Opening the Casebook
Detective Olusegun set his coffee on the conference table and clicked to the first slide. The room held twelve people β incident responders, security analysts, the CISO, and three members of the finance team who had been specifically asked to attend. Outside the glass walls of the thirty-second floor conference room, the city glittered in the early morning light. Inside, the mood was deliberately purposeful.
"This morning we're running a tabletop exercise," Olusegun said. "Not a technical drill. No simulated network intrusions, no malware sandboxes. What I've compiled here are six actual incidents from the past eighteen months β incidents that happened to us, to our industry peers, or to organizations close enough that we should treat them as our own near-misses." He paused. "The common thread is that none of these started with a technical exploit. Every single one started with a human choice."
He advanced the slide. The room saw a single line of text: Six Cases. Six Different Attack Types. One Common Vulnerability: Us.
"The attacks I want us to understand today are the ones security teams sometimes dismiss because they don't fit cleanly into 'phishing' or 'network intrusion.' They're the ones that blend into normal business operations β the vendor emails, the USB drives in parking lots, the conference small talk, the viral social media posts."
He clicked again. "Let's open the casebook."
Case 1: The Invoice Fraud
Olusegun pulled up the first case file. "Fourteen months ago. Our accounts payable team received an email from what appeared to be a long-standing vendor β a data analytics firm we've worked with for three years." He displayed the email on the projector. To everyone in the room, it looked completely legitimate: the correct company letterhead, the right vendor name, even the account manager's name and signature block.
The email informed the AP department that the vendor had switched banks and provided new payment routing and account numbers for all future invoices. It cited a routine banking migration and apologized for any inconvenience. The tone was professional. The formatting was perfect. AP updated the payment details in the system.
"The next three months of invoices β totaling $280,000 β went to the attacker's account," Olusegun said. "The real vendor never received a penny. We had no idea until their controller called asking why they hadn't been paid. By then, the funds were gone."
He let the silence sit for a moment. "This is vendor fraud β also called invoice fraud, accounts payable fraud, or a variant of Business Email Compromise. The attacker either compromised the vendor's actual email account and sent from it β an account takeover β or created a convincing lookalike domain. In this case, forensics determined it was a lookalike: analytics-firm.com instead of analyticsfirm.com. One hyphen."
The CISO spoke: "How does AP catch that?" Olusegun nodded. "They shouldn't have to catch it on their own. The process has to protect them. Any request to change a vendor's banking details must be verified by calling the vendor on a phone number that you obtained from the original contract β not the number in the email, not a callback number that the 'vendor' provides in the change request. Out-of-band verification. Every time. No exceptions."
Case 2: The USB Drop
"Case two happened nine months ago," Olusegun said. "One of our analysts β she works in the London office β was walking to her car in the parking garage when she spotted a USB drive near the elevator. It had a label on it: 'Q3 Salary Review - Confidential.'" He looked around the room. "Can I get a show of hands β who here would pick that up?"
Several hands went up, then came down as people realized where this was going. Olusegun didn't judge. "That's human nature. It's actually a combination of two very powerful instincts: curiosity, and the desire to do the right thing. Her first thought was that it might belong to someone in HR who had dropped it. Her second thought was that it contained sensitive employee data and maybe she should secure it."
She plugged it into her workstation. "The drive didn't contain salary data," Olusegun said. "It contained a HID attack β a Human Interface Device attack. The drive identified itself to Windows not as a storage device, but as a USB keyboard. Windows automatically installed the built-in keyboard driver β no elevated privileges required, no security prompt, no warning. The 'keyboard' then began typing at machine speed: a series of commands that opened a PowerShell session and downloaded a remote access tool."
He advanced to a slide showing statistics. "A 2013 Cyberoam study found that 45% of people plug in found USB drives. University of Michigan and Illinois researchers ran a real-world experiment: they dropped 297 USB drives in public locations on a university campus. 98% were picked up. 45% were plugged in within the first few hours. The higher-value the label β 'private,' 'confidential,' 'salary' β the faster they were plugged in."
"And Stuxnet," he added, "spread to air-gapped Iranian nuclear facilities at Natanz in 2010 via exactly this vector. A facility with no internet connection, specifically designed to be isolated from the outside world, was breached because someone plugged in a USB drive. Physical security is part of cybersecurity."
Case 3: The Rubber Ducky
"Case three," Olusegun said, "is where things get more sophisticated β and more unsettling, because there's no behavioral mistake to point to." He brought up a photo of a USB-C charging cable. An unremarkable, black cable β the kind that came in the box with every recent laptop. "Seven months ago, a contractor working on a project in our New York office brought this cable to use at one of our conference room workstations. He said he needed to charge his phone. It looked exactly like every other cable in every drawer in every office in this building."
It was an O.MG Cable β a USB cable with a hidden WiFi-connected microcontroller embedded in the connector housing. When plugged into the conference room workstation, it identified itself as a USB keyboard β just like the parking garage drive had done β and executed a PowerShell download cradle that established a reverse shell to an external server the attacker was monitoring from across the city.
"The O.MG Cable is one product in a category of HID attack devices," Olusegun explained. "The Hak5 Rubber Ducky looks like a standard USB flash drive but contains a pre-programmed microcontroller that acts as a keyboard and injects keystrokes at approximately 1,000 characters per second β faster than any human typist. USB Ninja is similar. There are now HID attack devices embedded in mice, keyboards, chargers, and cables. They are physically indistinguishable from legitimate peripherals. You cannot identify one by looking at it."
He paused. "What makes these devices so powerful is that they bypass every network security control you have. They don't traverse your firewall. They don't trigger your email gateway. They appear, from the operating system's perspective, as a trusted input device β the same way your own keyboard does. The attack is happening at the human interface layer."
Case 4: The Disinformation Campaign
"Case four is the one that cost us the most," Olusegun said quietly. He pulled up a screenshot of a social media post that had gone viral five months earlier. It showed what appeared to be a BBC News screenshot reporting that the firm's CEO had abruptly resigned amid a regulatory investigation into alleged compliance failures. The post had 4,200 retweets within the first hour.
"The post was false. The screenshot was fabricated. There was no regulatory investigation, no resignation. But the market didn't know that." He pulled up a stock chart. The firm's share price had dropped 4% before the exchange halted trading. "It took six hours, multiple press statements, a call from our CEO to a major financial news channel, and two days of media management to fully correct the narrative. The reputational and financial damage during that window was real."
Olusegun walked through the terminology carefully. "This is disinformation β false information deliberately created and spread with the intent to deceive. It is distinguished from misinformation, which is false information spread by people who genuinely believe it's true. The person who retweeted the post because they thought it looked real was spreading misinformation. The person who created the fake BBC screenshot and seeded it through a network of coordinated accounts was conducting a disinformation campaign."
"There is also a third category: malinformation. True information spread with malicious intent. An example would be leaking an executive's private communications, out of context, to cause maximum harm. The information is factually accurate; the intent is malicious."
He looked around the room. "For attribution and legal response, intent matters enormously. For operational defense β what you do in the first six hours when something is spreading β the defense is identical for all three: verify claims through primary sources before acting. Establish official communication channels and monitor them. Have a crisis communication playbook ready before you need it."
Case 5: Elicitation
"Case five," Olusegun said, "is the one that makes security people the most uncomfortable, because there's nothing technically wrong with what happened. No phishing link was clicked. No USB drive was plugged in. No email was spoofed." He turned to the room. "A junior developer β let's call him Marcus β attended a developer conference in Amsterdam three months ago. While there, he met someone at the evening networking event. A friendly, knowledgeable developer from what seemed to be another financial services company. They talked for about an hour over drinks."
"Marcus didn't think he was sharing anything sensitive. They were just talking about work. But what he shared over the course of that hour included: the company's current technology stack and which components were being migrated; a security vulnerability the team had recently discovered and was in the process of patching; the fact that we were in acquisition discussions β which was not yet public; and the names and roles of two specific senior engineers."
Olusegun paused. "The person Marcus was talking to was not a fellow developer. We believe they were conducting corporate intelligence gathering. We cannot prove it. We never can."
"This is elicitation," Olusegun explained. "The skillful extraction of sensitive information through seemingly normal conversation. Intelligence agencies have used it systematically for decades. Competitive intelligence firms use it. Social engineers doing reconnaissance before technical attacks use it. The techniques are documented: flattery that makes the target feel like an expert and want to demonstrate their knowledge; feigned ignorance that invites explanation; deliberate false statements that the target corrects with accurate information; bracketing β giving a plausible-but-wrong estimate so the target provides the real number; and volunteering false details, hoping the target reciprocates with real ones."
Case 6: Spam, SPIM, and Hoaxes
"The final case," Olusegun said with a slight smile, "is the least financially damaging of the six, but in some ways the most instructive, because it shows how unsophisticated an attack can be and still succeed." He pulled up an internal email chain. "Two months ago, forty employees β across four different offices β forwarded an urgent internal email to their colleagues. The email warned that Windows Update had a critical bug: if you allowed the update to run, it would delete your System32 folder. To protect yourself, the email said, you should immediately disable Windows Defender and send this warning to everyone you know."
"A classic hoax," he said. "A decades-old format dressed up in current-sounding language. But forty people forwarded it. And at least twelve of them actually disabled Windows Defender on their workstations, leaving their machines genuinely unprotected for several hours before IT caught it."
He explained the taxonomy. "Spam is unsolicited bulk messages β primarily email, used for advertising, phishing, or malware distribution. SPIM is spam over instant messaging β the same category of attack, delivered via Teams, Slack, SMS, or social media DMs. Platforms like Teams have less mature filtering than email, and employees may be less suspicious of messages that arrive in their chat client. Hoaxes are a subcategory of manipulation: false alerts or warnings that cause recipients to take harmful actions. The particularly dangerous hoaxes are the ones that spread by weaponizing helpfulness β the recipient genuinely believes they're doing their colleagues a favor by forwarding."
"The defense against spam is technical: spam filters, email authentication protocols, user reporting. The defense against hoaxes is cultural: any 'urgent security warning' should be verified with IT before acting on it. Real security alerts don't ask you to disable your security tools."
Building a Defense Culture
Olusegun closed the casebook and looked at the room. "Six cases. Six different attack types. And every single one had one common element: a human chose to trust. AP trusted the vendor email. The analyst trusted her instinct to return a lost drive. Marcus trusted a friendly conversation. Forty employees trusted a warning that felt authentic enough to share."
"The instinct to trust isn't a flaw," he said. "It's what makes organizations function. We cannot patch it out of people and we shouldn't try. What we can do is build systems and culture that give people better tools for deciding when trust is warranted."
He walked through five principles. First: verify before trust. Out-of-band verification for any request involving money, system access, or sensitive data changes. The verification call happens on a phone number from the original contract β not from the request itself. Second: need-to-know discipline. Don't share what doesn't need to be shared β not at conferences, not in vendor meetings, not in casual conversation. If you're unsure whether something is sensitive, treat it as sensitive until you've checked. Third: physical security awareness. USB drops, tailgating, shoulder surfing β the physical layer is part of the attack surface. Found USB drives go to IT security. Charging cables from unknown sources don't get plugged in. Screen locks engage when you step away.
Fourth: report without fear. The most important cultural element. If people are embarrassed to report that they clicked something suspicious or shared something they shouldn't have, incidents go unreported and get worse. Psychological safety β the ability to report a mistake without punishment β is a security control. Fifth: exercise regularly. Tabletops, phishing simulations, social engineering red team exercises. The goal is not to catch people; it's to build reflexes before an attacker has the chance to test them for real.
"One more thing," Olusegun said, bringing up a final slide. "Every attack we reviewed today began with reconnaissance. Attackers researched the vendor relationship before crafting the AP email. They labeled the USB drive correctly for our industry. The conference attacker knew enough about financial services technology to ask the right questions. They used OSINT β open source intelligence β LinkedIn profiles, our company website, job postings, conference speaker bios. Before any of these attacks, someone was reading our digital footprint."
"Be aware of what you're broadcasting publicly. Not to go dark β we operate in a public industry β but to know what the attacker already knows about you before they pick up the phone or drop the USB drive."