“The Visa reports make clear that it is user gullibility that is the attack vector,” Michael Levy, former chief of computer crimes at the U.S. Attorney’s Office for the Eastern District of Pennsylvania, wrote in an email. “A network may be hardened against an outside assault, but if you can get an employee inside the company to click on a link, and that link causes the employee’s computer to download malware, you have tunneled under the moat and [fire]wall. It was my guess that the perpetrators accomplished the Wawa breach in a similar fashion.”