering avoidable contract loss?”

Advanced Debrief Topics

  • Decision quality under constrained telemetry and compressed business deadlines
  • Control prioritization in small-service organizations with limited financial slack
  • Communication frameworks that preserve trust when facts are still emerging
  • Long-term governance patterns that reduce repeat exposure to masquerading campaigns