What’s the cost of a Counter-Strike skin? Apparently $1.2 million.
This episode is packed with cyber stories, from fake AI tools and North Korean fraud to deepfake investment scams and dodgy booking messages. We also look at the UK government’s Windows 3.1 problem, Steam's not-so-scary leak, and why your Windows 10 machine just got a few more years of life.
Let’s break it all down...
🎮 Steam Panic That Wasn't
Reports claimed 89 million Steam accounts had been leaked, but Valve confirmed there was no breach of Steam systems. The data was expired one-time SMS codes and the phone numbers they were sent to, with no link to passwords, payment details or account info, so the codes could not be used to take over accounts. Nothing to do here, but it is a good moment to move your 2FA off text messages and onto an authenticator app or a passkey.
🪟 Microsoft Extends Office and Defender Support on Windows 10
Microsoft has changed its mind, at least in part. Microsoft 365 apps and Defender updates on Windows 10 will now be supported until October 2028. The caveat: the operating system itself still reaches end of support in October 2025, so this buys time for the apps, not for Windows security patches. It still gives users longer to plan an upgrade and hopefully means fewer devices heading straight to landfill.
🧥 Dior Breach: Names, Numbers, and Purchase Histories
No payment details were taken, but Dior confirmed that names, contact details and purchase histories of customers in South Korea and China were exposed. A reminder that luxury brands are as exposed as anyone else. If your users are affected, support them, especially around the targeted phishing that tends to follow a leak of contact details and purchase history.
💣 North Korean Freelancers Infiltrate Tech Firms
Using fake LinkedIn and Upwork profiles backed by stolen US identities, North Korean operatives posed as remote US tech workers, got hired by legitimate companies and earned an estimated $88 million, reportedly funnelled back to the regime's weapons programmes. This wasn't hacking. It was hiring fraud that got past background checks and identity verification. And it worked.
🧠 AI Malware Masquerades as AI Video Tools
Fake Facebook ads for AI video generators, impersonating Luma's Dream Machine on a lookalike domain, trick people into downloading a zip that installs a new info-stealer called Noodlophile. Spoiler: it takes whatever it can. Don't download tools from Facebook ads. Ever. Search for the vendor's real site instead.
🏛️ Government Still Using Windows 3.1
A new Public Accounts Committee report found that 28% of public sector IT systems are outdated, with some still running Windows 3.1. That's software from 1992, unsupported since the end of 2001. Apparently we're aiming to fix that... by 2030.
📱 Google Pushes Passkeys and Scam Protection
Android 16 brings on-device scam detection and warns users who open a banking app while on a suspicious call. Google is also starting to convert saved passwords in Google Password Manager into passkeys automatically where the site supports them, opt-in for now. Passwords, your days are numbered.
🧠 The Awareness Angle – This Week's Takeaways
Trust Is the Attack Vector – From North Korea’s job scams to fake Booking.com chats, social engineering is the real risk. Tech is just the delivery method.
Old Systems, Big Risks – If your infrastructure is still running legacy systems, it's not just inefficient. It's unpatched, and unpatched means vulnerable.
Training That Doesn't Stick – Abnormal Security's latest report says security awareness training (SAT) is effort-heavy and impact-light. Maybe it's time to rethink how we engage people.
🎙️ Quick Plugs
We’ve been nominated for the European Cybersecurity Blogger Awards! Voting’s open until 27th May. Vote for us at riskycreative.com
Our interview with Amy Stokes-Waters from The Cyber Escape Room Co. drops this Thursday. It’s full of fun, reality checks, and a bit of colourful language. Headphones advised!
Sign up for The Awareness Angle Newsletter today and get notified every time a new episode is released. Each newsletter contains details of the topics discussed and more from the world of Security Awareness.
💬 Episode 25 Discussion Points
Microsoft's Windows 10 U-Turn – Support extended to 2028
Watch the discussion - https://youtu.be/1gP3YwQD1ew?t=290
Read - https://www.extremetech.com/computing/microsoft-extends-windows-10-support-for-office-apps-until-2028
Google Starts Auto-Upgrading Your Passwords to Passkeys
Watch - https://youtu.be/1gP3YwQD1ew?t=1728
Read - https://www.androidpolice.com/google-may-auto-convert-passwords-to-passkeys-on-android/
North Korean Hackers Infiltrate US Tech Companies
Watch the discussion - https://youtu.be/1gP3YwQD1ew?t=1100
Read more - https://hackread.com/north-korean-hackers-stole-88m-posing-us-tech-workers/
Steam “Leak” of Expired SMS Codes
Watch – https://youtu.be/1gP3YwQD1ew?t=460
Read – https://www.bleepingcomputer.com/news/security/steam-user-data-leak-just-expired-verification-codes/
Dior Cyberattack – Customer Data Exposed
Watch – https://youtu.be/1gP3YwQD1ew?t=646
Read – https://www.bleepingcomputer.com/news/security/dior-discloses-data-breach-customer-purchase-data-exposed/
Co-op and M&S Cyber Incidents
Watch – https://youtu.be/1gP3YwQD1ew?t=729
Read – https://www.bbc.co.uk/news/articles/cwy382w9eglo
Fake AI Tools Spreading Noodlophile Malware
Watch - https://youtu.be/1gP3YwQD1ew?t=1292
Read - https://www.bleepingcomputer.com/news/security/fake-ai-tools-spread-noodlophile-malware-stealing-data/
UK Government Still Running Windows 3.1
Watch – https://youtu.be/1gP3YwQD1ew?t=1536
Read - https://www.theregister.com/2025/05/10/uk_cybersecurity_legacy_systems_report/
Android 16 Adds Scam Detection and USB Lockdown
Watch – https://youtu.be/1gP3YwQD1ew?t=1859
Read – https://www.cyberscoop.com/google-android-16-security-anti-scam/
Booking.com Chat Scam Targeting Travellers
Watch – https://youtu.be/1gP3YwQD1ew?t=3090
Read – https://vm.tiktok.com/ZNd6sahwo/
GoDaddy’s Fake Bonus Phishing Test (2020 Throwback)
Watch – https://youtu.be/1gP3YwQD1ew?t=3490
Read – https://www.cbsnews.com/news/godaddy-apologizes-insensitive-phishing-email-offering-bonuses/
Device Code Phishing – Getting Around Passkeys
Watch – https://youtu.be/1gP3YwQD1ew?t=1957
Read – https://denniskniep.github.io/posts/09-device-code-phishing/
Abnormal Security Awareness Report
Watch – https://youtu.be/1gP3YwQD1ew?t=2055
Read – https://abnormal.ai/resources/state-of-security-awareness-training
Anthony Davis (00:07.926)
Welcome to the awareness angle where we break down the latest cyber security stories and look at what they really mean for awareness, behavior and staying safe. This week we have Microsoft is keeping Windows 10 Defender and 365 support until 2028. Steam's data leak was just expired SMS codes. The all have been hacked, co-op dodged ransomware. M&S is still recovering.
North Korean hackers and $88 million. There's fake AI video tools. The UK government's stuck on old systems. What a shock. And Google Android 16 brings scam blockers and passkeys all into ditch passwords. hoo. We break it all down. No jargon, no drama. Just what you need to know on this week's The Awareness Angle. This is an independent podcast. Our views are our own. So if we say something you don't like, blame us.
not the people that pay us. And two more things to mention. Have you listened to our interview series? It complements our regular podcast. The first two episodes are out there in the wild, in the same podcast stream that this is. Our first episode with Erin Gallagher, She Doesn't Fish, and our last episode that we released with Jasmine Eskenzi from The Zensery, all about cyber mindfulness. We'll this Thursday, see you then next.
Episode and it's with amy stokes waters from the cyber escape room co she's convinced me that escape rooms are actually a good idea and scalable, but we get into a whole bunch of other stuff including being your true authentic self And if you've ever spoken with amy, you'll know that that's the version of amy you want probably Get that this thursday on youtube or wherever you get your podcasts. There is a little bit of colorful language in this one, too. So it's
best to put your headphones in if you're listening with young ones around but yeah that's it with me as always is Mr Luke Pettigrew hello Luke
Luke (02:19.412)
Hi everyone.
Anthony Davis (02:21.089)
I do.
Anthony Davis (02:24.747)
Yeah, I'm good. It's been a busy week. Anyone working in retail and cyber, it's a busy week. I would imagine. Yeah. Lots of stuff going on all like, you know, nothing, nothing bad or good or constructive or, you know, proactive rather than reactive, which is the way you want it to be. think we all have, of course it would be, it would be rude of us not to mention that.
Luke (02:31.892)
Yeah.
Luke (02:45.555)
Yeah.
Anthony Davis (02:53.165)
We were obviously nominated for a prize, award, nominated for an award in the European Cybersecurity Blogger Awards of 2025. I want to thank everybody, me and Luke want to thank everybody that voted for us already in the awards. I've also been recognized as a contributor as well with some big names and had some lovely words from Graham Cluley and Javvad Malik this week that I thought, wow, I'm like very, very, very, very touched.
Luke (02:55.305)
Yeah.
Anthony Davis (03:22.955)
These people are talking about me. They know I exist. I know. And I'm not just that annoying bald guy with a beard that keeps appearing on their LinkedIn feed. Look, thanks for everyone who supported the podcast, our work or listened in. Voting is open until the 27th of May. Please cast your vote at riskycreative.com. Big button at the top of the page. Details of it are there. The winners are announced.
Luke (03:25.052)
you exist.
Anthony Davis (03:51.342)
on the 4th of June. So there's not long to go. You don't have to wait long to find out who the winners are. And they're announced at the Cyber 100 Club event in London, which is part of Infosec Europe. So if you're at Infosec Europe, I'll be there on the 4th of June. Come and say hi. That'd be really, really good. And yeah, we'll find out who wins. Fingers crossed. mean, like, no, no. I'm convinced it's not gonna happen. So I'm not writing a speech.
Luke (04:12.532)
if you've written your acceptance speech already.
Luke (04:21.886)
Yeah. You know how that's going to go.
Anthony Davis (04:22.261)
Yeah, so it's weird. How does every episode of this go when it's not scripted? It's never scripted and how does it go? It goes far too long. Doesn't get to the point quick enough. Just like what I'm saying now. Yes, probably. Give me that back. We're giving it to someone else. Anyway, don't forget along the podcast, we obviously have the newsletter comes out every Monday. Sign up at riskycreative.com. Right. That's like all the blurb.
Luke (04:26.558)
you
Luke (04:31.058)
Yeah. They'll be kicking you off the stage and booing you.
Anthony Davis (04:52.173)
Should we get on with the news? Brilliant.
Luke (04:53.618)
Yeah, that's good to know.
Anthony Davis (04:57.439)
Right, we've got a whole bunch of stuff to get through this week, but I feel like we've done this. Okay, the first story, I feel we've made this change. We spoke previously about how Windows 10 support was ending 240 million devices falling out of support, awful, awful, know, the e-waste that was being generated, the 240 million devices, all of a sudden vulnerable to any kind of cyber attack.
Luke (05:07.348)
Thank
Anthony Davis (05:27.809)
Microsoft have changed their mind. They've extended support for Windows 10 until October the 10th, 2028, which is amazing. So this does provide users with additional time to transition to Windows 11. I think what it also means is that over the next three years, a number of those computers that are currently running it will die. So.
People will buy a lot more new machines. That figure of 240 million will probably greatly reduce, which is amazing. So yeah, they've basically, O365 app support continues, which is lovely. They do still recommend upgrading to Windows 11 to ensure optimal performance and compatibility so you can get all the nice new co-pilot tools and stuff like that.
Luke (06:15.113)
Yeah.
Luke (06:22.62)
It's pretty good that they've gone to 2028.
Anthony Davis (06:25.983)
Yeah, they could have done a year, two years, but no, they've gone for three years, which is, which is great.
Luke (06:31.39)
And that's the Defender updates as well, so you'd hope personal computers might be a more safer.
Anthony Davis (06:38.879)
Yeah. Yeah. It does mean you can now plan. You've got three years shockingly on this is, and I won't get into this too much, but when I shared this on my TikTok, our section about this ending, so many of the comments were like, I'll just carry on using it unsupported or I'm still running Windows XP. And there's certain amount of trolling in that I'm sure, but the amount of people that didn't really see the problem.
Luke (07:09.34)
Yeah, they were potentially logging in, well, let alone their personal accounts in their banking, but their work accounts potentially, if they're able to.
Anthony Davis (07:09.451)
You know, the fact that your computer.
Anthony Davis (07:17.281)
the fact your PC is not going to receive updates anymore. Surely that's a problem.
Luke (07:23.986)
Yeah.
Anthony Davis (07:25.175)
You'd think, yeah. So well done Microsoft for turning the tide, sparing a load of devices from obsolescence, which is brilliant, forced obsolescence.
Anthony Davis (07:43.79)
The next story tonight, 89 million Steam accounts reportedly leaked. Okay, Steam told you to change your password. Steam, we've talked about Steam before. Steam is the game distribution system, game marketplace that Valve have. Valve have confirmed there was no breach of Steam systems despite reports of a leak involving 89 million accounts.
The leaked data consisted of expired SMS authentication codes and phone numbers, but these aren't linked to any steam account credentials, passwords or payment information. So these codes were time limited and couldn't actually be used to compromise accounts. are investigating the source of the leak, which may or may not involve a third party vendor. But they've reassured users that accounts are secure. There's no need to do anything actually. So the initial reports was like,
Luke (08:41.64)
Yeah.
Anthony Davis (08:41.965)
But now the reports are like stand down, everything's fine. It's not on fire. It's not a problem. So that's good. The target market of Steam as well. Like Steam is one of those. I bet there's loads of reused passwords. I bet loads of users kind of don't really think about it. But the amount of hours people invest into games and stuff like that. If you lost your account, there'd be a lot of sad upset people there.
Luke (08:47.379)
Yeah.
Yeah, no.
Luke (09:08.36)
Yeah.
Yeah, especially when there's some games out there that have items that are worth real world money and value and even the games just on the account probably have some value. It highlights as well about SMS codes. Time to move away from those.
Anthony Davis (09:25.549)
We should all be moving. I mean that's deserves a special mention. I'll get on to that a bit later. Um, it's funny you say that I haven't really dawned on in-game items like I knew it but I'd forgotten the in-game items are worth real-world money and I remember years ago someone I know someone I knew and I'm going back like 14 years They bought a world of Warcraft character off someone like 14 years ago for a decent chunk of money
Luke (09:40.296)
Yeah.
Anthony Davis (09:55.873)
because of the stuff that came with it.
Luke (09:55.956)
Hmm.
Yeah.
Anthony Davis (09:59.47)
And this was like 14 years ago. And it was like, wow, this, because obviously you level them up and you earn good stuff and stuff like that.
Luke (10:03.145)
Nice.
Luke (10:06.452)
Yeah, a lot of hours and stuff going into that. Just quickly Googled, this is for Counter-Strike, one of the skins in that game. Guess how much it's sold for? The highest one. 1.2 million dollars. Apparently.
Anthony Davis (10:10.22)
Yeah.
Anthony Davis (10:19.776)
No idea.
Shut up.
For a skin for a game? 1.2 million dollars?
Luke (10:29.352)
Well, I don't know that's gonna show a sold value of what it's estimated, yeah, some of them have been sold for thousands of hundreds of thousands of dollars. It's insane. So yeah, they are worth something.
Anthony Davis (10:38.529)
Yeah, yeah, yeah, that's amazing. That's why you protect your steam accounts people. Yeah.
Moving on tonight, let's talk about another cyber attack. Dior, Fashion House Dior has confirmed a cyber attack that exposes customer data straight off the bat. Like, yep, customer data is exposed, names, contact details and purchase histories. The breach was discovered on May the 7th this year and it affected customers in South Korea and China.
No financial information, such as bank or credit card details was compromised. Dior say they've contained the incident, enlisted cybersecurity experts for investigation, and is notifying affected customers and regulatory authorities. So names, contact details and purchase histories are exposed. No financial information has been compromised. And it's only people in South Korea and China.
that are impacted. if any of your people are those people, you might want to offer them support on this. You know, the typical support is like Equifax or Credit Expert, you know, that kind of, you know, those credit referencing agencies just to keep an eye out for anything weird or any additional phishing attempts or stuff like that.
Anthony Davis (12:12.183)
I mean, that leads us neatly onto a co-op and M&S update for this week. We won't dwell on this for ages. There's a couple of interesting takes on this though. The BBC reported that the co-op narrowly avoided a more severe cyber attack by pulling their own plug. Now you and me have done awareness in the past on ransomware for end users.
Luke (12:39.634)
Yeah.
Anthony Davis (12:41.197)
And we've basically said at the sign of it, just yank the plug, pull the network cable, isolate the device in whatever means necessary. You're literally like pull them. I was surely like anything, but just stop it. Just get rid of it. So apparently because co-op were quick to identify and contain, they went for self-sabotage rather than enforced sabotage.
Luke (12:48.18)
Snap the laptop in half.
You
Luke (13:07.45)
Mm. Yeah.
Anthony Davis (13:11.393)
we're like, right, burn it all. Let's us control this and do it on our terms rather than someone else's terms.
Luke (13:17.458)
Yeah, definitely an interesting way to do it.
Anthony Davis (13:20.961)
Well, it definitely appears like M&S have done the opposite. Because from the reports that we're seeing, co-op are recovering a lot quicker than M&S are.
Luke (13:24.5)
Mm-hmm.
Luke (13:29.288)
Yeah, I guess they must have spotted it sooner. Didn't have time to be dwelling around in there.
Anthony Davis (13:37.196)
Yeah, so M&S, I mean, they're still grappling with the aftermath of the attack. Co-op's response, and co-op actually, like in the whole comms front, co-op, it feels like co-op been a lot more transparent, a lot more communicative. M&S have been a lot more closed shop. Yeah, even today I saw people applauding M&S for their clear communication.
it's I don't want to get into it because I think this is where the blurred lines come between a cyber team and a PR team because at some point, this is a PR exercise rather than a cyber exercise. Like you and me know, in situations like this as an awareness person, you're nowhere near this end point this messaging, you can, you might have a seat at the table, you probably haven't in all fairness. And this is now off to like the the
Luke (14:15.837)
Yeah.
Anthony Davis (14:29.697)
big PR people that you'd probably never speak to. So yeah, it's up to public relations how they handle it. I saw some comments this week. What did I see?
Anthony Davis (16:51.277)
There was one more thing regarding M&S that I saw on Reddit this week. So it was when they announced the breach, someone on Reddit posted a screenshot of the comms that went out to customers. And it said, no payment card details at least. And then the comments on that post were quite interesting because the top comment was, has anyone else who shops with M&S online noticed an increase in spam calls or emails over the last couple of weeks?
I said to my partner the other day that I've been receiving a substantially increased amount. I'm wondering whether this is why. Now, obviously the comments back where, yeah, I've had more spam calls than definitely from a different source. Are the ones, are you getting ones asking you to add to the WhatsApp? I've never had ones like this before. Yes, the calls are automated and say, please add me on WhatsApp. Someone says that their Google call screen, call it. So well done Android for doing that.
And then someone said, yeah, 14 phone calls and countless emails, masses of spam emails. I keep getting them. So now it could be that people are just a bit more aware and are noticing it more. I'm well aware of that, but someone also comments and says no usable card details is what they say. And they're calling out the the phrase usable. So some card details have been taken.
but probably partial or encrypted. So it's, yeah, this is the problem, isn't it? You end up deciphering every little turn of phrase and stuff and reading into it. This is one reason why transparency is nice, but at the same time, not necessarily. Yeah. There was some uncertainty around the, who had actually done it as well, the way the naming around it.
Luke (18:24.702)
Yeah.
Luke (18:39.314)
Yeah.
Anthony Davis (18:49.889)
Like people are saying Dragonforce hackers, Scattered Spider, Dragonforce is a ransomware as a service run by some of Dragonforce. It's like there's still, I feel like this is all, this will all afterwards. It'll be interesting looking back at this in six months time.
Luke (19:10.45)
Yeah, there'll be some nice reports I'm sure which covers it all.
Anthony Davis (19:13.537)
Yeah, yeah. My LinkedIn feed is full of co-op and M&S at the moment. Everybody's got an opinion on it. And I know we're doing exactly the same here, but everybody's sharing an announcement and news reports and it's everywhere. Yeah, yeah. From a brand perspective, you know, everyone's gonna remember co-op and M&S for this, which is at least for a while.
Luke (19:30.078)
Yeah.
Luke (19:40.148)
Yeah.
Anthony Davis (19:42.155)
Yeah. Some people will get some really good talking gigs off this. Those people involved or, you know, in the trenches will be on the talking circuit for six months, six years, you know, after this.
Luke (19:52.052)
There'll be some silhouettes in the room talking with a distorted voice.
Anthony Davis (19:57.87)
We've never done that. Never done
Right, moving on from Co-op and M&S, because that took way longer than it should have done. We'll probably be talking about it next week as well. Still nothing on Royal Mail's breach. A few weeks ago, we spoke about Royal Mail and there's been nothing on that. That's interesting.
Luke (20:15.218)
Yeah, it's a weird one.
Anthony Davis (20:22.317)
Wouldn't it be funny if that was like the beginning of like, if that was dragon force, like if that happened now, we'd all be talking about it. Royal Mail were lucky with that timing if that actually happened. yeah. No. Right, next story. North Korean hackers posing as US tech workers, $88 million stolen. So this was one I saw this week.
Luke (20:27.134)
Yeah.
Luke (20:35.57)
Yeah. Still don't know, right?
Anthony Davis (20:51.839)
North Korean IT workers posed as freelance developers targeting the US tech industry through remote work platforms like Upwork and LinkedIn. Using fake or stolen identities they infiltrated legitimate companies accessing sensitive systems and earned an estimated $88 million, funneling the money back to North Korea's missiles and weapons systems. Don't know that for a fact. That's just what reports suspect.
Not inside, I don't know where the money went. But as part of the takedown, over $3 million was frozen from 17 individuals' accounts. So this wasn't a typical cyber attack. Boom, just like everything else, social engineering and fraud, exploiting trust in remote work. It's exposing gaps in background checks and identity verification. Like state-backed attackers are evolving.
moving beyond data theft to make money from within organizations. Let's get in there. And then someone in there can funnel the money out. So they used stolen identities, stolen US identities to get remote jobs. So identity theft probably could be from a breach or something. You know, they've got, there was a massive breach in the US and it was literally the crown jewels of stuff a little while ago where was social security number. You think about,
Luke (22:10.568)
Yeah.
Anthony Davis (22:19.789)
I've never worked in the US, but you think about what you need to get a job in the UK, need National Insurance number, bank details, form of ID.
Luke (22:27.956)
Or something that could be from a breach or faked and stolen.
Anthony Davis (22:34.701)
But if someone got access to your Google drive, for example, you may or may not have a copy of your, a picture of your passport or driver's license on there. Definitely in your email, like most people would cause they've probably sent it somewhere. Like I'm, you know, if I'm in the process of like buying a new house and like the amount of, I said to my solicitor, I said, um, you want me to email the data over and she's like, yeah.
Luke (22:45.086)
Yeah.
Anthony Davis (23:02.893)
I'm like, do you want me to like put it in Google? She's like, no, send it an email. And I'm like, don't want to cause like, how do I do your password could be like, I am the best solicitor, you know, or something. Do you know what I mean? I think it's.
Luke (23:10.664)
Yeah, you have to. There's a level of trust that you have to put in there, but yeah, you know that it's probably not handled very well.
Anthony Davis (23:19.433)
Yeah. Yeah. Yeah. It's tricky. Yeah.
So don't forget details of all these stories are in the newsletter. More information, links to the articles that tell you everything you need to know about these can be found in the newsletter. You can get the newsletter by searching LinkedIn for the awareness angle, or you can subscribe and get it in your inbox by going to Risky Creative.
Right. Next story, sir, is yours.
Luke (23:52.424)
Yeah, first of a few. This one was a pretty interesting one. It's a fake AI video generator, which is called Noodlophile. Well, that's the malware, sorry. It's called the Noodlophile. Yeah, it's interesting name. It's info-stealing malware. So yeah, hackers are distributing this through a fake AI video generator called Dream Machine.
Anthony Davis (24:06.176)
Noodlophile.
Luke (24:22.1)
and yeah, these are being posted on Facebook as adverts to sort of promote this, this tool. I'll bring it up on screen just so we can sort of see what that looks like. So as you can see here, it's something we've sort of seen before with the whole Facebook page. Fake looking advert is pretty obvious, right? You look at that. You'd kind of have an inkling it's not, not real, but obviously there's people out there that are going on here.
Anthony Davis (24:49.154)
Yeah.
Luke (24:51.892)
And yet they're their source material trying to get a video generated. Basically they're downloading malware by doing this, which is pretty terrifying. And yes, they're info-stealing malware. Obviously it takes what it can.
Anthony Davis (25:14.283)
Now, just to comment, Luma Dream Machine is actually a video AI with a website, Dream Machine by Luma Labs, but it's a different URL to the one that was on that screenshot.
Luke (25:26.588)
lucky it says a spoofed spoofed sort of thing there.
Anthony Davis (25:30.369)
So it's someone like imitating the brand is yeah with it with a fake website like it's normally Luma labs AI forward slash dream machine Yeah
Luke (25:35.252)
Right, yeah.
Luke (25:40.242)
Yeah, I thought I'd recognise the name. DeadLumaLabs. But yeah, so it's using downloading a zip file that's supposed to be the AI video. But upon opening it, Windows extracts it and automatically starts installing this malware and steals all the data and sits there, I guess, was waiting for some sort of further props by these cyber criminals.
So yes, a thing to point out, guess. Be careful where you're downloading your AI tools. Make sure it's the real website.
Anthony Davis (26:19.573)
I really, really need to flag.
ads on Facebook. Like I've got a story to tell you in a minute about something from Instagram.
Luke (26:33.884)
Yeah, it's not just Facebook as well, right? Every social media has got, even Google, Google sponsored ads.
Anthony Davis (26:39.945)
Even Google, I think reputationally, I've got no evidence of this and Facebook, please don't sue me because you've got more money than me. But I'm sure I've read or heard that like Facebook is like everyone thought X got rid of all their like, checking people like it went to community checking and like to get stuff removed off X was difficult. But this stuff like Facebook should know meta could do better.
Luke (27:00.788)
Hmm.
Anthony Davis (27:10.551)
There's a there's a slogan meta do better. But like, yeah, Facebook, Instagram, WhatsApp scams, like, we should be doing better than this. They could do better, but it doesn't make money. So they don't need to unless their hand is forced. But I've got one I've got an Insta example for Insta to show you later that again, you're like, how is this even allowed? It's mad. So yes, if you see an ad on Facebook for anything,
Luke (27:11.324)
Yeah.
Luke (27:28.883)
Yeah.
Luke (27:35.826)
Yeah.
Anthony Davis (27:42.241)
Google it and you'll probably get, but don't ignore the Google ads. But Google it and find out if it is legit. Don't click the links in Facebook because they're likely just gonna steal all your details.
Luke (27:46.342)
Yeah.
Luke (27:53.928)
Yeah. The next story we've got is the UK government is urged to wake up to serious cyber threats as a report by the Commons Public Accounts Committee has warned that some of their systems are still running Windows 3.1, apparently. So it's an independent review that's revealed that 28 % of public sector IT systems are outdated.
And yeah, some of them are still running Windows 3.1, which hasn't been supported since 2001. Which seems like a... I feel like that's... I would have thought like 90s for Windows 3.1, but yeah. Crazy.
Anthony Davis (28:39.245)
Windows 3.1, so yeah, when did... So yeah, XP was like late 90s, wasn't it? So, 3.1...
My first, I think my first piece, did the first, I remember Windows 3.1, but we had like DOS before that, DOS 6.0 or whatever it was, was I think the first proper computer we had before like Commodore 64 and stuff. That's mental. That's mental. I remember last year with the crowd, when the CrowdStrike stuff happened last summer, I remember,
Luke (28:49.62)
That's a very old thing.
Luke (29:05.682)
Yeah, that was crazy.
Anthony Davis (29:20.301)
everybody was affected apart from Southwest Airlines in the States because they ran Windows 3.1. So they didn't run CrowdStrike because CrowdStrike wasn't compatible with Windows 3.1. It's like, Yeah.
Luke (29:25.854)
That's crazy
Thank
Yeah, so yeah, it just talks about further about how obviously, there's a significant security risk with this. it says about efforts to secure these systems that have been delayed for various reasons there. And they expect to be sort of updated by 2030.
Anthony Davis (30:00.283)
five years time.
Luke (30:01.684)
So yeah, plenty of time for something to go wrong.
Anthony Davis (30:05.099)
Yeah? Wow.
Luke (30:07.048)
Yeah, crazy.
Anthony Davis (30:09.461)
Yes, absolutely crazy.
Luke (30:13.752)
I was what Windows 10 would be out of date, they better be all in Windows 11.
Anthony Davis (30:18.253)
I knew a company going back years and again, I digress completely going back a few years a Company that was planning a Windows Vista rollout to like large multinational Big massive American company that someone I knew worked at were rolling out Windows Vista But by the time the program had been greenlit and was going ahead Windows Vista had reached the end of support and Windows 7 was out
Luke (30:34.153)
Right.
Anthony Davis (30:45.517)
So they, but they were so invested in Windows Vista deployment that they were deploying Windows Vista and it was already out of support. It was like mad.
Luke (30:51.828)
Well, yeah.
Luke (30:55.795)
Yeah.
Anthony Davis (30:56.877)
I used to like Windows Vista. I think they got some bad press.
Luke (30:59.188)
Yeah, it had a good aesthetic, but other than that, it was pretty terrible.
Anthony Davis (31:04.075)
Yeah, yeah.
Luke (31:05.876)
Cool. A couple more stories both around Google and Android. So this first one was a story that originally was about how Google may start auto converting passwords to passkeys for you with supported and compatible devices and websites and accounts. But it seems now that this is a rolling out feature. Yeah, it automatically will convert your saved passwords in your Google
account security automatically for you. Obviously, passkeys are something that's a lot more modern authentication method, uses biometrics to authenticate that it's really you. And obviously far more resistant to phishing and credential theft because obviously there are no actual credentials being shared with them. And yes,
And it is out there now, but it's an optional opt-in feature for your Google password manager. I'm not sure if it's going to be everyone. It's probably being rolled out to certain users at first. But yeah, it's a push towards a passwordless feature with Android and Google Chrome.
Anthony Davis (32:20.179)
It's, passkeys are coming on like this. No, they're coming and they're coming fast. We're going to do a passkeys special in a few weeks.
Luke (32:24.66)
Yeah.
Luke (32:28.116)
you
Luke (32:32.296)
Yeah, once you've brushed up on it.
Anthony Davis (32:35.273)
Some time to prepare and get all the, all the unique parts, but yeah.
Luke (32:38.45)
Yeah, I slowly started using them. I always get a pop-up now. I mean, I use Google and Android and it's always popping up saying, do you want to create a passkey? A lot of websites are doing it now, it seems. And obviously, as we mentioned, I think the last episode, about how Microsoft, new accounts for Microsoft, all passwordless, passkey by standard. So it's happening right now.
Anthony Davis (33:03.155)
It's yeah, it's there, they're out there. It's frustrating that there's not, I don't think anyone's selling them well. But we'll get into that. That's not a conversation for now. No.
Luke (33:12.948)
Yeah. And then, yeah, the final story is another Google Android topic around the new Android 16 that's going to bring major security upgrades with built-in scam protection and expanded access for the Advanced Protection Program, which will use AI to detect these scam messages and whatever else on the device. So it can help to...
block crypto fraud and fake SMS messages, and I guess other parts of your device and other Google apps are probably going to be better protected with this. I mean, obviously they already do like call screening features and stuff, but this seems to be even more advanced there where it can like detect your banking and
if it's a scam banking call and stuff like that. So it's going to get quite sophisticated apparently.
Anthony Davis (34:14.121)
That's good. Do you know what? I feel like Google, if Google brought all of their intelligence together across their whole stack, which historically they never did and I imagine they still don't do, like Android will, the team working on Android are probably just working on Android, but like they could spread this, if they could spread this across the stack, like it'd be amazing.
Luke (34:16.628)
there.
Luke (34:38.77)
Yeah, imagine it would come to like Chrome, some of the features.
Anthony Davis (34:42.413)
Gmail would be a good one. Phishing is still like the number one. Yeah.
Luke (34:44.519)
Yeah.
Luke (34:48.564)
So yeah, definitely, yeah. See, that was the stories.
Anthony Davis (34:50.722)
Yeah.
Cool, cool. There was one, there's one I wanted to just quickly add. I saw a report this week. I just pulled it up and it was a blog post from someone called Dennis, I'm gonna pronounce his surname wrong. Dennis Neep, I think, K-N-I-E-P. We'll put a link to it in the newsletter. And this basically talks about a way to phish passkeys. Now I haven't tested this. I'm not technical enough to like,
fully go out there and do it. But essentially, passkeys are meant to be secure. They use biometrics on your device, obviously, and they're tied to the website you're on. But there's a thing called device code login, which is what smart TVs or command line tools use. So that gives you a short code, you know, like if you sign into, what I did just tonight, I signed into YouTube on my TV with a QR code.
And it gives me like a short code. Well, attackers are abusing that to bypass sign-ins. They generate a code from their device and then trick you into entering it on the real site. There's a write up about it, it says passkeys are phish resistant. Yes, they are, but it's worth remembering that there are many smart people out there trying to work out ways around it. And it could be anything. It could be.
Luke (36:18.204)
Yeah, it'll be the next thing when it's going to get hacked eventually. Or at least there can be ways to manipulate people to expose them.
Anthony Davis (36:22.827)
Yeah. Yeah.
Anthony Davis (36:27.565)
Yes, yes. Right. That was the news.
Luke (36:34.814)
Yeah.
Anthony Davis (36:35.885)
So let's move on to awareness. Awareness. There was a couple of things that I wanted to mention on this. I saw a report this week, Abnormal Security, Abnormal released their 2025 State of Security Awareness Training report. It's a PDF, it's available for free. We'll put a link in the show notes and stuff. Essentially it says, and it was largely focused around security awareness training. So the headline finding
was that security awareness training isn't living up to its potential. Almost every organization, 99%, had had a security incident in the past year caused by something a user could have avoided. Now that's an interesting way to like, security awareness isn't working because 99% of organizations had an incident that was created by a user. Like, let's... So...
Luke (37:34.356)
Quite a general, quite wide sort of statement, isn't it?
Anthony Davis (37:38.542)
It's yeah, yeah. The report basically, the core themes say 83% say security awareness tools are hard to manage. 53% say the effort outweighs the impact. 49% say the impact is minimal. 57% say training effectiveness is reduced because employees share answers. That's not possible in any training we've ever built.
It isn't always easy to measure the impact. The unfortunate truth is that they can't. So it says, interesting, there's an over-reliance on traditional tactics: the most used are phishing simulations, 81%, topic related modules, 80%, and email tips, 71%. Underused: only 61% of people are using just in time training. I'm surprised it's that much. You know, it's because it's not always easy to implement.
Luke (38:33.812)
Hmm.
Anthony Davis (38:37.005)
Only 26% of people are using gamification and 43% video.
Anthony Davis (38:45.719)
There's no denying, I think that there's some useful data in that report.
Luke (38:52.712)
Yeah.
Anthony Davis (38:52.905)
It could, I mean, these reports in some way are typically a bit of a sales pitch. So yeah, it's, the claim is that AI is the missing link to shift from reactive to proactive defense. There's a, programs are designed for compliance, not behavior change. And I think I'd agree with that in many cases.
Luke (39:19.756)
I imagine most start from that point, right? You're going to have to do it for compliance reasons and then it never, maybe doesn't evolve.
Anthony Davis (39:25.547)
That's the one.
Anthony Davis (39:29.805)
If you get right down into like the weeds of it, why you do training, then most people will say that they do training for compliance, right. Like, why do you really do training? Cause compliance says we have to. Do you know what I mean? Like Abnormal do have an AI phishing coach. I didn't realize they did phishing. So it delivers personalized phishing simulations, just in time coaching. You know, all the stuff we've just highlighted isn't done well.
Luke (39:30.846)
Wait.
Anthony Davis (39:59.662)
So yeah, it might be worth, if you're in the market for something, we haven't used it. I don't know if it's any good, but there's an interesting report with some nice stats in, and there's no hackers in hoodies and it's not blue. So it's kind of a nice purple color. So yes, go have a look at the Abnormal 2025 State of Security Awareness Training report. Maybe we should write a report.
Luke (40:25.8)
Maybe one day.
Anthony Davis (40:26.199)
I know. The last thing I wanna mention is a reminder in just under four weeks on the 12th of June, I will be talking at the Future of Cybersecurity Virtual Conference. I've got an interesting little slot with an interesting little story to tell, but the lineup is really good. We've got Marcus Hutchins, who's the guy that saved the internet and stopped WannaCry wreaking havoc across the world.
Holly Foxcroft and Lee Morton from GBG. So yeah, that's gonna be really good. Virtual conference, Future of Cybersecurity on the 12th of June. Details are in the newsletter and in the show notes. Comments. We've got some comments. We share our content. We spliced down the podcast.
Luke (41:10.834)
Awesome.
Anthony Davis (41:23.977)
And we share some short videos now on YouTube. And we share some stuff on TikTok. So there was a couple of comments, do you want me to read these out? Do you want to read these out?
Luke (41:35.506)
Feel free.
Anthony Davis (41:37.526)
So last week, a few weeks ago, we spoke about the NHS SMS text message, whether or not it was real or fake. Luke, Luke brought a text message to an episode and asked me if it was real or fake. Mr. Tallin said, I had the same thing happen to me a while back and I was super wary of it for ages. And now I get them semi-regularly. I have a lot of health issues, but every single time I get one, it still feels dodgy.
And incubi Axta on YouTube two days ago said, I would never click that link and have it as spam, stroke forward. So he wouldn't trust it completely. He, she wouldn't trust it at all. So that's good.
Luke (42:19.826)
Yeah.
Luke (42:23.156)
No, it's not great when you, for the first one, especially if you're in that sort of mindset of being worried about them, even though you know they're there, there could easily be something that comes through that's a little bit different and you think, oh yeah, it's just the dodgy looking real NHS email and text message, but then you click it and it's a scam. So yeah.
Anthony Davis (42:43.457)
Yeah. Dr.
Luke (43:05.278)
Yeah.
Anthony Davis (43:12.971)
let people in or unlock it a little bit. Do you know what I mean? It's possible. We had a comment on what happens when Windows 10 support ends in 2025. It's not happening anymore, so that's brilliant. But James is my friend, 4403, said, OMG, no way. This info needs to be much more widespread. Thank you for helping get the message out though. So you're welcome, James.
Luke (43:39.474)
Yeah, we're going to do a follow up one now.
Anthony Davis (43:41.998)
We should probably, we will do a full one, but we should probably comment back to James that it isn't a problem anymore because he might be out buying a new PC. So, I had a couple more comments. We had a video go like semi viral on TikTok this week, nearly 200,000 views, which is incredible. 200,000 people. That's, that's insane.
Luke (43:48.862)
Yeah.
Luke (44:02.004)
That's going up.
Anthony Davis (44:06.669)
So on the OneDrive feature, we spoke about last week about how OneDrive was enabling OneDrive sync for personal accounts and corporate accounts. Someone called new to Microsoft 365 commented and said, I completely agree. I've been disabling this for various companies ages ago. So I'm quite surprised how many people have not. Regarding last week's WhatsApp scam, the Hi Mum WhatsApp scam.
Dronies, and listen to this people, if you're an awareness person, listen to this. Dronies on TikTok said, we have had a talk as a family about this Hi Mum scam and we have code words and we will always send a picture. So really, really good, really positive that they've gone out there and done that. Lastly, I posted a video about Patch Tuesday, because Tuesday just gone was Microsoft Patch Tuesday.
At five zero-days, 72 bugs patched. Geordie Jeff commented and said 72 bugs updated, 72 new ones introduced. So Microsoft have got a great reputation for that. Someone else also said that the update broke their device. I don't know, like Microsoft updates, they're always interesting, aren't they?
Luke (45:21.47)
Nice.
Luke (45:27.122)
Yeah.
Anthony Davis (45:29.417)
Right. Next up tonight, I've got a couple of things that I just wanted to mention. So I've got a video to show you and I just want to say a big hello, hang on. And let's just get this right. A big hello to Hayden. Hayden from KnowBe4. Thank you Hayden Taylor for reaching out to us. Hayden's like a long time supporter of the show. He often reaches out with
stuff he sees. Likewise, if you see anything that you think is interesting, you think we want to know about, give us a shout. You can send us an email, hello@riskycreative.com, or just tag me or Luke, message me and Luke on LinkedIn or something like that. But Hayden sent me this video and he said AI impersonations got his attention, and then he went into Instagram and he ran into an AI scam for investing.
And then it asks him whether he has any investment accounts, but he didn't dig any further. So let me just work out how I can screen share this and we'll get this.
Anthony Davis (46:42.733)
Right. You can see that, can you? Excellent. Let me just turn it down a little bit, because it's quite loud. So on the screen now, we have a gentleman, David Costin from Goldman Sachs Research. This is a screenshot of Instagram. And there's a button here that says, join David Costin's investment group. Apply now.
Luke (46:45.086)
Yep.
Anthony Davis (47:29.645)
and it says, do you have a stock account? Yes, I have. No,
Luke (47:34.078)
Wow.
Anthony Davis (47:36.075)
Now there might be some lagging. We'll get it as sharp as possible. If you're watching this on YouTube, we'll insert the sharpest version we've got. It's definitely a deepfake. Like you could tell, cause the lips and the teeth go all a bit... Yeah. I mean, it's two different angles, two different cameras.
Luke (47:48.563)
Yeah.
The face was moving a bit, wasn't it? Bit funny. It's pretty good for, yeah, that was a nice, nice feature to put in there. So that was it, a bit more.
Anthony Davis (47:59.052)
Yeah. I've seen similar. I've seen similar on TikTok. My TikTok, I don't TikTok a lot. I post on TikTok, but I have the, like the algorithm doesn't know me. So the algorithm thinks I want this oud aftershave because it just keeps showing me people advertising this oud aftershave, which apparently has been worn by all these celebrities. Tom Hardy appeared on my newsfeed.
telling me about the aroma and how he selected it and how it's a distinct aroma. Tom Hardy sponsored by Jo Malone aftershave. Like Tom Hardy has a deal with them. He has his own aftershave. I think he's in the adverts for it. And I Googled it and Tom Hardy, there's a video out there of Tom Hardy talking about Jo Malone aftershave, and this 10 pound oud aftershave has basically stolen that footage and doctored it in some way.
Tom Hardy's not promoting a 10 pound TikTok aftershave. It's also, I saw another footballer, like there was a footballer being interviewed and it was like, yeah, he always smells good. Yeah, he smells amazing, blah, blah, blah. And it's like no premiership footballer is wearing a 10 pound TikTok aftershave, guarantee it, guarantee it.
Luke (48:59.47)
No.
Luke (49:14.008)
No, it reminds me as well, I saw a news story about a typical like AI scam with George Clooney. I don't know if you saw it. An Argentinian woman was duped out of 10,000 pounds after falling victim to this fake George Clooney Facebook account. Yeah, lots of badly deepfaked video footage but...
Anthony Davis (49:25.098)
No.
Luke (49:40.66)
Obviously it's working right? People are getting scammed out of a lot of money.
Anthony Davis (49:42.604)
I feel like we've been doing this podcast for ages now. Do you remember the Brad Pitt one? Where we spoke about fake Brad Pitt, AI generated photos of Brad Pitt in hospital, doesn't have access to any money. I mean, I was close to laughing there. It is sad, right? These are vulnerable people that are losing out on large sums of money. Yeah. Yeah.
Luke (49:47.74)
Yes, very similar.
Luke (49:54.92)
Hmm.
there.
Luke (50:04.434)
Mm-hmm. Yeah, it's working. Yeah, there's people out there that are vulnerable to these sorts of things.
Anthony Davis (50:12.843)
Yeah. I've got one more thing and it's only a quick thing I wanted to show you this week. And it's not, it's not current, but I thought it was interesting because it's interesting about data and permissions. I'm going to share this video. So this is a video that I've seen. It's from a YouTube Shorts account called go to.
It's not, you can just listen to it. There's not really much to say, but for the purpose of the video I'll share it.
Anthony Davis (50:52.311)
I need to, it helps if I turn it up. All these platforms, some of these aren't very desktop friendly. So here we go.
Anthony Davis (51:08.937)
He means IMEI, IMEI. But he's talking about the IMEI. So that's the identifier of your phone.
Anthony Davis (52:18.455)
It's mad, isn't it? When you think about one decision in one app like Angry Birds, that decision, the chain reaction that that had on a global surveillance program.
Luke (52:19.092)
That's amazing.
Luke (52:30.152)
Yeah, that's incredible.
Anthony Davis (52:35.157)
I don't know if any of that's true. Tin hat, no tin hat. I don't know. But he sounds like a guy that's probably a bit convincing. But Hubert.
Luke (52:38.836)
I mean if it is, you can't... yeah. If it is true, it goes to show you can't trust even these popular apps that are out there. It's crazy. I imagine that was fixed.
Anthony Davis (52:53.271)
Yeah. So that was Bert Hubert. Bert is the founder of
But Bert's the founder of PowerDNS, software that powers a significant fraction of the internet. So I believe that. So yeah, it's interesting.
Put a link to that in the show notes as well, newsletter. I keep saying show notes is more the newsletter than the show notes. Although all the episodes are available on our blog. If you go to riskycreative.com and all the links are on there. Right, Luke, what you got for me this week?
Luke (53:14.95)
Yeah.
Luke (53:18.74)
you
Luke (53:30.804)
Um, yes, this is a TikTok I saw. It's probably a couple of weeks old now. I mean, it's, it's a thing that's been happening for a while, it seems, but it's a, um, booking.com, there's chat, like the online chat feature being abused. Um, as a TikTok video, you want to play it, it's probably not the best explained video. This seems like the person in the video is probably rushing a bit, a bit panicked, but
You can play a few seconds of it and then we can discuss it.
Anthony Davis (54:03.841)
There is a...
There's a little bit of language, fluffy language in this. So if you're listening with young ones in the room, you might want to kick them out or put your headphones in, or Luke might work some magic in post. I don't know, but just a warning. There may be a few bad words. This is from Rian Hudson on TikTok on the 5th of May.
Luke (55:59.102)
So yeah, quite a scary story that these sorts of things happen to anybody. Yeah, it seems to be the hotel accounts are being compromised by cyber criminals, and sort of like a business team are compromised type thing. These accounts probably aren't well protected and scammers are getting in there and sending messages to these people that booked for the hotel.
Anthony Davis (55:59.168)
interesting isn't it?
Anthony Davis (56:12.331)
Mm.
Anthony Davis (56:28.781)
If you read the comments on this, the comments on this, you have to take the comments with a pinch of salt, obviously, because none of them are validated. The top comment on that though, is booking.com is not ABTA protected. If you don't know, ABTA protected obviously gives you some protection for your order. So all companies should have their ABTA logo present on their website as well as ATOL protected.
Luke (56:29.108)
for the official thing.
Anthony Davis (56:57.483)
ABTA protect your holiday if travel doesn't go ahead, company goes bust, et cetera. Someone else said it happened to me in Jan. It was such a sophisticated scam as well because your name details and hotel with dates. Same happened to me. The message also showed on my messages in the booking app. Same thing happened to me last year. It takes screenshots and messages to hotelonbooking.com. My bank gave me the money back. Booking with a credit card would be the advice.
Every time the hotel texts me through booking.com, I just don't answer for this exact reason. Scammers just hack the hotel's booking.com accounts and basically write whatever they want, says one of them. So that's an interesting way. Like as an attacker, there's an amazing way to get a load of money. Cause like new people are checking in every day. How good is the security at a hotel? That's yeah, that makes a lot of sense.
Luke (57:38.739)
Yeah.
Luke (57:49.882)
Mm-hmm. Yeah. So yeah, seems to be that's the way, these accounts have been taken over through phishing. Credentials are getting exposed and, yeah, criminals are logging into these genuine accounts and pretending to be the hotel. Yeah, and that's quite scary. There was a, there's an action fraud thing, article talking about it.
Anthony Davis (58:00.846)
Mm.
Anthony Davis (58:09.09)
Yeah.
Luke (58:19.476)
For obviously a more UK related, but they've received, between, this is quite an odd, this is like a January news story, but between June 2023 and September 2024 they've received 532 reports on this scam, combined £370,000 being lost. So yeah, it's one to look out for if you've booked with Booking.com and really any out of the blue
Anthony Davis (58:21.645)
Hmm.
Anthony Davis (58:47.618)
Yeah.
Luke (58:47.764)
message from a hotel, right? Compared to any, anything.
Anthony Davis (58:51.127)
Again, back to the feelings, right? Straight away when she was talking about, she was talking about fear, uncertainty and doubt. You know, there's a fear that a holiday won't be booked. They've put time pressure on her to get something done in time. And if it feels, the minute something feels funky, pause. And if you've listened to the episode we had, the discussion I had with Jasmine, like just pause, take a few deep breaths.
Luke (59:05.981)
Mm-hmm.
Anthony Davis (59:20.833)
And you'll get a moment of clarity probably. It's like, actually, well, this is a prime example of when the body's stressed, we do, we don't think straight. So you need a reset. So you need to like, just take a deep breath, reset and think clearly, you know, you don't have to act straight away. So yeah, yeah.
Luke (59:23.508)
Yeah, I think this is actually real.
Luke (59:42.64)
No, even if they're pressuring you to. No, yeah. And a reminder as well, yeah. Reach out directly to the actual hotel or whatever through a different way. I mean, obviously if they're compromised as well, you could be talking to a scammer. So it's a pretty tricky thing to be in, situation to be in. But if you've paid for it already, maybe think this can sort of wait a bit. Don't need to pay again.
Anthony Davis (59:51.467)
Yes.
Anthony Davis (01:00:08.875)
I would email, I would email and ask for additional confirmation. My guess is that quite often it's going to be their booking.com account that's compromised. But yeah, email, verify is the keyword here. Yeah. Yeah.
Luke (01:00:20.442)
Even phone them directly as well, Speak to them.
Yeah.
Anthony Davis (01:00:28.619)
I want to finish on one last thing. And this is an old one, but I feel, I wasn't going to mention it because I thought it was too old. But actually, I think this is quite relevant again. Everybody in the awareness industry of late, of the last few weeks, seems to be talking about social engineering and vishing. Okay. Social engineering, it's widely acknowledged that
M&S were compromised by social engineering, Co-op were compromised by social engineering. You know, that's one of the attack vectors that Scattered Spider and DragonForce, whatever you want to call them, use is social engineering. So I think a lot of awareness professionals are going to be putting training out on social engineering or going to be doing campaigns on social engineering over the coming months. We're going to be asked to, as awareness professionals, our CISOs are going to be asking
us to protect ourselves from the threat that's out there, especially if you work in retail. I just want to remind everyone that in December 2020, GoDaddy, the domain name registrar and website host, they ran a phishing campaign in December 2020. Okay. Let me just, let me just get this up. So GoDaddy sent an email to
employees in December 2020 promising a Christmas bonus. Now in the middle of the pandemic economic troubles.
And it was a phishing attempt. They offered $650 as part of a phishing campaign.
Anthony Davis (01:02:17.005)
Yeah, it was, the message was part of a phishing test designed to educate staff on social engineering tactics. Employees who interacted with the email were informed that they'd failed the simulation and were directed to complete additional training. The company faced a load of criticism. I remember this being in the news. The company issued an apology to employees. But they didn't pay any bonuses. And I actually remember off the back of this.
Luke (01:02:44.82)
you
Anthony Davis (01:02:46.359)
This was the one where you and me went through and pulled bonus related. I think we were with CybSafe at the time. And I'm pretty sure we went through, we spoke to CybSafe and they acknowledged that they'd removed it. They were like, no, we've removed anything that could be controversial out of our platform. Cause everything was very sensitive at the time. So well done CybSafe for doing that. But if you're running,
Luke (01:02:55.572)
Mm.
Luke (01:03:08.723)
Yeah.
Anthony Davis (01:03:14.539)
phishing campaigns or you're running awareness campaigns. Don't try and trick people and be considerate of people. That would be my only advice. Don't just go out there and try and catch everyone out because you're not going to win any fans. Phishing.
Luke (01:03:27.508)
I'd definitely vet the templates and don't just think, there's a thousand, 10,000 templates here. I'll just enable them all. They're amazing. Cause I'm thinking they've got hundreds of them like this.
Anthony Davis (01:03:37.934)
Right now, I don't think I'd be doing phishing simulations right now. I think I'd be talking about social engineering. I think we need to educate, all of this M&S, Co-op, all of this, it's so in the news, especially here in the UK. Now's the time where we can just talk about it and we can have these conversations and tell the stories. I don't think we need to simulate it right now. Show people what it sounds like. Maybe try and do some.
Luke (01:03:44.284)
No.
Anthony Davis (01:04:07.137)
voice clones of people in your business that they may know, but I wouldn't be right now. No, just don't rush into things. Take, take a breath and see what you can do. I heard today, Hawkson have got some interesting stuff on vishing, but I haven't seen it. So maybe we should, maybe I'll have a chat with someone. But yeah.
Luke (01:04:10.462)
Mm-hmm. They're good. Yeah, they're good talking people.
Luke (01:04:25.555)
Right.
Luke (01:04:30.29)
Yeah, it's not very unpopular simulation. Everybody does email.
Anthony Davis (01:04:37.633)
This space has all moved so quickly and now it's being used. I mean, it's not necessarily voice phishing, but now social engineering is being used. You know, verbally phishing people. It doesn't need to be a clone. You know, just acting like, hi, I forgot my password. Can I, you know, just putting pressure again, help desk employees, fear, uncertainty and doubt. Just be really considerate before you go and simulate that. I think education and awareness is where we should be at the moment rather than simulation.
Luke (01:04:55.656)
Yeah.
Anthony Davis (01:05:07.789)
But yeah, if you're a vendor and you're listening to this and you've got awesome voice phishing or awesome, you know, social engineering stuff, talk to me. Talk to us. We'll talk about it. So that'd be cool.
Right, the top comment on Reddit on that GoDaddy one was, I've only failed one phishing attempt and it was for a fake hot dog truck menu outside our office. Food and beer, we call everyone beer, long time ago. Cider. Right, that's it for this week, I think. Is that it? Awesome, right. Don't forget, sign up for the newsletter at riskycreative.com.
Interview with Amy comes out on Thursday. It's a really good one. It's quite fun, quite lighthearted. Yeah, so listen to that and we'll see you next week.
Luke (01:06:04.158)
See you next week. See you.
Anthony Davis (01:06:05.773)
See you next week. Bye.