In our first two chapters, we explored how online life shapes the way we think and connect. Content showed how repetition turns misinformation into belief, while Contact revealed how digital relationships blur the lines between strangers and trust. Both reminded us that cybersecurity isn’t about code — it’s about people.
Now we turn to Commerce, the third C — where trust takes form.
Here, belief becomes behaviour. We buy, sell, approve, donate, and subscribe more often than we even realise. It’s the rhythm of modern life — automatic payments, instant approvals, contactless taps. What used to be an action has become a reflex. And in that reflex, something has changed.
Every click, every payment, every digital exchange now carries value — not just in pounds or data, but in trust.
Commerce has become the heartbeat of the digital world. It fuels business growth, supports schools, and connects families. But it’s also one of the most exploited spaces online, precisely because it feels so safe. We rarely stop to think before we approve an invoice, pay a supplier, or click a “renew now” link — and that quiet confidence is exactly what cybercriminals depend on.
This is the third part of our 4C’s of Online Risk series — Commerce: the risk hidden in routine — where trust and transaction meet, and where awareness becomes the most valuable currency of all.
The Quiet Rise of Invisible Commerce
Not long ago, commerce was something you noticed. There was a receipt, a signature, a moment of exchange that felt deliberate. Today, it happens behind screens and systems we barely see. A parent pays for a school trip through an app. A small business settles an invoice through a cloud portal. A freelancer pays for new software using stored card details.
It all feels routine — and that’s the danger. When something becomes routine, it stops triggering caution. Cybercriminals don’t have to breach your systems anymore; they just have to blend into them. They send fake invoices that look real, mimic supplier emails, or hijack payment pages that appear legitimate. And because everything about the interaction feels normal, it doesn’t raise alarm until it’s too late.
We’re not careless — we’re conditioned. The digital world trains us to trust what looks familiar. Each login, each email, each approval reinforces the idea that this is how it’s supposed to be. But familiarity can be the most effective disguise of all.
When Familiarity Becomes the Weak Point
The human brain loves patterns. When something looks, sounds, or feels like what we’ve seen before, our instinct is to move forward, not question it. That’s how cybercriminals slip through the cracks — not by hacking systems, but by hijacking habits.
An email that looks like last month’s invoice. A renewal notice for software you actually use. A supplier email that just happens to arrive on the day payments are due. None of it feels suspicious because everything about it feels right. We respond automatically — we pay, approve, and move on.
The illusion of safety isn’t built on firewalls; it’s built on familiarity. In schools, that might look like a headteacher approving a payment request that seems legitimate. In small businesses, it might be an accountant processing an invoice from a regular supplier whose email domain has been subtly spoofed. In everyday life, it could be a text from a courier that looks exactly like one you’ve received before.
In each case, the threat isn’t extraordinary — it’s ordinary. That’s what makes it powerful.
The Human Element of Digital Money
Behind every transaction, there’s a person — a teacher approving a last-minute equipment order, a finance assistant juggling dozens of invoices, a small business owner paying suppliers while answering customer calls. Commerce, at every level, is human. It runs on trust, pressure, and the constant drive to keep things moving.
Cybercriminals know that. They understand not just how systems work, but how people feel while using them. They study behaviour — the morning rush of emails, the lunchtime approvals, the end-of-day urgency to clear the inbox before heading home. Their attacks are not written for machines; they’re written for moments.
A message arrives: “Can you just process this quickly before the deadline?” It looks familiar, polite, helpful. It uses names, tone, and timing that feel right. It lands when attention is low and good intentions are high. And that’s when decisions happen — not because someone is careless, but because they’re committed. They want to help, to move things forward, to be efficient and reliable.
This is the psychology of commerce in the digital age. We associate speed with competence, trust with teamwork, and approval with progress. Cybercriminals flip those instincts against us. They don’t hack; they persuade. They mimic legitimate behaviour so convincingly that the fraud doesn’t feel like a scam until the damage is done.
That’s why awareness training isn’t about fear — it’s about empathy. It’s recognising that anyone, no matter how skilled, can be manipulated in a moment of distraction. It’s about giving people the language and confidence to pause, verify, and question without guilt. Because every transaction has a heartbeat, and protecting it starts with understanding the person behind the payment.
The Threats Hiding in Everyday Transactions
Digital commerce has made life easier, but it’s also opened new doors for cybercriminals who understand how everyday systems work — and how people use them. These aren’t the spectacular, headline-grabbing hacks that bring down corporations. They’re quieter, more personal, and built around the routines that keep organisations and individuals moving.
One of the most common examples is invoice fraud — when an attacker poses as a trusted supplier and sends a message asking for new bank details. The tone is polite, the formatting familiar, and the timing perfect. The email might even reference genuine past orders. By the time the transfer clears, the money has disappeared, and the real supplier is still waiting to be paid.
Another major threat is business email compromise, where criminals impersonate senior staff or gain access to genuine email accounts to request urgent payments. The messages are written with authority and realism — often arriving just as someone is logging off or trying to clear their to-do list. In schools, this might look like a message from the headteacher. In businesses, it’s the “CEO” asking finance to act quickly and quietly.
Beyond email, there’s payment page cloning — convincing replicas of real websites built to steal card details or login credentials. These fake pages often appear after clicking on a phishing link, or through a malicious advert that looks identical to a trusted brand. They exploit how easily our brains recognise a logo and stop questioning what’s behind it.
There’s also a quieter, more mechanical threat: card testing. Rather than targeting people directly, attackers use automated scripts to test thousands of stolen card numbers through genuine checkout systems. It’s the digital equivalent of walking down a street and trying door handles until one opens. Each small, seemingly random transaction helps criminals identify which cards are still active before using them for larger fraud. Schools, charities, and small businesses with online payment portals often see this first as a sudden spike in tiny, failed transactions — the invisible warning signs of a much bigger criminal network at work.
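The warning sign described above, a burst of tiny and mostly failed payments, can be checked for in a payment portal's transaction log. The sketch below is an added example, not code from Cyber Rebels or any payment provider; the record fields, thresholds and sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds; tune them against the portal's normal traffic.
SMALL_AMOUNT = 5.00             # what counts as a "tiny" payment, in GBP
WINDOW = timedelta(minutes=10)  # sliding window per source
MIN_ATTEMPTS = 5                # small attempts in the window before judging
MIN_DISTINCT_CARDS = 4          # one source cycling through many cards
MIN_FAILURE_RATE = 0.6          # most attempts are declined


@dataclass(frozen=True)
class Txn:
    ts: datetime
    source: str     # client IP or device id recorded by the checkout (assumed field)
    card_fp: str    # card token/fingerprint from the gateway, never the card number
    amount: float
    approved: bool


def detect_card_testing(txns):
    """Return {source: time of first alert} for sources matching the pattern."""
    windows = defaultdict(deque)
    alerts = {}
    for t in sorted(txns, key=lambda x: x.ts):
        if t.amount > SMALL_AMOUNT:
            continue  # only tiny payments are part of the signal
        w = windows[t.source]
        w.append(t)
        while t.ts - w[0].ts > WINDOW:
            w.popleft()  # drop attempts that fell out of the window
        if t.source in alerts or len(w) < MIN_ATTEMPTS:
            continue
        cards = {x.card_fp for x in w}
        failure_rate = sum(not x.approved for x in w) / len(w)
        # Many different cards AND mostly declines: a person retrying their
        # own card fails the first test, a busy legitimate shop the second.
        if len(cards) >= MIN_DISTINCT_CARDS and failure_rate >= MIN_FAILURE_RATE:
            alerts[t.source] = t.ts
    return alerts


BASE = datetime(2024, 1, 8, 9, 0, 0)


def sample_transactions():
    """Constructed sample data (documentation IP ranges, made-up tokens)."""
    txns = []
    # Scripted source: six different cards, 1.00 each, 20 s apart, one approval.
    for i in range(6):
        txns.append(Txn(BASE + timedelta(seconds=20 * i), "203.0.113.7",
                        f"card-{i}", 1.00, approved=(i == 3)))
    # A parent retrying their own declined card: many failures, but one card.
    for i in range(5):
        txns.append(Txn(BASE + timedelta(seconds=30 * i), "192.0.2.44",
                        "card-parent", 2.50, approved=False))
    # Ordinary traffic: one small and one normal approved payment.
    txns.append(Txn(BASE + timedelta(minutes=2), "198.51.100.20", "card-a", 3.00, True))
    txns.append(Txn(BASE + timedelta(minutes=3), "198.51.100.20", "card-a", 45.00, True))
    return txns


if __name__ == "__main__":
    for source, when in detect_card_testing(sample_transactions()).items():
        print(f"possible card testing from {source}, first flagged at {when}")
```

Requiring several distinct cards as well as a high decline rate keeps a single customer with a failing card from being flagged alongside the scripted source.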
Then there’s supply-chain compromise, where attackers infiltrate a trusted vendor or service provider to reach many targets at once. A single compromised account, software update, or shared platform can create a domino effect across connected organisations. It’s the digital version of poisoning a well — one breach spreading quietly through a community that never saw it coming.
And finally, for individuals, there are the everyday scams that blur into the background: refund fraud, charity impersonations, and fake courier messages that look routine but harvest personal or payment information. These low-value, high-volume attacks succeed because they mimic the pace and tone of modern life. They don’t shock — they persuade.
None of these threats are new, but they’ve become more sophisticated, more believable, and more embedded in our daily routines. The real danger isn’t the technology itself — it’s the trust we place in it. Attackers don’t break systems; they bend expectations. They know that commerce is built on repetition and reliability, and they use both against us.
Commerce risk becomes even clearer when we look beyond organisational systems and into the behaviours of everyday people. The same psychological triggers that drive business fraud — urgency, familiarity, emotional pressure and the illusion of legitimacy — shape the risks individuals face in their own digital lives, often long before those patterns ever reach the workplace.
When Everyday Consumers Become the Target
Commerce risk doesn’t only affect organisations. It reaches quietly into the routines and reflexes of everyday people — the parent scrolling through Facebook Marketplace, the young person buying cosmetic items in a game, the adult who answers a call because it looks like it came from their bank, or the shopper who follows a “too good to miss” deal without questioning the urgency behind it. The psychological patterns that shape high-value business fraud are present here too: pressure, familiarity, speed and the promise of convenience. The only difference is the scale — the mechanics remain identical.
These threats succeed because they slip into moments of normality. A second-hand pram at a good price. A limited-time in-game upgrade. A parcel redelivery request. A website selling branded trainers at 60% off. None of these interactions feel like risk; they feel like opportunities, bargains, or harmless tasks. Scammers rely on that sense of normality. They build their traps inside habits, not exceptions.
Facebook Marketplace is a perfect example. Its design encourages trust — local listings, friendly messages, profile pictures and a sense of community. It creates a psychological shortcut: this feels safe. Scammers exploit this instinct by acting quickly, using friendly language, asking for small deposits, sending forged payment screenshots and keeping the buyer emotionally engaged so they do not step back and reconsider. These aren’t sophisticated technical attacks; they’re rehearsed social scripts.
Vishing takes the same principle and adds urgency. People trust phone calls because they feel personal. When a voice on the line claims to be from the bank’s fraud team, or the courier service, or a government body, it taps into a lifetime of legitimate experiences. Scammers imitate the tone, terminology, pace and concern of real support staff — and they rely on people not wanting to make a mistake. The hesitation becomes the hook. Fear does the rest.
Fake retail websites close the loop. They borrow legitimacy through logos, layout and branding. They mimic the “flow” of real online checkouts so convincingly that the user doesn’t consider risk until the purchase is already complete. Some send poor imitations; others send nothing. Many vanish within days, reappearing under a new domain to repeat the cycle. What makes them effective is not technical brilliance but the power of design familiarity — people trust what looks recognisable.
But commerce risk reaches deeper still. It also appears in platforms considered legitimate — in-app purchases, downloadable content and microtransactions that use behavioural design to create spending habits. In gaming, children and adults alike encounter timed offers, reward loops and “fear of missing out” mechanics that make purchases feel small and necessary in the moment. Progress becomes linked to payment. Belonging becomes linked to cosmetic upgrades. Value becomes fragmented into tiny, frequent transactions that hide the real cost over time. These systems normalise impulsive spending, often long before a person fully understands how their behaviour is being shaped.
When Persuasion Becomes Profit
Today’s online platforms take this even further through behavioural advertising and data-driven targeting — systems designed to learn what captures attention and then use it to influence choices. Children rarely see neutral content anymore. What appears on their screens has been shaped by algorithms that understand their routines, their moods, their patterns of play and even the moments when they’re most likely to click. An advert for an upgrade doesn’t just “show up”; it appears precisely when a child has failed a level, paused a game or hovered over a reward they didn’t earn. Social feed promotions work the same way — offering discounts, bundles and “recommended for you” items based on everything from playtime to browsing to emotional engagement. Over time, this creates a digital environment where the boundary between fun, persuasion and financial pressure becomes almost invisible. Young people are not simply choosing; they’re being steered. And because this influence is subtle, personalised and wrapped inside platforms they trust, it becomes incredibly difficult for them — or the adults supporting them — to see where entertainment ends and commercial manipulation begins.
When we look across these scenarios, the pattern becomes difficult to ignore: commerce risk adapts to whoever is holding the device. It mirrors their routines, anticipates their impulses and uses platform design to accelerate decisions before critical thinking has a chance to intervene. A £2,000 invoice scam in a small business and a £20 fake listing on Facebook Marketplace are separated by value, not by method. Both rely on pressure, familiarity and emotional cues that push people to act first and reflect later.
For individuals, the consequences are personal — financial loss, embarrassment, a feeling of being “caught out.” For businesses, those same patterns become operational risk, because people do not simply change their behaviour at work. The shortcuts and reactions shaped in personal life travel with them: into the office, into inboxes, into procurement, into processes. Commerce risk is fluid. It crosses boundaries effortlessly because the behaviour that enables it crosses those boundaries too.
When we trace these behaviours across home, school and workplace environments, the pattern becomes impossible to ignore: commerce risk isn’t defined by the size of the transaction, but by the conditions that surround it. A young person pressured into a microtransaction, a parent misled by a social media listing, an employee hurried into approving a payment — all three experiences arise from the same environment of urgency, distraction and digital familiarity.
These are not just financial threats. They are psychological ones. They take advantage of attention stretched thin, trust placed in familiar designs, and the human instinct to act quickly when something feels important. And because these pressures follow people between personal and professional life, the behaviours they create follow, too. An employee who has learned to respond instinctively to urgency at home will carry that reflex into the workplace. A child who becomes accustomed to reward-based spending will find the same patterns echoed in the wider digital world. Commerce risk grows in the spaces where systems reward speed and emotion over clarity and control.
This is why commerce deserves to stand alongside the other Cs. It is not a niche concern or a technical footnote — it is a fundamental part of how digital environments shape human behaviour. When people understand the forces behind these everyday transactions, they gain something vital: the ability to pause before acting, to question design that pushes them forward, and to recognise when a decision is being influenced rather than chosen.
Shared Risk in a Shared Economy
There’s a dangerous misconception that cyberattacks target only large organisations with vast sums of money. But in the connected economy, the same systems that power a global enterprise also power a village school or a local café. Attackers don’t discriminate; they automate.
That fake invoice sent to a multinational might also reach a community trust. The phishing campaign aimed at a corporate finance team might also land in a small business inbox. A fraudulent donation request might be copied to thousands of parent emails.
Commerce has become borderless — and so has its risk. Every organisation, no matter its size or purpose, relies on digital transactions. Every individual participates in them. The more digital trust connects us, the more one breach can ripple across countless others.
It’s not about how much you have to lose; it’s about how interconnected your systems — and your people — are.
The Real Cost of Getting It Wrong
When a payment goes astray or a fraudulent transaction slips through, it’s easy to see it as just a financial issue — a mistake to fix, a lesson to learn. But the true cost runs deeper, rippling through the people, the processes, and the sense of safety that keeps everything moving.
In a business, it might start with an unexpected shortfall — a missing payment, a supplier chasing funds that were sent elsewhere. But very quickly, it becomes about something more than money. Colleagues begin to question each other. Teams hesitate to act without triple-checking. What was once an efficient routine becomes an anxious guessing game. Productivity slows, and trust — both internal and external — starts to fracture.
For schools or charities, the impact can be even more personal. A single incident can delay equipment orders, trip funding, or planned support for students and families. It can mean explaining to parents or donors why money disappeared, even when every person involved was simply trying to do their job. The financial loss hurts, but the emotional toll — the shame, the frustration, the sense of responsibility — often cuts far deeper.
And for individuals, the consequences can linger long after the transaction is over. The moment you realise your card was compromised or your details stolen, something changes. You begin to second-guess every email, every purchase, every click. Online life — once easy and automatic — becomes tense and uncertain. That lingering doubt is what criminals count on. They don’t just take money; they take confidence.
Recovering from a breach isn’t just about restoring funds or updating systems. It’s about rebuilding belief — in technology, in colleagues, in ourselves. And that takes far longer than any investigation or refund. It takes honesty, reflection, and a commitment to doing things differently next time.
Because the real cost of getting it wrong isn’t measured in pounds — it’s measured in trust. And once that’s gone, everything that depends on it starts to falter.
Safeguards in a World of Instant Payments
In a digital world built on instant transactions, convenience has become our default. But not all payment methods offer the same protection — and understanding how they differ can mean the difference between a temporary scare and a lasting loss.
When you pay by card, whether debit or credit, there’s a safety net working quietly behind the scenes. Card networks like Visa and Mastercard include built-in fraud protection systems that can flag unusual activity and even reverse payments if something goes wrong. Under UK consumer law, victims of card fraud are usually refunded once they report the issue, because liability often rests with the card issuer, not the customer. It’s one of the few areas in cybersecurity where a genuine safety cushion exists.
A bank transfer, however, plays by different rules. Once money leaves your account, it doesn’t pass through the same layers of protection. There’s no card provider to mediate, no chargeback process, and — in many cases — no way to reverse the payment. Even when refunds are possible under the UK’s Authorised Push Payment (APP) Scam Code, success depends on how quickly the fraud is reported and whether the receiving bank can intercept the funds. Criminals know this, which is why fake invoices, “urgent” payment requests, and impersonation scams almost always direct victims to pay by bank transfer.
Not all financial harm happens in the moment. Sometimes the damage arrives slowly — through identity fraud that begins with a data leak. When names, addresses, dates of birth or other personal details are exposed, criminals can use that information to open accounts, impersonate victims, or commit other forms of financial crime on someone else’s behalf. The result is often bureaucratic and long-running: unexpected debts, damaged credit records, and months of time spent proving you’re not responsible. It’s a reminder that data has real financial power — and that protecting information is as important as protecting money itself.
If identity fraud does happen, victims aren’t usually left carrying the cost. In the UK, people aren’t legally responsible for debts or credit accounts opened without their consent. Once reported, lenders and banks are required to investigate, remove the fraudulent accounts, and repair credit files. It can take time, but it’s fixable — another reason why awareness and early reporting are just as important as prevention.
For organisations, this makes verification and data handling inseparable from payment security. Every transaction, every stored record, every shared file represents both financial and personal trust. Protecting one without the other simply isn’t enough.
The speed of modern payments is one of our greatest conveniences — but also one of our greatest risks. Awareness is the safeguard that bridges the gap, helping people choose the method that keeps both their money and their identity secure.
From Awareness to Action: Making Commerce Safer
Awareness is only powerful when it changes what we do next. Knowing the risks — from fake invoices to cloned payment pages — is the first step. Acting differently because of that knowledge is where real resilience begins.
Every transaction, no matter how small, is a decision point. Do I recognise this sender? Have I seen this before? Should I take a moment to verify? These aren’t technical questions — they’re habits. And like any habit, they grow stronger each time they’re repeated.
For organisations, this means making awareness part of the workflow, not an afterthought. Verifying bank details before a transfer. Following a “two-person rule” for large payments. Using secure, approved systems instead of convenient shortcuts. The goal isn’t to slow people down — it’s to build natural moments of pause that protect everyone involved.
In schools, that might mean an administrator calling a supplier before approving new payment details. In a small business, it could be a manager reviewing any “urgent” request before acting. For individuals, it’s the quiet decision to double-check a link before entering card details. These pauses don’t just prevent mistakes; they build confidence. They remind people that security isn’t about restriction — it’s about awareness guiding action.
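The two workflow controls above, verifying changed bank details and the "two-person rule" for large payments, can be written as a single release check in a finance system. This is an added example, not the article's or any accounting product's own code; the threshold, field names, reason codes and sample bank details are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy value: payments at or above this need two approvers (GBP).
TWO_PERSON_THRESHOLD = 1000.00


@dataclass(frozen=True)
class SupplierRecord:
    """Bank details already confirmed with the supplier and held on file."""
    sort_code: str
    account_number: str


@dataclass
class PaymentRequest:
    supplier: str
    sort_code: str
    account_number: str
    amount: float
    requested_by: str
    approvers: set = field(default_factory=set)
    # True only after someone phoned the supplier on the number already on
    # file, not a number taken from the email asking for the change.
    callback_verified: bool = False


def release_decision(req, verified_suppliers):
    """Return ('release' | 'hold', [reason codes]) for a payment request."""
    reasons = []

    on_file = verified_suppliers.get(req.supplier)
    if on_file is None:
        reasons.append("UNKNOWN_SUPPLIER")
    elif (req.sort_code, req.account_number) != (on_file.sort_code,
                                                 on_file.account_number):
        # New bank details are the classic invoice-fraud request: hold the
        # payment until the change is confirmed out of band.
        if not req.callback_verified:
            reasons.append("BANK_DETAILS_CHANGED")

    # Assumed interpretation of the two-person rule: the requester's own
    # approval never counts, and large payments need two other people.
    independent = req.approvers - {req.requested_by}
    needed = 2 if req.amount >= TWO_PERSON_THRESHOLD else 1
    if len(independent) < needed:
        reasons.append("NEEDS_APPROVERS")

    return ("hold" if reasons else "release", reasons)


# Constructed sample data: the supplier name and bank details are made up.
VERIFIED = {"Acme Stationery": SupplierRecord("00-00-01", "00000001")}


def sample_requests():
    routine = PaymentRequest("Acme Stationery", "00-00-01", "00000001",
                             250.00, "alex", {"sam"})
    changed = PaymentRequest("Acme Stationery", "00-00-09", "99999999",
                             250.00, "alex", {"sam"})
    confirmed = PaymentRequest("Acme Stationery", "00-00-09", "99999999",
                               250.00, "alex", {"sam"}, callback_verified=True)
    large_self = PaymentRequest("Acme Stationery", "00-00-01", "00000001",
                                2000.00, "alex", {"alex", "sam"})
    large_ok = PaymentRequest("Acme Stationery", "00-00-01", "00000001",
                              2000.00, "alex", {"sam", "jo"})
    return [routine, changed, confirmed, large_self, large_ok]


if __name__ == "__main__":
    for r in sample_requests():
        print(r.amount, r.sort_code, release_decision(r, VERIFIED))
```

A hold here is the built-in pause the article describes: the payment waits until a person makes the call or a second colleague reviews it.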
Technology plays its part, of course. Strong passwords, multi-factor authentication, and secure payment gateways create layers of defence. But technology alone can’t spot persuasion. Only people can do that. Every alert, every policy, every training session is there to strengthen one thing — the human instinct to question when something doesn’t feel right.
That’s why the most effective cybersecurity cultures don’t operate on fear or blame. They operate on conversation. When someone feels safe to ask, “Does this look right to you?”, that’s when a team becomes resilient. The best defence against digital crime isn’t a firewall; it’s a workforce — or a household — that shares awareness freely.
Making commerce safer isn’t about building walls; it’s about building habits. Habits of checking, verifying, and protecting both data and identity. Awareness turns into action when those habits become normal — when thinking before paying becomes second nature. And once that happens, security stops being a process and becomes part of who we are.
The Culture of Commerce
Every organisation, every classroom and every household runs on trust. We don’t just trade money — we trade confidence. Confidence that the systems we use will work. Confidence that the people we communicate with are who they say they are. Confidence that the data we share will be handled with care. When that confidence is shaken, it’s not simply a security problem — it’s a cultural one.
Commerce risk exposes the silent agreements we rely on every day. When a parent pays for a trip, when a school approves an invoice, when a team processes a routine payment, each action is built on the assumption that the environment around them is safe. But when psychology meets design — and manipulation meets routine — those assumptions become fragile. A single deceptive payment request or a convincing fake invoice doesn’t just disrupt finances; it disrupts relationships.
Cybersecurity culture doesn’t grow out of policies or instructions alone. It emerges from the everyday moments where people choose caution over convenience, clarity over speed, and honesty over embarrassment. It shows in the administrator who asks one extra question before sending money. In the teacher who checks a link before clicking. In the colleague who admits they’re unsure rather than pressing ahead. These moments are small, but they are the foundations of a secure environment.
And culture is built by example. When leaders normalise pausing before approving payments, others follow. When mistakes are met with understanding instead of shame, people feel safer reporting concerns. When security conversations happen in everyday language — not technical jargon — they stop feeling intimidating and start feeling shared.
At its heart, the culture of commerce is a culture of respect: respect for process, for data, for each other’s workload and pressure, and for the reality that nobody is immune to persuasion. Behind every incident is a human being who clicked or approved because they cared — about their job, their responsibilities, their role. A healthy culture doesn’t punish those instincts; it protects them.
Because secure commerce isn’t just about stopping fraud. It’s about reinforcing the relationships that make schools, charities, businesses and communities work. When awareness becomes a shared value rather than a personal burden, security shifts from being an obligation to being a strength.
Commerce connects everything. When it’s protected, trust grows. When it’s compromised, the ripple goes far beyond the money. That’s why the cultural part of commerce matters — because it’s where transactions become human, and where protection becomes collective.
Looking Ahead: Conduct – The Human Code of the Digital World
Commerce shows us how easily behaviour can be shaped by pressure, routine and design. But Conduct — the final C — is where those behaviours take form. It’s where our instincts, habits and decisions meet the digital world, and where the choices we make ripple out into relationships, communities and cultures.
Conduct is the most human of all the Cs because it isn’t about what happens to us — it’s about what we do. How we speak online. How we respond when stressed. How we react when anonymity removes accountability. How quickly we act when urgency feels real. Conduct is where psychology becomes action.
And this is why it deserves its own chapter. If Content influences what we believe, Contact influences who reaches us, and Commerce influences the decisions we make, then Conduct influences how we behave within all of it. It’s the C that shapes the tone of every interaction — the kindness, the cruelty, the impulse, the pause. It’s the digital “code” we write with our choices every day.
Conduct is also where safeguarding meets character. Because behaviour online isn’t separate from behaviour offline — it is simply accelerated, unfiltered and amplified. Understanding Conduct means understanding the pressures that make good people act out of character, the triggers that escalate conflict, and the online environments that reward reaction instead of reflection.
The final chapter closes the loop.
It explores not just risk, but responsibility — not in the punitive sense, but in the human one. How do we help people slow down when the internet speeds them up? How do we support better choices instead of blaming mistakes? How do we create cultures where digital behaviour is guided by empathy, not impulse?
Because in the end, cybersecurity isn’t just about stopping attacks or preventing fraud. It’s about the people behind the screens — their wellbeing, their interactions, their safety, their judgement, and the environments that shape them. Conduct is where all of that becomes visible.
And that’s where we’ll go next.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.