Certifyd Podcast, Episode 1

20 Years in Cybersecurity and I Almost Got Scammed

with Irfahn Khimji, Field CTO, Backwatch · 25:00
Chapters (8)
  1. 00:00 Irfahn's Journey into Cybersecurity
  2. 03:38 AI Is the New Cloud — You Can't Opt Out
  3. 06:10 When Scams Get Too Good to Spot
  4. 09:52 The Phone Scam That Almost Worked
  5. 13:51 Gift Cards, New Starters, and Social Engineering
  6. 16:42 Why Verification Still Comes Down to People
  7. 18:46 The South Korean Pilots and Speaking Up
  8. 22:17 What's Coming in 2026

A scammer called Irfahn Khimji offering a discount on his phone bill. He'd heard this pitch before — because a year earlier, his actual phone company had made the same call. That prior experience, the one time a company genuinely offered a loyalty discount, became the hook that nearly cost him his account.

Meet the Guest

Irfahn Khimji is Field CTO at Backwatch, where he spans the full customer lifecycle across a global cybersecurity customer base. With 20 years in the industry — from bank fraud departments to vendor-side architecture and leadership — he's seen phishing evolve from obvious Nigerian prince emails to AI-polished, behaviourally-targeted operations.

Key Takeaways

  • AI has flipped the detection script. Phishing emails used to be spotted by typos and broken grammar. Now AI writes flawlessly, meaning perfection itself can be the red flag.
  • Scammers exploit legitimate patterns. Irfahn's near-miss worked because it mimicked a real call he'd received before. The scammers weaponised a genuine customer experience.
  • Two-factor authentication saved him — but only because he read the email carefully. Auto-fill and notification fatigue mean many people would have handed over the code without thinking.
  • The real defence is cultural, not technical. Organisations need to build environments where anyone — especially new starters and junior staff — feels safe challenging authority on suspicious requests.
  • Social engineering targets emotion, not intelligence. Pressure, timing, and the desire to impress are more powerful than any technical vulnerability.

The Scam That Almost Worked

The setup was elegant. A year before the scam call, Irfahn's phone company had genuinely called to offer him a $20/month discount. No information required — just say yes. It made him a loyal customer.

Then came the follow-up. Same talk track, same company name (easy to look up), same friendly tone. But this time they needed a little more: his name, his address, and then a code that would be sent to his email.

"The email that came in was, 'Hey, did you reset your password?' And I was like, I got you. The scam. It didn't match what they said."

They were trying to hijack his account: trigger a password reset on it themselves, then have him read out the one-time code the company emailed him. The only thing that gave the game away was the email's own wording, which described a password reset rather than the discount the caller was talking about. Had Irfahn not read it carefully, he'd have been compromised; and with phones now offering to autofill a one-time code straight from a text or email, many people never read the message at all.
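The server-side half of that defence is worth seeing in code. The email saved Irfahn only because it said what the code was for; a service that sends a bare "Your verification code is 123456" for logins, resets and support checks alike gives the victim no such signal. The sketch below is an added example, not code from the episode, from Backwatch or from Certifyd: a one-time-code service that binds every code to an account and a purpose, puts that purpose in the message the user receives, and refuses to redeem a code for any other purpose, after expiry, or twice. The class, the purpose names, the five-minute lifetime and the sample account are assumptions chosen for illustration. Note what it does not do: if the victim reads a genuine reset code back to the caller, the server cannot tell, which is exactly why the episode lands on people rather than technology.

```python
"""Purpose-bound one-time codes (added example; assumptions marked below)."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumption: codes live for five minutes

# Assumption: the human-readable action each purpose authorises. This text is what
# lets a recipient notice that the code does not match what a caller claimed.
PURPOSE_TEXT = {
    "password_reset": "reset your password",
    "new_device_login": "sign in on a new device",
    "loyalty_discount": "apply a loyalty discount",
}


@dataclass
class PendingCode:
    code: str
    purpose: str     # the one action this code may be redeemed for
    account: str
    issued_at: float
    used: bool = False


class CodeService:
    """Issues and verifies single-use codes bound to (account, purpose)."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._pending: dict[tuple[str, str], PendingCode] = {}

    def issue(self, account: str, purpose: str) -> PendingCode:
        if purpose not in PURPOSE_TEXT:
            raise ValueError(f"unknown purpose {purpose!r}")
        code = f"{secrets.randbelow(10**6):06d}"   # six digits, CSPRNG
        pc = PendingCode(code, purpose, account, self._now())
        # One live code per (account, purpose): a fresh request invalidates the old one.
        self._pending[(account, purpose)] = pc
        return pc

    def message(self, pc: PendingCode) -> str:
        """The text the user actually receives. It names the action and warns
        against sharing, instead of sending a context-free 'verification code'."""
        return (f"Use {pc.code} to {PURPOSE_TEXT[pc.purpose]} on {pc.account}. "
                f"We will never ask you for this code by phone. "
                f"If you did not request it, ignore this message.")

    def verify(self, account: str, purpose: str, code: str) -> tuple[bool, str]:
        """Redeem a code. Returns (accepted, reason)."""
        pc = self._pending.get((account, purpose))
        if pc is None:
            # Covers the cross-purpose case: a reset code presented as a discount code.
            return False, "no code issued for this account and purpose"
        if pc.used:
            return False, "code already used"
        if self._now() - pc.issued_at > CODE_TTL_SECONDS:
            return False, "code expired"
        if not hmac.compare_digest(pc.code, code):   # constant-time comparison
            return False, "code mismatch"
        pc.used = True
        return True, "ok"


if __name__ == "__main__":
    svc = CodeService()
    victim = "customer@example.com"          # constructed sample account
    # The caller's pretext is a discount, but what they actually trigger is a reset.
    reset = svc.issue(victim, "password_reset")
    print("victim receives:", svc.message(reset))
    print("redeemed as discount:", svc.verify(victim, "loyalty_discount", reset.code))
    print("redeemed as reset:   ", svc.verify(victim, "password_reset", reset.code))
```

Running it prints a message that says "reset your password", which is the cue Irfahn caught, and shows the same code being refused under the discount purpose and accepted, once, under the purpose it was issued for.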

"I've been doing cybersecurity for 20 years and I almost got caught."

From Nigerian Princes to GoFundMe Scams

The conversation surfaced how dramatically phishing has evolved. The old Nigerian prince emails were deliberately crude — they filtered for the most gullible targets. Today's scams cast wider nets with lower asks.

AI-generated images of sad children on Facebook, paired with GoFundMe links asking for just a dollar. Everyone who comments "sending love" becomes a target. The genius is in the economics: a million people giving a dollar is a million dollars, and most people will risk a dollar even when they suspect a scam.

For enterprises, the same principles apply at higher stakes: invoice fraud, CEO impersonation texts to new starters, and carefully timed requests that exploit the chaos of someone's first week on the job.

Why Culture Is the Real Firewall

The most striking part of the conversation wasn't about technology — it was about organisational culture. Andrew drew a parallel to the Korean Air crashes of the 1990s, where co-pilots who spotted dangerous errors deferred to senior captains rather than speaking up, with fatal consequences.

The same dynamic plays out in corporate security. A new starter gets a text from "the CEO" asking for gift cards. They don't want to look stupid by questioning it. They don't know the culture well enough to know that no CEO would ask for that. So they buy £500 in Amazon vouchers and scratch off the codes.

"You still need to create a culture of — it's okay to call out your seniors. You're never going to get in trouble if you say, can I just double check this?"

The solution isn't another firewall or AI detector. It's building organisations where a five-second verification check is celebrated rather than treated as a sign of weakness.

The Certifyd Angle

This conversation sits at the heart of what Certifyd is building. When Irfahn was asked what protections he's seen against these kinds of scams, his honest answer was: not much. Outside of face-to-face meetings and gut instinct, there's no reliable way to verify that the person on the other end of a call, email, or video is who they claim to be. That's the gap — certified identity for every interaction, so that "just checking" becomes instant, not awkward.

Listen to the Full Episode

The full conversation goes deeper into Irfahn's career path, the parallels between AI adoption and the cloud revolution, and his outlook for cybersecurity in 2026. It's worth 25 minutes of your time if you work in security or HR, or if you've ever thought "that could never happen to me."