Become a Cyber Guardian

A sample from Raymond A. Parkes

A cyber-forensic field guide to digital evidence, real cybercrime, and practical defence.

Prologue - The Knock at the Door

The call came in on a Tuesday, a little after nine in the morning. By the time I reached the office park, the woman who had phoned me was standing in the car park, holding her phone in both hands as though it might bite her.

She ran a small import business. Eleven staff, a warehouse, two decades of careful work. The day before, her bookkeeper had paid an invoice the way she paid a hundred invoices a year, by following the banking details on an email from a supplier they had used since the business began. The email looked exactly like every other email from that supplier. The same logo. The same signature. The same slightly formal turn of phrase the supplier's accounts clerk always used. Only one thing had changed, and it was the one thing nobody had reason to check: the account number.

Four hundred and twelve thousand rand had left her account and, within the hour, had been broken into smaller amounts and moved on through a chain of accounts she would never trace.

She did not understand how it had happened. She had not clicked anything reckless. No one had handed over a password. There was no dramatic break-in, no hacker in a hood hammering at a keyboard. To her, it felt like the money had simply evaporated, and the not-understanding was almost worse than the loss. "We're careful people," she kept saying. "We're not stupid."

She was right. They were not stupid. They had been read.

This is what cybercrime actually looks like when it lands in someone's life. Not a Hollywood scene of cascading green code, but an ordinary morning, an ordinary email, and a quiet, devastating moment when an honest person realises they have been steered, gently and precisely, into making a mistake on someone else's behalf.

My work begins at that moment. I am a cyber-forensic investigator. I am the person who arrives after the money is gone, after the account is locked, after the breach notification has landed, and whose job is to reconstruct, from whatever fragments remain, what happened, how, and what can still be done. I read email headers the way a detective reads a room. I follow logs, timestamps, domain registrations and device traces backwards through time until the shape of the attack reveals itself.

What I have learned, in years of doing this, is that almost every case I see could have been prevented, or at least survived with far less damage, by a handful of habits that no one had ever explained in plain language. The people I meet are not careless. They have simply never been shown how this world works from the inside, by someone who has stood in the wreckage and traced the wires back.

That is the book you are holding. It is not a textbook, and it is not written to frighten you into buying something. It is a field guide, written by someone who investigates these crimes for a living, built around the real shapes that cybercrime takes and the real ways ordinary people and ordinary businesses can defend themselves.

Throughout the book you will find short passages marked From the Casebook. These are composites, drawn from patterns I have seen many times, with every identifying detail changed to protect the people involved. They are here because the lessons of this field do not lodge in the memory as rules. They lodge as stories, the way they lodged in mine, standing in a car park on a Tuesday morning, watching an honest woman try to understand how her own caution had been turned against her.

Let us begin where the work begins: with how to see what she could not.

Chapter 1 - The Invisible Crime Scene

On the evening of Friday, 12 May 2017, a radiographer at a hospital in the north of England went to pull up a patient's scan and found a ransom note instead. The screen had turned, as one nurse later described it, "the colour of a warning." A red panel demanded three hundred dollars in Bitcoin. She did what any sensible person does when a computer misbehaves: she tried another machine. It showed the same note. So did the one after that.

What she was watching, without knowing it, was a worm called WannaCry moving through the National Health Service faster than anyone could pick up a phone. Within hours it had reached dozens of NHS organisations. Ambulances were turned away. Operations were postponed. In some of the oldest hospitals in Britain, doctors went back to pen and paper because the records they needed were sealed behind encryption they could not break. The same malware was, at that moment, doing the same thing in roughly a hundred and fifty countries, to a German railway, a Spanish telecoms company, a Russian ministry.

I want to dwell on the detail that has stayed with me ever since, because it is the whole of cybersecurity compressed into a single fact. The flaw WannaCry exploited was not secret. Microsoft had released a patch for it almost two months earlier. Every organisation that fell had been handed the cure and had not taken it. The catastrophe was not, at bottom, a story about brilliant attackers. It was a story about an unremarkable Tuesday chore that did not get done.

That is the uncomfortable shape of this field. The gap between a quiet Friday and a national emergency is often something small and boring: an update deferred, a warning ignored, a box left unticked. Hold on to that idea. We will keep meeting it, in different costumes, for the rest of the book.

What We Actually Mean by the Word

Ask ten people what cybersecurity is and you will get ten answers, all of them partly right. To a man paying for his morning coffee with a tap of his phone, it is the invisible assurance that the money leaving his account is the money he intended to spend. To the woman who runs a small bakery, it is the quiet hope that her customer list and her till system stay hers. To a hospital administrator, it is patient confidentiality stretched across a tangle of machines that were never designed to talk to each other safely. None of them would use the same words, and none of them would be wrong.

There is a formal definition, and it is worth having: cybersecurity is the practice of protecting systems, networks, programs, and data from digital attack, unauthorised access, damage, or theft. Keep that sentence in your back pocket. But a definition is a photograph of something that will not hold still. The reason cybersecurity resists a tidy summary is the same reason it resists permanent solutions. It is not a state you reach. It is a position you keep having to defend, against an adversary who gets a vote.
