Graham Pelham, IT security manager at Harrogate-based logistics firm Westbridge Solutions, has confirmed that he spent the entirety of Thursday morning re-explaining the fundamental concept of email phishing to finance director Jennifer Cartwright, who has successfully fallen for similar attacks on at least three separate occasions since 2019.
The latest incident occurred at 9.47am on Tuesday when Cartwright forwarded her login credentials to an email address purporting to be from the company’s IT department, despite the sender’s address ending in ‘.ru’ and the message requesting her ‘urgent password for security purpose’.
Pelham, who has worked at Westbridge for seven years and maintains a spreadsheet tracking these incidents that he is not permitted to share with senior management, conducted the hour-long remedial session in Meeting Room B. The session covered such topics as ‘why Microsoft would not email you directly’, ‘the difference between a legitimate IT request and a criminal one’, and ‘basic pattern recognition’.
“Jennifer is very engaged with these training sessions,” said Pelham, staring at a point roughly three inches above this reporter’s head. “She always assures me that she’s got it now, that it all makes perfect sense, and that she can’t believe she didn’t spot the signs. Then she asks if I can reset her password because she’s written it down somewhere but can’t remember where.”
The password in question was visible on a yellow Post-it note affixed to the underside of Cartwright’s keyboard throughout the interview, reading ‘Westbridge2019!’ in blue biro.
Cartwright’s previous encounters with phishing attacks include a 2019 incident in which she attempted to claim a £5,000 Amazon voucher from an email address called ‘[email protected]’, and a 2021 episode involving what she described as a ‘very convincing’ message from the Chief Executive asking her to purchase £2,000 in iTunes gift cards for a client emergency. The Chief Executive has never asked anyone to purchase iTunes gift cards, does not know what iTunes gift cards are, and was on annual leave in the Algarve at the time.
“The thing about phishing is that it preys on people who act before they think,” Cartwright explained, forwarding an email as she spoke that promised her parcel would be returned to sender unless she confirmed her delivery details within two hours. “I’m normally quite careful, but these people are getting more and more sophisticated. Graham showed me some of the warning signs to look for, and I feel much more confident now.”
When asked whether she felt the training had been worthwhile, Cartwright confirmed that she absolutely understood the risks and would be far more vigilant going forward, before asking Pelham if he could help her install a browser toolbar that promised to speed up her internet connection by 400 per cent.
Pelham declined to comment further, though sources close to the IT department report that he has begun arriving at work with what colleagues describe as ‘a look of profound existential acceptance’.
The company has scheduled mandatory cybersecurity awareness training for all staff in March, which will be Cartwright’s fifth attendance at the same seminar since 2018.