Working in cybersecurity for a large corporation often means your colleagues look to you as their personal tech guru, answering questions ranging from “Which password manager should I use?” to “Can hackers steal my money if I answer a call from a weird number?”

It’s all in a day’s work—so much so that when a C-level executive (let’s call him Mario) approached me at the coffee machine one autumn day in 2019, asking for help with a “delicate matter,” I didn’t bat an eye.

“Sure,” I said. “What’s up?”

“I think I might have scammed someone,” he confessed, a nervous grin spreading across his face.

Now, if you’re in my line of work, red flags like this don’t just wave—they start doing the Macarena. I immediately thought of all the worst-case scenarios: Had he inadvertently set off some sort of corporate security breach? Was this an insider threat? My mind was racing as I followed him to a quiet meeting room.

“Alright, Mario,” I said, trying to keep my voice calm. “What happened?”

“Well,” he began, his voice hushed as though he was afraid the walls might be listening. “I was on Facebook, you know, just scrolling through, when suddenly a pop-up appeared saying I’d won an iPhone!”

Ah, the infamous “You’ve won an iPhone” scam. If I had a nickel for every time someone fell for that one, I could probably afford an iPhone 11 Pro myself. But let’s rewind for a moment, so I can explain why this set off all sorts of alarms in my head.

In the realm of cybersecurity, one of the most common “malvertising” campaigns—malicious ads designed to scam you—is the old “Congratulations! You’ve won a valuable prize!” trick.

[Image: the scam pop-up. It read: “You have won the iPhone 11 PRO! Almost done! You need to confirm your address and pay a small commission (€1.95) for insured shipping and delivery by Poste Italiane.”]

It usually involves a flashy banner or pop-up that promises a new gadget, like an iPhone, in exchange for something ridiculously simple, like paying a small shipping fee. Of course, the “fee” is only the pretext: the page is a phishing front, and the real goal is to harvest your credit card details, your address, and whatever other personal information you type into the form.

Mario, bless his heart, had fallen for one of these.

“So, let me get this straight,” I said, still holding onto a shred of hope that this was just a simple misunderstanding. “You clicked on the pop-up?”

“Yes,” he nodded eagerly. “And the site asked me to pay a small fee, just €1.95, to cover the shipping for the prize. So, I entered the company credit card details, and the payment went through. I was so excited!”

My heart sank a little. But, as I would soon find out, the story was far from over.

“Then,” Mario continued, his grin widening like a kid who had just discovered his Christmas presents hidden in the closet, “I had a brilliant idea. I thought, wouldn’t it be great if I could get one of these iPhones for my wife as well? So, I reloaded the page.”

I could feel a sinking feeling in my stomach. “And?”

“And another pop-up appeared!” Mario said, his eyes gleaming. “It said I’d won again! I couldn’t believe it. I’d hacked the contest!”

Oh dear. There was no hacking involved here—just a well-crafted scam designed to lure victims in again and again. But I let him continue.

“But this time,” Mario said, lowering his voice as if sharing a top-secret revelation, “I knew I couldn’t use the same company credit card. They’d probably catch on if I did that. So…”

Please, Mario, don’t say it. Don’t say what I think you’re about to say.

“…I used my personal credit card instead!”

There it was. The pièce de résistance.

“And did the payment go through?” I asked, already knowing the answer.

“Yes!” Mario exclaimed triumphantly. “I even used a different shipping address—one for the office, and one for my home, just to be safe. Clever, right?”

I took a deep breath, trying to process what I had just heard. Here was one of the top executives in the company, a man responsible for making million-dollar decisions, and he had just fallen for a phishing scam—not once, but twice, and with two different credit cards.

“So, Mario,” I began cautiously, “why exactly are you worried? Are you concerned about your credit cards being compromised?”

“Exactly!” Mario interrupted, a look of genuine concern on his face. “I’m afraid the contest organizers might figure out that I managed to hack their system and enter twice. Do you think they’ll report me? Or maybe they’ll cancel the iPhones?”

At this point, I couldn’t hold it in any longer. I burst out laughing. Poor Mario, he had no idea what he had gotten himself into.

“Mario,” I said, wiping tears of laughter from my eyes, “I hate to break it to you, but there aren’t going to be any iPhones.”

He stared at me, his expression a mix of confusion and disbelief. “What do you mean?”

We spent the next hour canceling his cards, reporting the fraudulent transactions, and setting up monitoring for any suspicious activity. It was a tedious process, but necessary to ensure that Mario didn’t suffer any further financial losses.

As we wrapped things up, Mario looked at me with a sheepish grin. “I guess I won’t be getting those iPhones, huh?”

I chuckled. “No, but look at it this way—you’ve got a great story to tell at the next company event!”

And so, the tale of Mario and the “hacked” iPhone contest became a running joke in the office. Every time someone mentioned a new gadget, someone else would chime in with, “Hey, Mario, won any more iPhones lately?” It was all in good fun, and Mario took it in stride, eventually laughing along with the rest of us.

But on a more serious note, the incident served as a valuable lesson for everyone in the company. It highlighted just how easily even the most tech-savvy individuals could fall victim to social engineering and phishing scams.

No one is immune, not even the C-level executives who manage the company’s most critical decisions.