You Have Been Stormed
This article was written by Tim Chadwick and published by ITWeb, Lifestyle & Tech and AI Impact on 21 April 2026
#Specialized #BusinessCyber #RiskManagement #CutRiskNotCorners
Everyone at some point clicks something they should not have. An email link, without thinking. Or, in a rush, you click a web or domain address before checking it out. In this story, about a forty-person electrical engineering firm in Germiston, that person was Koos.
Koos has worked in the accounts department for eleven years and has never once submitted an expense claim late. He clicked a link for a free KFC voucher on a Thursday afternoon at precisely 16:12. I know this since Koos called me three days later. Not to ask for risk advice. To confess.
Esme, the IT manager, had spent the last fourteen months creating something that would impress anyone who understood what they were looking at. A managed firewall, multifactor authentication, a 432-page cyber security manual with headings, sub-headings and bullet points, endpoint protection on every machine and a password policy enforced with the methodical calm of a woman who understood that the alternative was explaining to the CEO why the payroll system was encrypted and the attackers wanted heaps of Bitcoin. Twenty-seven of the forty opened the manual. Twelve read past page one, or maybe the first sentence. The one person who read past page two was, you guessed it, Esme. Besides bombarding users with weekly compulsory cyber training ABC tests, she had also run a phishing simulation (a pet favourite of hers), a fake email to see who would click. Sixteen people clicked. Koos was not one of them.
That Thursday, he was.
The email offered a free KFC voucher worth R150. A chicken patty with a secret crumbed coating. Yummy. All that was required was one click to verify an email address. No request for banking details. A voucher, which found a nice man with a debit run almost done and a raging appetite.
He clicked. Storm arrived. Not the KFC.
Storm is malware. Malware is not Tupperware for men. Malware is short for malicious software. It is the umbrella term IT professionals coined in the early nineties to cover everything from mildly annoying popups to the enterprise-grade criminal subscription product, which is what Storm is. The cost? Nine hundred US dollars monthly. Distributing Storm in South Africa carries a maximum of fifteen years under the Cybercrimes Act 19 of 2020. Rightly so. It is clearly illegal, but MaaS (Malware as a Service), paid for in cryptocurrency, is alive and well in places like Kazakhstan.
Storm is an infostealer, which is a subspecies of malware named, unusually for a technology product, with complete accuracy. It steals information. Specifically, info on Koos’s machine. It had not come for his KFC zinger. It had come for something much tastier.
Previous infostealers worked inside the machine: they would find the credentials, decrypt them locally, extract them and leave before the browser noticed. Browsers spent years getting very good at noticing.
Storm does not work inside the computer. It takes the encrypted files and opens them at home, on its own servers, say six months later, at no particular pace. In the meantime, nothing unusual happens on Koos’s device. While your browser is running its defences, Storm is busy with your files in a cosy room in Kazakhstan.
When a banking platform or similar application accepts your login, it issues a session cookie. The word cookie originated in 1994 when a Netscape engineer (not a cookie cutter) decided that “persistent client state object” needed friendlier branding. He looked at what it was: a small token handed to you on entry, containing a message, checked on every subsequent visit, and wrote cookie into the code. Why cookie and not brownie? Who knows. Anyway, it is a cool word for something that sits in your authenticated web browser tab (Chrome, for most people) and tells the server, on every action that follows, that this person has already proved themselves. No blood test is required. The tab is open. And someone has warm cookies.
But Storm takes the cookie. Not the password. The authenticated session. Your digital identity, verified, still trusted, still running, reconstructed on a different machine housed somewhere in Kazakhstan. This is what the security industry calls a “relay”: intercepting a legitimate communication and retransmitting it as if you were the authorised party. The bank sees valid authentication. It opens. Koos is in Germiston, but the session is now somewhere in Asia, decrypting the cookie information at their leisure.
So, in six months’ time, this is how a spitting-mad CEO comes to declare that someone in Kazakhstan has just cleared R5m from the business current account, and your charming “Not-My-Problem Bank” says that the correct authentication details were entered. And sorry for you… you own the R5m loss.
In the security industry this specific attack is called Pass the Cookie. In English, Storm is a brownie enthusiast. It does not want or need your password. It wants that brownie. Warm, authenticated, fresh from the oven and sitting in a background tab while Koos is on the phone.
Thank goodness for Esme. Her monitoring flagged the anomaly at 16:22. Authenticated payroll session. IP address, Kazakhstan. Koos’s credentials. She walked purposefully to his desk.
“Did you click anything this afternoon?” she said sternly.
Koos ran an unpleasant mental replay. He respected Esme, but he was not a fan.
“Ja…I clicked many things.”
Esme’s stare became slightly more intimidating.
“Oh, there was a KFC thing,” he said.
Esme said nothing for a moment. In that “ag nee man” (roughly, “oh no, man”) pause lived fourteen months of architecture, countless mandatory training sessions, many ABC tests, one phishing simulation and the particular professional grief of designing everything right and watching it come undone by a free chicken patty.
“Hier kom groot….drama,” (“Here comes big… drama,”) she said slowly, and walked back to her desk.
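Esme’s monitoring caught the session the moment it turned up from the wrong country. The script below is an added example, not code from the article or from any product Esme used: it reads a few constructed log lines in an invented key=value format (user names, session ids and times are made up to mirror the story, and the IP addresses come from the RFC 5737 documentation ranges), binds each session id to the country it was issued in at login, and raises an alert for every later use of that session from somewhere else.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. The format, users, session ids and addresses are all
# invented for this example; the timeline mirrors the story (login before 16:12,
# payroll access from abroad at 16:22).
SAMPLE_LOG = """\
2026-04-16T16:11:58 user=koos session=s-7f3a ip=198.51.100.10 country=ZA event=login mfa=ok
2026-04-16T16:12:40 user=koos session=s-7f3a ip=198.51.100.10 country=ZA event=payroll.view
2026-04-16T16:15:03 user=esme session=s-91c0 ip=198.51.100.11 country=ZA event=login mfa=ok
2026-04-16T16:22:17 user=koos session=s-7f3a ip=203.0.113.5 country=KZ event=payroll.view
2026-04-16T16:22:45 user=koos session=s-7f3a ip=203.0.113.5 country=KZ event=payroll.export
2026-04-16T16:23:10 user=esme session=s-91c0 ip=198.51.100.11 country=ZA event=payroll.view
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.+)$")


def parse_line(line: str) -> Optional[dict]:
    """Turn one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = m.group("ts")
    return fields


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    session: str
    issued_country: str
    seen_country: str
    seen_ip: str
    event: str


def find_session_country_changes(log_text: str) -> List[Alert]:
    """Flag every use of a session from a country other than the one it was issued in.

    The login event binds the session id to the country of the client that
    completed authentication. Any later event on that id from another country
    is an alert, and so is a session id we never saw log in at all.
    """
    issued: Dict[str, Tuple[str, str]] = {}   # session id -> (country, user) at login
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f is None:
            continue
        sid = f["session"]
        if f.get("event") == "login":
            issued[sid] = (f["country"], f["user"])
            continue
        origin = issued.get(sid)
        issued_country = origin[0] if origin else "unknown"
        if issued_country != f["country"]:
            alerts.append(Alert(f["ts"], f["user"], sid, issued_country,
                                f["country"], f["ip"], f["event"]))
    return alerts


if __name__ == "__main__":
    for a in find_session_country_changes(SAMPLE_LOG):
        print(f"{a.ts} {a.user}: session {a.session} issued in {a.issued_country}, "
              f"now used from {a.seen_country} ({a.seen_ip}) for {a.event}")
```

On the sample log this reports the two payroll events at 16:22 on Koos’s session and nothing for Esme’s. A session id that appears with no login on record is reported as issued in “unknown”, which is exactly the shape a cookie dropped onto a foreign machine takes when the login happened somewhere the monitoring could not see.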
Esme had configured 2FA (two-factor authentication) on every work computer, including Koos’s machine. Two separate proofs of identity are required before entry: a password and a One Time Password (OTP) sent to the user’s cellphone. The OTP usually expires in thirty seconds. Storm is undeterred. He waits for both proofs to succeed and then, boof, he takes what works: the already-authenticated session. The two impenetrable locks you thought you had, 2FA and your password, were intact and fixed on your computer’s door. Storm visited Koos after he unlocked them with the help of a KFC voucher. And then helped himself. Frightening.
Passkeys are a big part of the defence. A passkey is a pair of digital keys. One (the private key) stays on your device, the other (the public key) is held by the service. They verify each other without credentials crossing the network. No OTP or password to intercept. No warm brownie. The authentication happens on the device and produces no password or OTP that Storm can relay or steal. South African banks support them. Four minutes per user to set up. Esme had mentioned this. It was on page nineteen. But it needed the CEO to sign off on it.
Another key defence mechanism is a password manager. A password manager, which comes at a cost (though some offer free tiers), remembers the passwords you forget the moment you enter them. Unless you only use Biscuit2019 (Biscuit, your border collie, was born in 2019). It is either a very useful product or a neat trick to hand a baddie your login details. The alternative is copying and pasting passwords, but this leaves a brownie trail. Storm loves a brownie trail. A password manager generates a unique password for every account and autofills only into the correct domain. Not the KFC lookalike. The verified website URL. It does not click out of hunger. It reads the address and fills it. Or does not fill it, if it smells skulduggery.
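The “reads the address and fills it, or does not” rule is the part of a password manager that beats a lookalike page. The Python below is an added example of that rule, not code from the article or from any real password manager: the vault entries and every domain in it are constructed placeholders under the reserved .example top-level domain. It fills only when the page is served over https and its host is exactly the saved host or a subdomain of it, so a host that merely contains or resembles the saved one gets nothing.

```python
from urllib.parse import urlsplit
from typing import List, Tuple

# Constructed vault. Sites are placeholders under ".example", not real services,
# and the passwords are obviously not real either.
VAULT = [
    {"site": "https://online.bank.example", "username": "koos", "password": "T9p!example"},
    {"site": "https://rewards.chicken.example", "username": "koos", "password": "Qm4$example"},
]


def host_matches(saved_host: str, page_host: str) -> bool:
    """True only if the page host is the saved host or a subdomain of it.

    The leading dot in the suffix test is what rejects lookalikes: with a saved
    host of 'online.bank.example', 'online.bank.example.evil' does not end with
    '.online.bank.example', and neither does 'notonline.bank.example'.
    """
    return page_host == saved_host or page_host.endswith("." + saved_host)


def autofill_decision(saved_site: str, page_url: str) -> Tuple[bool, str]:
    """Decide whether a credential saved for saved_site may be filled into page_url."""
    saved, page = urlsplit(saved_site), urlsplit(page_url)
    saved_host = saved.hostname or ""   # .hostname is already lower-cased and port-free
    page_host = page.hostname or ""
    if page.scheme != "https":
        return False, "refuse: page is not served over https"
    if not page_host.isascii():
        # This vault only holds ASCII hosts, so a host with look-alike non-ASCII
        # letters (a Cyrillic 'а' for a Latin 'a', say) can never be one we saved.
        return False, f"refuse: non-ASCII host {page_host!r}"
    if not host_matches(saved_host, page_host):
        return False, f"refuse: {page_host} is not {saved_host} or a subdomain of it"
    return True, f"fill into {page_host}"


def entries_for_page(vault: List[dict], page_url: str) -> List[str]:
    """Usernames the manager would offer on this page; empty means 'smells skulduggery'."""
    return [e["username"] for e in vault if autofill_decision(e["site"], page_url)[0]]


if __name__ == "__main__":
    # Constructed URLs: the real login page, and three lookalikes a voucher email might link to.
    for url in ("https://online.bank.example/login",
                "https://online.bank.example.evil/login",
                "https://online-bank.example/login",
                "http://online.bank.example/login"):
        print(url, "->", autofill_decision("https://online.bank.example", url)[1])
```

Real password managers refine the subdomain rule with the Public Suffix List, so that two unrelated customers of one hosting platform do not count as the same site; the exact-or-subdomain test here is the simplest version that still refuses every lookalike in the story.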
Password managers are not foolproof, no cyber security is. One thing is sure. Storm has an intense dislike for password managers and people who close unused tabs. They deprive him of warm brownies.
Esme had recommended one. Page eleven.
It was not just hunger that made Koos click. It was that dangerous cocktail of end of day fatigue at 16:12 and that familiar voice whispering “I deserve this”, plus the itch of FOMO when a limited time R150 voucher promised a juicy KFC chicken patty. Gratis. After all, which Saffer reads the fine print when their stomach is already halfway to the drive thru?
The truth is, most people treat Esme’s 432 page cyber manual and endless ABC tests the same way they treat a fire extinguisher on the wall. Something that exists for other people’s emergencies. “It won’t happen to me” is a powerful optimism bias drug and “That’s Esme’s problem, not mine” is even stronger.
You may think changing the password is the fix. Not so. On most systems, changing the password alone does nothing to the stolen session. Storm already has the cookie. The session stays alive in Kazakhstan until it expires naturally or someone forces it closed. That is why Esme says the real fix is logging out of all active sessions everywhere. And annoyingly, she is right again.
Biases are Storm’s best friend. Particularly convenience bias: the voice that tells the brain that a password manager adding five seconds is a drag and Biscuit2019 is the obvious choice. The brain is not wrong that five seconds is longer than zero. Duff beer. It is wrong about what is being measured.
The KFC takeaway. Always assume risk biases will win and that risk mitigation may fail, so cyber insurance is an absolute must. A cyber policy does not stop the click. It just means an irresponsible click may not end the business.
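Two of the story’s points live in the same piece of server code: the session that exists after password and OTP both succeed is a plain bearer token, and swapping the password hash does not touch it. The Python below is an added example of a minimal session store, not the article’s code nor any bank’s: user names and passwords are constructed, and the password hashing (PBKDF2 from the standard library) is a stand-in for whatever a real system uses. It shows a login that issues a session only after both factors pass, a password change that leaves the stolen session alive, a password change that bumps a “password generation” so every existing session fails validation, and a log-out-everywhere that revokes them outright.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0      # incremented on every password change that should end sessions


@dataclass
class Session:
    sid: str
    user: str
    pw_generation: int          # generation of the password that was current at login
    revoked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the site's real password hashing; PBKDF2 is in the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _hash(password, salt))

    def login(self, name: str, password: str, otp_valid: bool) -> Optional[str]:
        """Both proofs must pass; only then is a bearer session id (the cookie) issued."""
        u = self.users.get(name)
        if u is None or not otp_valid:
            return None
        if not secrets.compare_digest(_hash(password, u.salt), u.pw_hash):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, name, u.pw_generation)
        return sid

    def is_valid(self, sid: str) -> bool:
        """What every later request checks: nothing but the presented session id."""
        s = self.sessions.get(sid)
        if s is None or s.revoked:
            return False
        return s.pw_generation == self.users[s.user].pw_generation

    def change_password_only(self, name: str, new_password: str) -> None:
        """What the story says most systems do: the hash changes, live sessions carry on."""
        u = self.users[name]
        u.pw_hash = _hash(new_password, u.salt)

    def change_password_and_revoke(self, name: str, new_password: str) -> None:
        """Password change that ends every session issued under the old password."""
        u = self.users[name]
        u.pw_hash = _hash(new_password, u.salt)
        u.pw_generation += 1        # every existing session now fails is_valid

    def logout_everywhere(self, name: str) -> None:
        """Esme's fix: force every active session for the user closed."""
        for s in self.sessions.values():
            if s.user == name:
                s.revoked = True


def demo() -> tuple:
    """Returns (valid after login, still valid after naive change, valid after proper change)."""
    store = SessionStore()
    store.add_user("koos", "Biscuit2019")                      # constructed credentials
    cookie = store.login("koos", "Biscuit2019", otp_valid=True)  # the token an infostealer would copy
    before = store.is_valid(cookie)
    store.change_password_only("koos", "Biscuit2026")
    after_naive = store.is_valid(cookie)                       # still True: the cookie is untouched
    store.change_password_and_revoke("koos", "Biscuit2027")
    after_proper = store.is_valid(cookie)                      # False: generation no longer matches
    return before, after_naive, after_proper


if __name__ == "__main__":
    print("valid after login, after naive change, after revoking change:", demo())
```

The generation counter is the cheap way to get “log out everywhere” for free on every password change without scanning the session table; the explicit logout_everywhere is what you reach for when the password is not the thing being changed.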
Koos has not clicked anything since. He is careful now in the way of someone who has been mentioned in a post incident report.
Esme got the go ahead on the compulsory password manager. All forty users. Passkeys protocol. Check. And a lekka nod of acknowledgement from the CEO that she had been right about most of her 432 pages. Applause.
The new document is 561 pages. It is on the CEO’s desk for sign off. Again.
Koos has read to page two. And he did pass the ABC tests. And he now knows there is no such thing as a free lunch, especially when it is delivered by KFC at 16:12.
Koos has also, for the record, stopped eating KFC. This was not my advice. I think it was guilt by association.
Disclaimer: This is a work of fiction for educational purposes only. No permission is granted for AI training, scraping or use in model development. The characters, events and conclusions described are hypothetical and illustrative. This content is not professional insurance, financial or legal advice and should not be relied upon as such.
About The Author: Tim Chadwick is the CEO of Chadwicks. He advises businesses and individuals on risk and insurance. He also writes on the psychology of risk.