Abstract
MFashion is a Malaysian small and medium-sized enterprise (SME) in the fashion industry. In 2023, attackers used an email domain similar to that of a long-term supplier to redirect a large payment to a fraudulent account. MFashion faces persistent challenges, such as management’s lack of cybersecurity prioritization, employee complacency, and an underdeveloped cybersecurity culture. The case examines the importance of the human factor in cybersecurity. In this case study, students take on the role of a cybersecurity consultant to analyze the key issues and propose recommendations to strengthen MFashion’s cybersecurity.
Keywords
Introduction
Cybersecurity management is a company’s strategic effort to protect its digital information and assets from cybersecurity threats. This includes deploying continuous monitoring systems, regular risk assessments, employee cybersecurity awareness and training, and the deployment of cybersecurity technologies to protect systems, data, and networks (Jha, 2023).
The cost of cybersecurity attacks is staggering, resulting in huge losses and damages. In 2024 alone, global cybercrime costs reached about $9.4 trillion, a threefold increase since 2015. Ransomware payments exceeded $1 billion, while online payment fraud caused an estimated $38 billion in losses in 2023 (Colback, 2024). In response to these alarming figures, governments are ramping up their efforts to strengthen cybersecurity. For instance, the US Government has proposed a $13 billion budget for IT security in 2025, up from $11.8 billion in 2024 (Colback, 2024).
While several factors contribute to cybersecurity risk, the human element remains one of the most critical and vulnerable factors in organizational systems. According to Nobles (2018), 8% of employees are responsible for approximately 80% of security-related errors, indicating how a small fraction of the workforce can significantly amplify risk exposure. These errors are frequently caused by inadequate cybersecurity hygiene, such as using weak passwords or not adhering to standard security protocols (Hadlington, 2017; Parsons et al., 2019). For example, in 2023, there was a cybersecurity attack on MGM Resorts in Las Vegas, where hackers used social engineering to obtain access and took advantage of weak login credentials. The event shows how readily human-related vulnerabilities can be exploited, leading to extensive service interruptions, data breaches, and financial losses (Colback, 2024).
Learning objectives
The learning objectives of this case study are as follows:
1. Explain the human element in cybersecurity management.
2. Analyze the importance of cybersecurity awareness.
3. Identify issues with the cybersecurity management of an organization.
4. Analyze and critique the various techniques used by organizations to strengthen the human element in the cybersecurity management process.
5. Debate the balance between human factors and systemic factors in causing cybersecurity vulnerabilities.
About the case study
In this case study, you take on the role of a cybersecurity consultant who was hired following a significant phishing attack at MFashion. Your role is to investigate the cybersecurity incident and recommend strategies and solutions that the company could adopt to minimize the risk of such incidents in the future.
MFashion started its operations in 2009. It began initially as a fashion manufacturer of Muslim apparel and accessories before expanding to retail. In the past, customers often had to alter the clothes they purchased to achieve a proper fit and ensure comfort. Due to its innovative design and growing popularity, MFashion has expanded its retail presence to more than 30 small retail stores across Malaysia, Indonesia, and the United Kingdom. MFashion also has an online store that processes customer payments and personal data. The online store uses Shopify as its e-commerce platform. The platform enables MFashion to support various aspects of e-commerce, including product management, payment processing, and targeted customer personalization. MFashion also integrates social media sharing features to enhance product visibility. Its payment system is integrated with multiple banks and payment platforms in Malaysia.
MFashion can be considered a small and medium-sized enterprise (SME) with a limited number of IT staff, which is typical for companies of its size. Like most SMEs, MFashion faces cybersecurity vulnerabilities due to constrained resources. With limited IT staff often overburdened with multiple roles, SMEs struggle to implement robust security measures. The lack of dedicated cybersecurity expertise also means SMEs often fail to respond to cybersecurity attacks promptly. The financial stakes are also higher for SMEs. Large corporations have the financial resources to absorb the damages caused by cybersecurity attacks, but for SMEs with limited resources, such attacks could disrupt their operations.
The story about the phishing attack
You decide to pay the company a visit to begin your investigation. You first interview the CIO (Chief Information Officer), John. John mentioned that the phishing attack occurred in January 2023. The attack targeted a single transaction: a purchase of fabric for MFashion’s production. MFashion usually buys in massive quantities and has been doing business with the supplier for many years. He believed that the “access to our systems was breached for quite some time before the [phishing] attack happened.” The attackers likely infiltrated MFashion’s email systems and monitored communications for weeks or even months before launching the phishing attack, in order to identify vulnerabilities they could exploit.
He remarked that: “So, we made one payment for that particular fabric, which turned out to be a phishing scam [attack]. Somehow, the scammers hijacked the email thread between us and our suppliers. What happened is they acquired an email domain similar to the supplier. They get into the email thread and reply to the email thread, posing as our suppliers. The way they communicated with our staff was no different than the actual person from the supplier. They tricked our staff into transferring our payment to the supplier into a different bank account.”
The company discovered the phishing attack about a week later, when the real supplier contacted them for payment. Upon realizing it was a phishing attack, the company immediately reported the matter to the police. John noted that: “We still haven’t recovered the money yet, and the investigation with the police is still going on. So yeah, that was one of the biggest ones we faced, and it opened up many eyes in the management to tackle cybersecurity issues.”
The company was badly affected by the phishing attack. John stated: “We banked in a lot of money. However, we contacted the bank to request a hold and freeze on the payment. But the money had already been transferred out to another country. The authorities investigated the bank account, but it is completely empty and inactive.”
You start to reflect on John’s statements. Detection of the phishing attack seems to have been far too slow. The chances of recovering the money are higher when a phishing attack is detected quickly. Here, detection came about a week after the transfer was made, and only because the real supplier contacted the company. You wonder how long it would have taken MFashion to detect the phishing attack if it had not received the payment reminder from the real supplier.
The phishing attack strained MFashion’s supplier relationship, as the real supplier questioned the delayed payment, raising concerns about MFashion’s operational reliability and security practices. MFashion did not disclose the actual amount of its financial loss. Fortunately, no customer data was compromised during the incident, as the attack focused solely on diverting a payment. This helped reassure customers that their data remained safe. However, the reputational damage from the attack could have deterred partnerships with larger organizations that rely on MFashion’s cybersecurity for their supply chains. To date, MFashion has reported no widespread customer complaints or indications of data misuse, reinforcing that the attack was isolated to that single phishing event.
You look further into the IT infrastructure of MFashion, and it becomes clear that the company relied on basic email security tools such as spam filters but lacked advanced phishing detection. The finance team also used a shared company email account for all communications with vendors and customers. While this may have seemed convenient, it likely increased exposure to impersonation attacks.
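The kind of check the spam filters in the case did not perform, as an added illustration that is not part of the original case: the pattern John describes is a reply inside an existing thread, sent from a domain that merely resembles the supplier’s, asking for payment to go to different bank details. The supplier domains, the sample message and the phrase list below are constructed for the example.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist of supplier domains the finance mailbox legitimately
# corresponds with (hypothetical names, not taken from the case).
KNOWN_SUPPLIER_DOMAINS = {"acmefabrics.com", "textilepartners.my"}
# Cheap heuristic: fold digit-for-letter swaps used to build visually similar domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Phrases typical of a request to redirect payment (constructed list).
BANK_CHANGE_PHRASES = ("bank account details have changed", "new account", "updated bank details")

def lookalike_of(domain, known=KNOWN_SUPPLIER_DOMAINS, threshold=0.85):
    """Return the known supplier domain that `domain` imitates, or None.
    An exact match is genuine; a near match at or above `threshold` is a lookalike."""
    raw = domain.lower().strip()
    if raw in known:
        return None
    folded = raw[4:] if raw.startswith("www.") else raw
    folded = folded.translate(HOMOGLYPHS)
    best, best_score = None, 0.0
    for k in known:
        score = SequenceMatcher(None, folded, k).ratio()
        if score > best_score:
            best, best_score = k, score
    return best if best_score >= threshold else None

def check_message(raw):
    """Score one raw RFC 822 message for the pattern in the case: a reply inside an
    existing thread, from a lookalike supplier domain, asking for payment to new bank details."""
    msg = email.message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    imitated = lookalike_of(sender_domain)
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    bank_change = any(p in body for p in BANK_CHANGE_PHRASES)
    if imitated and (in_thread or bank_change):
        risk = "high"     # hold the payment and verify the details out of band
    elif imitated or bank_change:
        risk = "medium"
    else:
        risk = "low"
    return {"sender_domain": sender_domain, "imitates": imitated,
            "in_thread": in_thread, "bank_change": bank_change, "risk": risk}

# Constructed sample message reproducing the thread-hijack pattern (not real traffic).
SAMPLE_HIJACK = """\
From: Orders <orders@acmefabric5.com>
To: finance@mfashion.example
In-Reply-To: <20230105.4471@acmefabrics.com>
Subject: RE: Invoice 4471 - payment

Please note our bank account details have changed. Kindly remit to the new account below.
"""
```

A mail gateway or a small script over the shared finance mailbox can route any "high" result to a hold queue, which is the detection step MFashion lacked.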
Cybersecurity challenges
You discussed with John the challenges he faced. He appeared quite frustrated: “I think the lack of awareness. People have no issue sharing their passwords with their friends. People would just leave their laptops at their desks with all the private and confidential information displayed on the screen when they go to the bathroom, or they just want to have a drink or something like that. So, it's frustrating to have to actually change the culture in the company. System-wise it is easy to just change a lot of settings. You can just enforce this and that. But the weakest link is actually the user. They can undermine the systems or the processes that are in place. So, it is the variable that is really out of our control. Basically, that is the most frustrating thing for me.”
John explained the cybersecurity awareness level of the employees. He noted that many of the employees lack awareness about matters beyond their immediate scope of work. These employees show up to work, focus on their tasks, and tend to overlook other essential aspects of their roles. They often fail to understand the importance of completing cybersecurity training or why topics like phishing are critical to the organization’s safety. When the company introduced mandatory cybersecurity training, it was met with complaints from certain staff members who viewed it as an unnecessary imposition.
John also speculated that some employees do not take cybersecurity seriously until a cybersecurity incident happens to them. As John remarked, “An incident occurs and that is when people will start seeing the value of having proper cyber security efforts in any company. But until that happens, people will just not prioritize it and then put it on the back burner.”
Although you are alarmed by this statement, you know that this situation is common among the clients you have investigated. Many employees are not aware that cyberattacks can exploit human negligence in cybersecurity. For instance, clicking on a malicious link can compromise an entire network. These employees may also not be aware that the organization could face costly legal ramifications because of negligence.
John also mentioned the lack of management support: “It is just the lack of priority from the management […]. Revenue-generating activities more than cyber security, even in IT [is] ranked [as] a lower priority than others. For example, we always focus on stuff like automation, how to make people’s jobs easier with technology and [other] stuff like […] handling tickets, handling issues in the office. So, cybersecurity ranks quite low.”
You also wonder if the lack of priority is due to a lack of awareness. Many small business owners may not fully understand the risks and consequences of neglecting cybersecurity. Cybersecurity can be expensive, and many small and medium-sized firms do not have the resources to invest in robust security measures. Given the resource constraints, top management prioritizes more immediate, tangible business needs like sales, marketing, or operations over something that feels unlikely to happen. Without experiencing cybersecurity attacks, they might underestimate its importance. Furthermore, some small firms have only one staff member allocated to all IT tasks, which worsens the issue.
Cybersecurity wake-up call
You investigate further to determine the actions taken by the company since the cybersecurity attack. John noted, “This was one of the things that we immediately changed afterward. We need to have, at a minimum, two different channels of confirmation from the supplier for the details. Previously, before the incident, it was just one channel, meaning they sent it through email, WhatsApp, or whatever channel of communication. Then we just wired the money through that account details.”
The internal control processes around changes to payment details seem to have been inadequate. Before the attack, MFashion appears to have relied on email alone for payment approvals, creating a single point of failure. He continued: “After the phishing incident, we realized that one channel could be compromised. So, we now must have at least two channels of confirmation. This could be WhatsApp plus email or email plus a video call or something like that, just to confirm that we are transferring the money to the correct account.”
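The two-channel rule John describes, written out as an approval check. This is an added example, not MFashion’s procedure, and it goes one step further than the case states: confirmations count only when they are obtained through a contact already on file for the supplier (never through a number or address supplied in the change request) and only on channels other than the one the request arrived on, since that channel is the one an attacker may control. Supplier name, contact details and account strings are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Confirmation:
    channel: str   # e.g. "phone", "whatsapp", "video", "email"
    contact: str   # the number/address the confirmation was actually obtained through
    account: str   # the bank account the contact confirmed

@dataclass(frozen=True)
class BankChangeRequest:
    supplier: str
    channel: str       # channel the change request arrived on (in the case: email)
    new_account: str

# Constructed supplier contact directory, captured at onboarding and before any
# change request (hypothetical values). Callbacks go only to these contacts.
CONTACTS_ON_FILE = {
    "Acme Fabrics": {"phone": "+60-3-0000-0000", "whatsapp": "+60-12-000-0000",
                     "email": "ap@acmefabrics.com"},
}

def approve_bank_change(req, confirmations, min_channels=2):
    """Return (approved, reasons). Approval needs `min_channels` confirmations on distinct
    channels, none on the request's own channel, each reached via a contact on file,
    and each confirming the same account that was requested."""
    on_file = CONTACTS_ON_FILE.get(req.supplier, {})
    accepted, reasons = {}, []
    for c in confirmations:
        if c.channel == req.channel:
            reasons.append(f"{c.channel}: same channel the request arrived on; not independent")
        elif on_file.get(c.channel) != c.contact:
            reasons.append(f"{c.channel}: {c.contact} is not the contact on file")
        elif c.account != req.new_account:
            reasons.append(f"{c.channel}: contact confirmed a different account")
        elif c.channel in accepted:
            reasons.append(f"{c.channel}: duplicate channel ignored")
        else:
            accepted[c.channel] = c
    if len(accepted) >= min_channels:
        return True, reasons
    reasons.append(f"only {len(accepted)} independent confirmation(s); {min_channels} required")
    return False, reasons

# Constructed scenario mirroring the case: new account details arrive by email.
REQUEST = BankChangeRequest("Acme Fabrics", "email", "NEW-ACCT-0001")

def weak_check():
    """A callback to a number taken from the email itself plus an email reply: rejected."""
    return approve_bank_change(REQUEST, [
        Confirmation("whatsapp", "+60-19-999-9999", "NEW-ACCT-0001"),  # number from the email
        Confirmation("email", "ap@acmefabrics.com", "NEW-ACCT-0001"),   # same channel as request
    ])

def strong_check():
    """Two callbacks through contacts on file, on channels other than email: approved."""
    return approve_bank_change(REQUEST, [
        Confirmation("phone", "+60-3-0000-0000", "NEW-ACCT-0001"),
        Confirmation("whatsapp", "+60-12-000-0000", "NEW-ACCT-0001"),
    ])
```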
To address the awareness issues with the employees, John mentioned that “After any awareness campaigns, [that is] the information that we send to all our staff, we also put in place certain enforcement through [the] system. So, for example, if we want the staff to change their password to something more secure, then we [do] through the system itself. We set a password policy. You need to have at least one capital letter, one number, one special character, [and] stuff like that.”
John informed you that there are regular random spot-checks throughout the company on whether MFashion employees are complying with the company’s policies: “For certain things that we are unable to enforce through the system, we would have regular follow-ups randomly to any staff just to check if hey, did you remember that we told everyone about this?”
John also noted that MFashion has tried some innovative awareness messaging: “We have an internal bulletin board to put out [the] bi-weekly newsletter from [the IT department] ... saying the security risk of using certain tools —basically, newsletter campaigns. We also have strengthened our onboarding program. For new hires, when they read through [the] onboarding guide, which includes [the] IT SOP, they have to answer quizzes at the end, just to see if they actually read the material, and we also sometimes put out … TikTok videos. So, awareness is just basically a marketing campaign.”
You also had a meaningful discussion with a senior colleague, Adnan, who pointed out: “It is actually about securing the human, the people inside the organization. So, when we talk about cybersecurity, we always say that the weakest link in any SME organization when it comes to cybersecurity is always the human.”
People are often considered the weakest link in an organization’s cybersecurity chain. A substantial majority of cyber incidents, phishing attacks, data breaches, and ransomware attacks are attributable to human vulnerabilities (Jeong et al., 2019; Nobles, 2018). Even if MFashion spends extensively on technology, technology alone cannot prevent cybersecurity attacks if human factors are not addressed. Cyber attackers frequently target human vulnerabilities because doing so is often less complicated than exploiting technological weaknesses (Nobles, 2018). The problems caused by human factors stem from various issues, including unintentional errors and behavioral factors. Unintentional errors often result from a lack of knowledge and skills, negligence, or misinformation regarding cyber threats. Specific examples include forgetting to log out of systems, unknowingly clicking malicious emails or links, and creating weak passwords. Risky behaviors and lack of motivation also contribute to security issues (Kadena and Gupi, 2021).
However, another colleague, Daniel, argued that the human element is not the problem; rather, processes and systems need to account for and mitigate human vulnerability. The human element is an inherent part of any organization, and errors arising from human behavior are natural. Blaming employees for cybersecurity lapses overlooks the processes and technologies that should have accounted for these lapses.
Cybersecurity is fundamentally a socio-technical issue, meaning it involves the interaction between human factors, organizational factors, and technology. Errors can be unintentional, stemming from a lack of knowledge and skills, negligence, or misinformation. However, these issues are often enabled by organizational shortcomings: poorly written rules, unclear procedures, poor management practices, heavy workloads, and inadequate staffing can all lead to weaknesses in human factors (He and Zhang, 2019). Policies and rules perceived as too costly or difficult to follow are often not followed (Pollini et al., 2022). Usability problems with security mechanisms also lead users to avoid them or make mistakes, ultimately undermining security.
You realize that MFashion’s phishing attack stemmed from human error, inadequate processes, and insufficient security measures. Employees’ lack of cybersecurity awareness compounded the risk. Post-attack, MFashion introduced dual-channel verification for payments, stricter password policies, and awareness campaigns (e.g., newsletters, quizzes at the end of onboarding, and TikTok videos). You know that challenges and weaknesses still persist at MFashion. You wonder whether the actions taken by the company are sufficient.
Suggested questions
The following are the suggested questions:
(1) MFashion used TikTok videos, newsletters, and quizzes to improve cybersecurity awareness. Are these methods likely to be effective for MFashion? What alternative approaches could better engage employees who view cybersecurity training as a low priority?
(2) How did MFashion management’s lack of prioritization of cybersecurity worsen the company’s vulnerabilities?
(3) The case highlights a culture of complacency around cybersecurity (e.g., employees ignoring training and sharing passwords). How can leadership foster a culture where employees take ownership of cybersecurity?
(4) MFashion implemented dual-channel payment verification and password policies after the attack. Are these measures enough to prevent future cybersecurity incidents? In addition to management’s and cultural emphasis on cybersecurity (as discussed in Question 3), and the existing payment verification and password policies, what additional technical and procedural changes would you recommend to address systemic vulnerabilities?
(5) The CIO of MFashion, John, and your colleague, Adnan, blamed employees for lax security practices (e.g., password sharing and leaving laptops unattended with sensitive information visible on-screen). However, another colleague, Daniel, argued that systems and processes should account for human vulnerabilities. Do you agree more with John and Adnan (human weakness) or Daniel (process and system faults)? How can organizations balance employee accountability with designing systems that mitigate human error?
Declaration of conflicting interests
The authors declared that they have no potential conflict of interest with respect to the research, authorship, and/or publication of this article.
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
