Gary's Monday from Hell.
It's Monday morning. Gary's about to have the worst day of his life — and every single thing that goes wrong is someone manipulating him.
Gary opens the post at 6:30am. A letter from "Cipher Lane Council" says his coffee licence expires tomorrow. "Renew immediately at this link or your shop will be closed." Gary panics. The letter looks official.
Sarah stops him. "Gary, look at the address. It was sent to every shop on the street. It's not personal." She's right — hundreds of identical letters. That's phishing — mass, untargeted, playing on urgency and authority.
7am. Another letter — addressed to Gary personally, mentioning his shop name, his wife Sarah, and last Tuesday's health inspection. Someone researched Gary before writing this.
That's spear phishing — targeted, personalised, much harder to spot. That same morning, the Lord Mayor gets a beautifully formatted invoice from his "trusted accountant" — except the bank details have been changed. He pays £15,000 to a stranger's account. That's whaling — spear phishing aimed at the top.
8am. Gary's phone rings. "Good morning, this is the fraud department at your bank. I need to verify your PIN." The caller sounds professional, knows Gary's name. Gary's finger hovers over the keypad.
Sarah grabs the phone and hangs up. "If the bank needs you, you call them on the number on your card." That was vishing — voice phishing, exploiting fear ("fraud detected") and authority ("this is your bank").
Five minutes later, a text: "Royal Mail: Your parcel could not be delivered. Reschedule here." Gary almost clicks before Sarah takes his phone away.
That's smishing — SMS phishing.
9am. A bloke in a high-vis vest, carrying a clipboard, walks in. "Morning mate, I'm from British Gas. Need to check your meter — council's orders. Mind if I go out back?"
He's not from British Gas. He wants into the back office. That's pretexting — creating a believable false scenario to gain access. It works because of authority and trust. While the fake gas man distracts Gary, his accomplice walks in the back door directly behind a barista carrying milk crates. Nobody stops him. That's tailgating — following an authorised person through a secured entrance without being checked.
10am. Gary finds a USB stick on the doormat, labelled "Staff Bonuses 2026 — CONFIDENTIAL." His cleaner, curious, plugs it into the till computer. It installs malware.
That's baiting — leaving an enticing trap that exploits curiosity. The "confidential" label made it irresistible.
11am. Gary types his online banking password at the till. He doesn't notice the customer behind him watching his fingers on the keyboard.
That's shoulder surfing. Meanwhile outside, someone goes through Gary's recycling bins — printed bank statements, supplier invoices with account numbers, an old customer list. That's dumpster diving.
2pm. Gary opens his favourite website — the Cipher Lane Coffee Blog. Last night an attacker hacked the blog and injected invisible malware. Every visitor this week is getting infected.
That's a watering hole attack — instead of attacking Gary directly, the attacker compromised a place Gary trusts and visits.
5pm. Gary's mate calls: "Have you seen your website? There's a copycat!" Someone registered "GarysCoffeeShop.com" — with different characters. It looks identical to Gary's real site.
That's typosquatting — a look-alike domain designed to catch people who mistype or don't read carefully.
That evening, Gary sits with Sarah and makes a list of why every single con worked. The same five tricks, over and over.
Authority — "I'm from the council/bank/gas board." Urgency — "Your licence expires tomorrow." Fear — "Your account has been compromised." Trust — "Your accountant sent this." Scarcity — "Act now or lose access."
"Every single one of them," Sarah says. "They didn't hack your computer. They hacked you."
They didn't hack the computer. They hacked Gary. Every manipulation uses the same five triggers — authority, urgency, fear, trust, scarcity. Recognise the trigger and you break the spell. — Story 09 · Social Engineering