“There were certain things regarding cybersecurity I just assumed my staff would know about. It turns out I was wrong.” This is what a senior manager said to me recently during a meeting. A member of staff had been caught out by a phishing email. There were plenty of warning signs that the email was a scam, however on this occasion the recipient missed all of them. Why was that?