I was sitting on a train, and a stranger sat next to me. He worked the entire journey.
As far as I know, I had never met him before. I wasn’t his colleague. I’m not a hacker either, but through my work I know quite a lot about cybersecurity—and how a real hacker can piece together surprisingly large amounts of information about a person just by combining small details, simply by sitting next to them during a train ride. With this information, a hacker can get closer to their goal: a data breach.
What did I learn during a two-hour train journey without even wanting to do so?
His first and last name when he answered the phone
Which company he worked for, when he used his laptop without a privacy screen
The names of several clients
The hourly rate of their company
That an important client meeting was scheduled for the following week
Not because I hacked anything—but because he told everything to the people around him.
Many people think of cybersecurity as a technical issue: strong passwords, multi-factor authentication, keeping software up to date. These are the foundation, but not enough on their own. The biggest security risk is almost always the thing between the keyboard and the chair—you.
When you open your work laptop on a train, the person next to you can easily see email subject lines, Teams conversations, CRM data, calendar entries…
Often just a single accidental glance is enough—and in many cases it isn’t even intentional. Your screen may be visible several rows away.
You don’t need to stop working while traveling. But next time you work in a public space, remember:
Use a privacy screen. If you don’t have one, show this blog to your manager and ask if you can buy this inexpensive but valuable security measure at the company’s expense.
Avoid handling sensitive data in open spaces
Sit so that your screen is not facing the aisle
Assume that one or more people nearby can hear everything you say
This is perhaps the most common mistake.
The phone rings.
The conversation begins:
“Simon Peter speaking! Yes, that Doe Ltd. project… I logged it in Dynamics.”
“Yes, Customer Ltd. has been having issues with Salesforce…”
“The offer is around €200,000…”
Suddenly, the entire train car hears more than intended—such as which systems your company and the client use.
Most organizations would not allow customer information (even just names) or project statuses to be publicly visible. Yet the same information is often spoken out loud in a full train carriage.
If you must take the call:
Avoid using customer names
Avoid mentioning monetary amounts
Avoid discussing systems
If possible, move to the space between cars or a quieter area
Again, assume that one or more people nearby can hear everything you say!
What can a hacker—or “bad actor”—do with all the information they gather just by sitting close to you?
If I were a hacker, I would now know my neighbor’s name and that they use Microsoft 365, Salesforce, and a particular project management system. From the call, I heard that the client is a large industrial company. From a calendar entry I saw the project name, and from an email the project manager’s name.
Within fifteen minutes, I would already have enough information to send a highly convincing targeted phishing message:
“Hi Matthew, I need some additional details for the proposal. Could you please fill in this form?”
Or I could impersonate a “system specialist” and ask the person to log in again to a system. I’d send a link to a page I created (which is extremely easy to do these days with AI) that looks completely legitimate—but is actually designed to steal login credentials.
In so-called “CEO fraud” attacks, the attacker often impersonates company leadership and makes urgent requests—such as transferring money, filling out forms, or paying invoices. The pretext might be an urgent business deal or some exceptional situation.
These messages typically emphasize urgency and the need for strict confidentiality. These elements are designed to bypass the recipient’s judgment and push them to act quickly.
What makes these messages convincing is that the attacker may already have a surprising amount of real information: the right systems, the right names, the right context—in other words, information that is not publicly available. The more an attacker knows in advance, the better their chances of succeeding. According to the National Cyber Security Centre in Finland, holiday periods—especially the summer vacation season—are particularly favorable times for this type of fraud.
That’s why awareness alone isn’t enough—you also need to recognize situations where someone might be trying to exploit this information. If you notice even one of the following signs in a message, pause—this could be a scam:
The message emphasizes urgency (“needed immediately”, “act now”)
You are asked to log in, make a payment, or share information
You are contacted via an unofficial channel, such as WhatsApp
You receive a link or attachment from an influential person that you weren’t expecting
The sender looks familiar, but the tone or context feels unusual
The message stresses confidentiality (“between us”, “keep this confidential”)
If you recognize any of these signs, act as follows:
Do not open links directly from the message
Verify the request through another channel
Report the suspicious message to IT (we at Context& can help review email security if a phishing message has reached users’ inboxes)
Trust your instincts—if something feels off, repeat the first three steps
These attacks are rarely built through technical hacking, but through reconnaissance. Attackers gather information from LinkedIn, company websites, social media, and public spaces.
In cybersecurity, it is often said that the first phase of an attack is not intrusion, but information gathering. The more attackers know about you and your organization in advance, the more convincing their messages become—and the higher their chances of success.
Employees need training and support in how to act, so they don’t accidentally expose sensitive information or fall victim to well-crafted phishing attempts.
Stay safe this summer!