Similar to a phish email test, add the capability to call users and test their ability to detect the threat. Calls could perform social engineering, or ask the user to download a remote control tool, etc