It is Friday evening, when most people had already mentally left office and the few still online were pretending to finish what Monday would punish them for ignoring, a finance officer in a medium-sized organisation received a short instruction on email. The message appeared to come from the head of operations, a calm man with silver-rimmed spectacles who rarely wrote long emails and was known for sending brief approvals from his phone. The instruction was simple. A supplier needed urgent payment before close of business because a field activity was starting in the west on Monday morning. The invoice was attached with the bank account details were in the body of the email. A voice note followed on the internal messaging platform, sounding like the same senior officer, firm but not rude, saying, “Please support this today, the team is stuck.”
The finance officer was not careless, that is the part many investigators miss. She had attended cybersecurity training three months earlier. She knew about phishing, about not to click suspicious links, the organisation had a payment policy, she also knew the field team had been complaining all week, the supplier had previously worked with the organisation, her supervisor was in a board committee meeting, and the senior officer who appeared to send the instruction had a habit of pushing urgent payments late in the day. The email did not defeat the training but working environment did.
By 7:04 p.m., the payment had been processed. By Monday, the real supplier was asking why money had not arrived. By Tuesday, the organisation had a suspicious payment, an altered invoice, a disputed email, a possible compromised account, a voice note suspected to be synthetic, a payment officer in tears, a senior officer insisting he never issued the instruction, and a board asking one of those dangerous questions that sounds intelligent until the evidence is inspected: “How could staff still fall for this after training?”
Think about it differently. The problem was not that the training was absent but, that the training lived in a classroom, while the attack lived inside pressure, hierarchy, convenience, fatigue and weak verification habits. That is where cyber incidents happen in real life, not in neat slides, policy manuals, or annual quiz where everyone scores 92 percent because the answers are obvious, they happen at 6:18 p.m., when authority speaks, time is short, and the person at the keyboard wants to be helpful.
Why training failed before the email arrived
Most cybersecurity training fails because it teaches people to identify danger in isolation, yet real danger arrives dressed as work. In this case, the finance officer did not receive an email from a stranger promising a lottery win, it was a message that matched a known work pattern. The language was familiar, the urgency was believable, the supplier name was not strange, the voice note added pressure, and the internal weakness was not ignorance. It was predictable obedience under pressure.
The training also failed because it placed too much responsibility on the individual and too little on the system. A good organisation should not depend on one tired employee to defeat a well-timed payment fraud. Cybersecurity awareness is useful, but it cannot compensate for poor workflow design, vague approval rules, shared institutional shortcuts and a culture where staff fear delaying senior people more than they fear breaching procedure. When people are punished socially for asking verification questions, training becomes decoration.
Another missed issue is that staff are often trained on threats, not on decisions. They learn what phishing is but do not rehearse what to say when a senior person pressures them after hours. They learn not to click strange links but do not practise freezing a transaction, escalating without panic, preserving the email properly and refusing to rely on a voice note as approval. The human skill is not merely awareness, it is disciplined hesitation.
The board also misunderstood what success looked like. Completion rates are not evidence of behavioural readiness, attendance sheets only prove that people attended, and quiz scores only prove that people remembered the obvious under calm conditions. The real measure is whether staff can apply controls when a transaction is urgent, a boss is impatient, a supplier is shouting, and the system allows shortcuts.
Try this with your team or top leadership. Put one real-looking payment instruction on the screen, give the room four minutes, add a voice note, add a senior title, add a field emergency. Then ask each person to write the exact words they would use to pause the payment without appearing insubordinate. That exercise will tell you more about your cyber culture than a hundred certificates.
The small compromise that opened the gate
The incident did not begin with the payment. It began two weeks earlier, when a procurement assistant, a quiet young man with a neat beard and a habit of carrying two phones, received what looked like a supplier update form from a familiar contact. He downloaded it, filled in a few fields, and sent it back. The file carried a link to a cloud document, he clicked because he was following up on delayed delivery notes. His login session was later used to access old supplier correspondence. Nothing dramatic happened on the screen, no red warning, no Hollywood moment, just a small compromise, quiet enough to survive.
That is how many incidents mature. The attacker does not always attack finance first, they study language, workflow, names, signatures, invoice formats, supplier disputes, reporting lines and approval habits. By the time the fraudulent instruction arrives, it feels internal because it was built from internal material. The organisation later calls it a clever attack, but in truth, it was also a patient reading of its own habits.
The compromised email was not the only issue, the supplier master file had no strong independent verification for bank account changes. The payment checklist required approval, but did not require a fresh call-back to a known contact using a number already held in the system. The organisation allowed urgent payments to move outside normal hours. The messaging platform was informally accepted as evidence of instruction, although the policy did not say so. The attack worked because the formal control and the real culture were not the same animal.
There is a legal lesson here. When a matter reaches dispute, defence counsel will not only ask whether the employee clicked. They will ask whether the organisation had a reliable process, staff were trained on that process, exceptions were documented, senior managers routinely bypassed controls, and whether the accused person acted outside the norm or merely followed the organisation’s tolerated shortcuts. That is why balanced investigations matter. A fair investigator does not begin by hunting a culprit but reconstructs the operating environment.
Take your last ten urgent payments and ask the team to reconstruct each one from request to approval to bank release. Do not ask whether the policy exists. Ask whether the actual evidence shows the policy working. Look for after-hours approvals, changed account details, personal email use, WhatsApp instructions, missing call-backs, attachments renamed by staff, and approvals made by people who did not see the original request. That is where the first compromise usually hides.
The evidence that matters is not always the evidence people print
When the issue was discovered, the IT officer did what many good IT officers do under pressure. He took screenshots, exported the suspicious email as a PDF, forwarded copies to management, logged into the procurement assistant’s mailbox to confirm what happened. He meant well but also created problems.
A screenshot may be useful, but it is not the whole thing. A forwarded email may lose header detail, a PDF export may flatten important properties, opening a file can change access dates, logging into a user account can create fresh activity that later confuses the sequence. A voice note played, downloaded, forwarded and renamed several times may become harder to tie to its first source. The evidence had not disappeared, but its clean edges were being rubbed away.
The trail that mattered was wider. The team needed the original email with full headers, mailbox audit logs, sign-in records, device information, IP addresses, multi-factor authentication events, supplier master changes, payment workflow logs, bank release records, cloud document version history, message platform exports, attachment metadata, endpoint alerts, backup snapshots and the exact state of the devices when the incident was discovered. They also needed human behaviour evidence, who was under pressure, who had authority, who usually bypassed controls, who had access, who raised concern, and who remained unusually calm when others panicked.
This is where average investigations become thin. They collect what is visible and ignore what is probative. Court is not impressed by volume but wants relevance, authenticity, continuity and explanation. A pile of screenshots is like a sack of market receipts dropped at the registry without dates, source or witness. It may contain truth, but truth has to arrive in a form that can be tested.

Draw four columns on a board. Put transaction, communication, system access and human conduct. Under each, list the source, owner, format, volatility and preservation action. Then assign one person to challenge the map as opposing counsel. That person should ask, “How do you know this is complete? Who handled it? What changed after discovery? What was not collected? What alternative explanation remains?” The case improves immediately when it is attacked early by your own team.

When evidence exists but cannot carry the case
The organisation eventually found useful material. The supplier bank details had been changed in a document version created from an account linked to the procurement assistant’s compromised credentials. The suspicious email had failed one authentication check, the voice note had no reliable internal approval trail, the payment was released outside the usual time window, the real senior officer had been in a meeting at the time the instruction was sent. On the surface, it looked clear.
Then the weaknesses appeared. The procurement assistant’s password had been reused on another platform. Several staff had access to shared procurement folders. The suspicious document had been downloaded and reopened after discovery. The payment officer had forwarded the email before preservation. The organisation had no written protocol for handling suspected deepfake voice instructions. The supplier verification call was made after the money had moved, not before, and the senior officer had previously approved urgent payments informally, which made the disputed instruction plausible.
That is the part many lawyers must understand. Evidence can point strongly in one direction and still be legally vulnerable. Authenticity is not a feeling, completeness is not assumed, and context is not optional. If an expert cannot explain how the data was obtained, what state it was in, what may have changed, and what limits apply, the report may sound confident while standing on soft ground.
A strong defence does not need to prove a different story in full. It may only need to create reasonable doubt in a criminal matter, or show procedural unfairness in a disciplinary matter, or challenge causation in a civil recovery matter. Counsel may argue that the employee was a victim of credential compromise, that the organisation normalised shortcuts, that the evidence was contaminated, that management had already decided the answer, that logs were incomplete, or that the alleged deepfake was never properly tested. Some of those arguments may fail. Some may hurt but all should be anticipated.
The practical training activity I use is a mock cross-examination of the evidence custodian and the expert before the report is finalised. Ask the custodian to explain the chain of custody without reading from the file. Ask the expert to explain what the logs prove and what they do not prove. Ask the investigator to identify evidence favourable to the employee. If the team becomes defensive, the case is not ready.
What actually works
Cybersecurity training sticks when it is tied to the work people actually do. Finance staff need payment fraud drills, procurement staff need supplier change verification drills, executives need training on how their authority is abused, board members need deepfake and business email compromise simulations, lawyers need evidence preservation exercises, and IT teams need incident handling discipline. Everyone does not need the same lecture. Role-based training is not a luxury, it is the beginning of seriousness.
Training also works when the organisation makes the safe action easy. A payment officer should have a simple pause button, a trusted escalation route and written protection from retaliation when they challenge urgency. A staff member should know the exact phrase to use: “I am pausing this transaction for independent verification under policy.” That sentence can save millions if the culture supports it. Without support, the same sentence can damage someone’s career. That is why cybersecurity is a governance issue before it is a technical issue.
Controls must be designed for fatigue. People are not machines, they rush, fear, obey, assume and forget. A future-ready organisation assumes that some staff will click, some passwords will be exposed, some messages will look real, and some senior instructions will be misused. The answer is not more blame but layered verification, least privilege, strong authentication, vendor change controls, transaction monitoring, segregation of duties, clean audit trails, tested incident playbooks and evidence preservation protocols.
What else should readers know? Artificial intelligence has made imitation cheaper. A voice note may sound familiar, a video may look convincing, and an email may carry the perfect tone. The old advice, “look for spelling mistakes,” is now weak medicine. The better advice is to verify outside the channel, use known contact points, require workflow approvals, monitor account behaviour, preserve original artefacts and train staff to pause without shame.
To illustrate this point, I give live “pause drill.” Select one department each month, end a controlled but realistic instruction that creates urgency, authority and consequence. Do not embarrass the employee. Measure whether the process catches the issue. Did the staff member verify through an independent channel? Did the supervisor support the pause? Did IT preserve the artefact correctly? Did legal know when to step in? The lesson must improve the system, not humiliate the person.
Closing the case.
The investigation closed without dramatic accusations. That mattered. The finance officer had acted under pressure and within a culture that had tolerated informal urgency, the procurement assistant’s account had likely been compromised after interacting with a supplier-themed document, and the senior officer had not issued the disputed instruction, but his previous informal approval habits had made the fraud believable. The organisation recovered part of the money through quick bank engagement, strengthened vendor verification, removed informal messaging as an approval channel, introduced a payment pause protocol, trained high-risk roles separately, and created a digital evidence response checklist for legal, IT, audit and management.
The most important finding was not that someone had failed training. The organisation had trained people to recognise cyber risk, but had not trained the business to behave securely under pressure. That distinction is the boardroom lesson.
In court, evidence is like a lantern carried through rain. If you cover it too much, it gives no light. If you swing it carelessly, the flame dies. The work of the investigator is not to shout that there was darkness. The work is to protect the flame long enough for the court, the board or the disciplinary panel to see what truly happened.
What to do before the evidence goes cold
- Preserve the original email, not just the screenshot or forwarded copy. Keep the headers, attachments and mailbox audit logs.
- Freeze relevant accounts, but record exactly when access was blocked and by whom.
- Secure laptops and phones without browsing through them casually.
- Export payment logs, supplier master changes and approval records in native or system-supported format.
- Capture cloud version history before files are overwritten or synced into confusion.
- Record the first discovery witness carefully, including what they saw, opened, copied, renamed, forwarded or deleted.
- Verify supplier bank changes using contact details already held in approved records, not details supplied in the suspicious message.
- Separate incident response from blame. Preservation comes before interviews.
- Test the suspected voice note, video or message through a competent method, but do not oversell what the technology can prove.
- Prepare for defence questions early: authenticity, completeness, authority, shared access, contamination, normal practice, proportionality and fairness.
Why cybersecurity training doesn’t stick is no longer a mystery to those of us who have handled the damaged files, the late-night payment instructions, the missing logs, the anxious witnesses, the confident screenshots and the expert reports that collapse under three careful questions. Training fails when it asks employees to be perfect inside imperfect systems. What works is practice, context, role-specific rehearsal, clean controls, respectful escalation and disciplined evidence handling.
The honest employee became expensive not because she was foolish, but because the organisation placed too much weight on memory and too little weight on design. In modern cybersecurity and digital forensics, the winning question is not, “Did we train them?” The better question is, “When pressure arrived, did our people, systems and evidence process know what to do?”
Copyright Institute of Forensics & ICT Security, 2026. All rights reserved.


