From teenage hackers to phishing flannel sales: what this week in cyber taught us about trust
This week’s episode of The Awareness Angle is a big one. Not just because we hit Episode 40 and gave the podcast a fresh coat of paint (hello purple), but because the stories we’re covering say a lot about where cybersecurity is heading and where the human element still matters most.
We kick off with the news that Call of Duty: WWII had to be pulled from Game Pass after it was found to contain a serious remote code execution flaw. Just joining a multiplayer match was enough to let attackers run code on your machine, no download or interaction needed. The game was using outdated peer-to-peer networking, and this old vulnerability became a very real problem once it was re-released. It’s a solid reminder that putting something on a trusted platform doesn’t automatically make it safe.
Then there’s Dylan, the teenager who reported a critical vulnerability in Microsoft Teams and ended up changing Microsoft’s bug bounty rules. At just 13, he wasn’t even old enough to take part, but Microsoft made an exception and rewrote the programme to include researchers his age. He’s now 17, still reporting bugs, and has become a key figure in responsible disclosure. His story shows how powerful it can be when we encourage curiosity instead of shutting it down.
Meanwhile, researchers have discovered a new tactic called “prompt injection for praise” where academic papers hide instructions designed to manipulate AI models into generating flattering summaries. It's another example of how AI tools, while useful, can be tricked and influenced behind the scenes. We talk about why trust in automation can be risky and how this could impact anyone relying on AI to summarise or assess content.
In the UK, emergency alerts are back. The government is planning another full-scale test of its mobile alert system in September, with phones expected to blare a loud warning even if they’re set to silent. These alerts can be life-saving, but they can also cause real problems for people in vulnerable situations, especially those who rely on hidden phones. We chat about how comms like this need to be handled with care and why a simple test isn’t always simple for everyone.
Then we dive into the sharp rise in phishing attacks using .es domains. A 19x spike in malicious campaigns was uncovered, with most attacks spoofing Microsoft login pages. These aren’t basic scams either. They use CAPTCHA gates, polished lures, and infrastructure like Cloudflare to appear legitimate. It’s a reminder that even trusted tools and clean-looking domains can be used for harm.
In Brazil, a massive $140 million bank heist started with a $920 bribe. One insider gave up their credentials and followed hacker instructions passed through a Notion workspace. It’s a classic case of insider risk combined with social engineering, and it shows how attackers don’t always need malware when they’ve got people.
Monzo also found itself in the spotlight this week, with a £21 million fine for letting customers sign up using clearly fake addresses like 10 Downing Street and even their own HQ. It happened during a period of rapid growth between 2018 and 2022, and while the systems have since been improved, it’s a strong example of why basic checks like address validation still matter.
Then there’s the fake Dixxon flannel sale that nearly got Ant. A scam account on Instagram promoted a slick-looking website offering limited edition shirts at a massive discount. It used real branding, looked almost perfect, and even had stock numbers that changed depending on your clicks. But the site had only been registered weeks earlier and the whole thing was a complete fake. Dixxon confirmed it wasn’t them. It’s a brilliant example of how scams are evolving and how easy it is to get caught out when you’re in a rush and see a brand you trust.
Speaking of almost getting caught, we also cover Victor Serban’s near-miss with a phishing scam posing as a new client. Victor is a well-known PPC expert who was contacted by someone claiming to work for a legitimate company. Everything looked fine until the Google Ads invitation came from a suspicious email address. MFA saved the day, and Victor spotted the red flags just in time. We talk about how this kind of scam could be used to compromise entire ad networks and why it’s more targeted than most people realise.
Then there’s McDonald’s, who used an AI-powered chatbot for recruitment, only to find out it was still using the admin password “123456.” Researchers got in and uncovered a serious IDOR vulnerability that let them access applicant data at scale. The vendor has since patched the issue and launched a bug bounty programme, but it’s a clear reminder that AI platforms still need old-fashioned security controls.
We also talk about Apple’s new scam warnings in Apple Cash. They’re only live in the US at the moment, but they pop up when a transaction looks suspicious and warn users to be cautious. The alert is smart but a little clunky in language, and we wonder how well it’ll land in a high-pressure moment.
We close with a lovely story from MK Dons football club, who have released a new away kit in tribute to the Enigma codebreakers of Bletchley Park. The shirt design includes a repeating pattern based on the Enigma machine and it’s a beautiful way to connect modern football with local tech heritage. Cyber meets culture.
And in this week’s Awareness Awareness, we cover KnowBe4’s free human risk maturity assessment. It takes five minutes and gives you a full report with benchmarks, suggested improvements, and action plans to level up your awareness programme. We also highlight a new internal comms report from Samantha Fletcher at Sainsbury’s that shows just how much people want authentic communication and clarity from leadership. It’s packed with stats and insights that are highly relevant to anyone working in security awareness or employee engagement.
Finally, Ant shares a preview of the next Awareness Angle interview with Lori Steuart, a content marketing pro who has helped security brands communicate better. They talk about what security teams can learn from B2B marketing, how storytelling helps drive behaviour change, and why your messages don’t have to be boring to be effective. It’s a conversation you won’t want to miss.
If you’re into human risk, behavioural security, phishing scams, or just want to stay sharp on what’s happening in cyber, Episode 40 is a good one.
Sign up for The Awareness Angle Newsletter today and get notified every time a new episode is released. Each newsletter contains details of the topics discussed and more from the world of Security Awareness.
M&S and Co-op Cyber Arrests
Watch – https://youtu.be/jG9o0q2eDdQ?t=199
Read – https://www.bbc.co.uk/news/articles/cwykgrv374eo
Call of Duty WWII Hacked via Game Pass
Watch – https://youtu.be/jG9o0q2eDdQ?t=356
Read – https://www.notebookcheck.net/Call-of-Duty-WW2-players-are-being-hacked-by-RCE-exploit-after-shooter-debuts-on-Xbox-Game-Pass.1050816.0.html
13-Year-Old Hacks Teams, Changes Microsoft Policy
Watch – https://youtu.be/jG9o0q2eDdQ?t=620
Read – https://interestingengineering.com/culture/teenager-rewrites-microsoft-bug-bounty-rules
Researchers Trick AI Into Praising Their Work
Watch – https://youtu.be/jG9o0q2eDdQ?t=789
Read – https://80.lv/articles/researchers-hide-prompts-in-reports-to-make-ai-praise-their-papers
UK Emergency Alert System Test Coming
Watch – https://youtu.be/jG9o0q2eDdQ?t=1057
Read – https://www.bbc.co.uk/news/articles/c4ge9xk8wj0o
Phishing Surge Using .es Domains
Watch – https://youtu.be/jG9o0q2eDdQ?t=1212
Read – https://www.theregister.com/2025/07/05/spain_domains_phishing
$920 Bribe Leads to $140M Bank Heist in Brazil
Watch – https://youtu.be/jG9o0q2eDdQ?t=1510
Read – https://www.bleepingcomputer.com/news/security/employee-gets-920-for-credentials-used-in-140-million-bank-heist
Monzo Fined for Fake Customer Addresses
Watch – https://youtu.be/jG9o0q2eDdQ?t=1717
Read – https://www.bbc.co.uk/news/articles/cqjqgxzz8gjo
MK Dons Honour Bletchley Park in New Kit
Watch – https://youtu.be/jG9o0q2eDdQ?t=1916
Read – https://www.bbc.co.uk/news/articles/cx23djxn89ro
McDonald’s AI Hiring Bot Leak
Watch – https://youtu.be/jG9o0q2eDdQ?t=2005
Read – https://cybersecuritynews.com/mcdonalds-ai-hiring-bot-leaks
KnowBe4 Culture Assessment Tool
Watch – https://youtu.be/jG9o0q2eDdQ?t=2228
Read – https://blog.knowbe4.com/is-your-human-risk-management-program-creating-measurable-change-find-out-with-our-free-program-maturity-assessment
Internal Comms Report from Sainsbury’s Samantha Fletcher
Watch – https://youtu.be/jG9o0q2eDdQ?t=2537
Read – https://www.ioic.org.uk/resource-report/ic-index-2025.html
TikTok Deepfake Identity Warning
Watch – https://youtu.be/jG9o0q2eDdQ?t=2681
Apple Pay Scam Warning Prompt
Watch – https://youtu.be/jG9o0q2eDdQ?t=2940
Dixxon Flannel Instagram Scam
Watch – https://youtu.be/jG9o0q2eDdQ?t=3190
Victor’s Google Ads Phishing Close Call
Watch – https://youtu.be/jG9o0q2eDdQ?t=3614
Read – https://victorserban.com/
Ant Davis (00:02.548)
You're listening to The Awareness Angle, the show that makes sense of the week in cyber security. From clever cons to corporate chaos, we pull out the stories that actually matter. The views expressed in this podcast are our own and don't reflect those of our employers or any organisations that we're affiliated with. I'm Ant Davis, joined by Luke Pettigrew, the man behind the mix, the mischief and the occasional mid-show fact check. Hello, Luke!
Luke (00:29.912)
Hey everyone, how we doing? Yeah, not too bad, thanks.
Ant Davis (00:32.663)
Okay, yeah
Good, good, it's 40. Episode 40, who'd thought we'd get to 40? Next stop, 52, so this is awesome. We haven't missed a week yet. And for episode 40, we've had a bit of a refresh. Well, you've probably noticed our imagery has changed a little bit. We've gone purple from blue. Just trying to stand out and shake it up a little bit.
Luke (00:39.518)
No, it's crazy. Who would have thought? Still here.
Ant Davis (01:04.354)
Yes, some new branding out there on YouTube and on the podcast platforms which we're excited about.
Luke (01:10.318)
Yeah, looking nice and fresh. Bit of a refresh.
Ant Davis (01:13.1)
Yeah, continuous evolution. It's never finished. It's always a work in progress. But it's...
Luke (01:21.164)
Yeah, it'll change by episode 80 or under or something.
Ant Davis (01:25.934)
Probably, probably, maybe not even that far. Let's get the rest of the business out of the way. Do you subscribe to the newsletter? No, why not? Get yourself to riskycreative.com and sign up for the newsletter or search for the awareness angle on LinkedIn. The newsletter comes out every Monday, covers everything we talk about in the episodes right in your inbox. So if you haven't got time to listen, you can read it and you can jump straight to the bits that interest you the most.
So that's at riskycreative.com. And interviews. So, week before last saw us releasing our interview with AJ King, behavioral psychologist, UX guy, general chat into behaviors and why people do the things they do. Well, this Thursday sees the release of the next awareness angle interview. And this one is with Laurie Stewart. Laurie is a content marketing pro.
She's worked with cyber security brands, big and small, to make their messages stand out. We talk about security teams, what they can learn from B2B marketing, why storytelling still works, and how you can shift behaviors without boring people to death. It is very different to the conversation I had with Sarah Carty at Unboring a few weeks ago. I think they really complement each other well. And the other awesome thing about Lori is she...
She took the call. She also works in a synthesizer repair shop in Canada, right? That her and her husband run. It's the most amazing looking background. Like, I wanna work there with all this classic old technology. So, that's out on Thursday. It will be the next episode after this on YouTube or in your podcast platform.
Luke (03:17.526)
Awesome. That's all the equipment.
Ant Davis (03:19.342)
Right, it is a good one. I think they're all good ones, but yeah, this is another good one. If you work in cyber and you're trying to change behaviors, it's a good listen, it's a good listen. Right, let's get on with the news. And let's start tonight. We're not gonna spend ages on this, because it's a developing story that broke this afternoon. It's probably gonna have changed by the time this comes released, plus I opened up my LinkedIn feed this afternoon.
everybody was talking about it. You might as well have renamed LinkedIn to M&S arrests. So NCSC have arrested, sorry, not NCSC, National Crime Agency have arrested four individuals in connection with the M&S and Co-op cyber attacks. A 20 year old woman was arrested in Staffordshire and three males aged between 17 and 19 were detained in London and the West Midlands.
on suspicion of Computer Misuse Act offences, blackmail, money laundering, and in participating in the activities of an organised crime group. It was an early morning raid, apparently, like dawn, people with balaclavas on, this was like full on, like they've been got. We always thought it'd be someone quite young and I've seen some takes on LinkedIn, people saying,
We should recruit people like this. Why aren't people like this working on the good side of cyber? They might be, we don't know. But it's terrifying that, you know, three people, four people 20 years older than, under, create so much havoc, if it is them.
Luke (05:02.424)
Yeah, it's not the first time. It's quite common, isn't it?
Ant Davis (05:08.206)
If I remember rightly, Talk Talk hack was the result of a 16 year old in Cardiff or something like that, so I haven't verified that. But yeah, it's not unusual for these to be youngsters without much to lose, opportunistic. Yeah.
Luke (05:30.678)
interesting to find out more over the next couple weeks.
Ant Davis (05:33.846)
It's a developing story, I'm sure there'll be more of this. I'm sure if we wait a year or two, there'll be a BBC or an ITV or a Netflix documentary and a dramatized thing of it as well, probably starring Michael Sheen or David Tennant or someone like that. Always the way. Right, that's the first news story tonight. Let's move on to the next one, which is yours, sir.
Luke (05:56.524)
Yeah, it's quite an interesting one of a well-known game called Call of Duty. But this is an older version.
A game that came out, I think, quite a few years ago, got re-released on Xbox Game Pass and has basically had an RCE, which is a Remote Code Execution vulnerability, and has allowed attackers to essentially hack people's computers from those that are playing the game in the same lobby as them, and that's all because the version that got released is using peer-to-peer for its connection method.
And so yeah, from this they've taken the game down from the Microsoft Store and Xbox Game Pass, but it's quite a crazy story where people have been hacked mid-game, they're just having fun playing a game. And then malicious code's been run on their computers. And yeah, there's no clicks on the downloads to have that happen.
Ant Davis (07:06.094)
Do you know, I've been playing this game actually on the Xbox. I saw it came through and like the World War 2 setting. I can't remember whether it was Medal of Honor or Call of Duty, but there was one of these and I remember jumping into a tank and then like jumping out of the tank again in the tree in amongst the trenches. And I have really fond memories of playing one years ago on like the Xbox 360. So when I saw this come on Game Pass, played it and then opened up a conversation with my son about World War 2 and stuff like that, which was brilliant.
But yeah, this has been, there's been some quite bad, I saw the word smut used in one of the articles to describe how people have been displaying images, forcing images on people's computers and changing their wallpapers and stuff like that. And it was a great use of the word smut, which you don't hear very much anymore. But essentially, they've been putting explicit images on people's computers, haven't they? And it's, yeah.
Luke (07:50.637)
Hmm.
Luke (08:02.669)
Yeah.
Ant Davis (08:05.742)
It is an adult-rated game. I think, I'm pretty sure it's like R-rated or PEGI 18 or PEGI 17 or whatever it is. That doesn't mean necessarily that there's not gonna be younger people playing it. But the fact that it was so easily... This isn't a new game.
Luke (08:25.71)
Yeah, no, it's 2017, I think this Call of Duty World War 2 was released. For some reason, Game Pass and Microsoft required this specific version of the game, which used peer-to-peer networking, which was quite a strange decision, I guess. Especially since this wasn't patched and it's probably been a problem way back when it first released.
Ant Davis (08:28.926)
Mmm.
Ant Davis (08:52.77)
Yeah, yeah.
Luke (08:55.15)
And yeah, the game on Steam and Battle Pass doesn't have... Battle Net, sorry, doesn't have this problem because it uses a different network to sort of build dedicated servers. Yeah, so it's just this version. Actually again, it's a bit of an odd thing that they have two different versions, but yeah.
Ant Davis (09:05.485)
Which is why it's still available on Steam, isn't it? I think, yeah.
Ant Davis (09:16.877)
Yeah.
Yeah, so if you want to play, if you really want to play Call of Duty World War 2, get yourself onto Steam, I suppose. Don't get it on game, well you can't get it on game pass, they've pulled it. But it does go to show, they, again, we talk about people doing checks and balances and stuff like that, did they put it through the mill before, like maybe the world was a different place in 2017, I mean it wasn't, but maybe like, maybe it was a slight, we weren't as careful.
Luke (09:30.008)
Yeah.
Ant Davis (09:50.702)
eight years ago, I don't know. But it's, what was good in 2017 is that good today. That's, there comes a time when you're like, okay, we need to review all of this to make sure it's okay. Yeah.
Wow, wow. And it goes to show just because it's on Game Pass and it's on a trusted platform doesn't mean you can trust it. Like, you still gotta be careful.
Luke (10:17.538)
Yeah, definitely.
Ant Davis (10:20.622)
Right, next story tonight. Dylan is a 13 year old and at 13 he wasn't just learning to code, he was already exploring system vulnerabilities because Dylan hacked Microsoft Teams. So yeah, it's he's called... let me just pull this up. Apparently in 2013...
Lockdown, okay. Lockdown came and his school disabled the ability to start Teams meetings, so he found a workaround using Outlook. And over nine months, he taught himself the basics of security research and discovered a critical Teams vulnerability that allowed full control over groups. So he reported it, and because, and this is the twist, right? Microsoft, as it updated its entire bug bounty program,
to allow researchers as young as 13 because of Dylan. So Dylan would have been too young to disclose it previously. So Microsoft's go, we need to remove that age barrier. We need to bring that age right down. So Dylan, right side of the law, M&S people, wrong side of the law. Dylan's like the Batman, so they're like Penguin. So Dylan's now 17 and he's now a regular name on Microsoft's most valuable researcher list.
Luke (11:26.478)
Amazing.
Ant Davis (11:50.53)
He's filed dozens of vulnerabilities and continues to influence the way Big Tech treats independent researchers. But even, even he found a bug in Microsoft's authenticator broker service and it was rejected as out of scope. He challenged the decision and proved it had impact and Microsoft changed his mind and they expanded the program scope again. So he's still in school. Good old Dylan's still in school.
but he's shaping the future of cybersecurity, which is awesome. That's really, really good. He sees security research as a rewarding hobby and he's open to future paths in tech science or public service. So that's not really a new story. That came from interesting engineering, but it's a really positive story about the good that we can foster in youngsters today that have an interest in this stuff versus the bad when they disrupt whole.
Luke (12:47.894)
Yeah.
Ant Davis (12:50.498)
household names and stop people getting their Percy Pigs. I told you it was about Percy Pigs. I bet they didn't get Percy Pigs in their home shopping. I bet you that was
Luke (12:54.414)
Yeah.
Luke (12:59.726)
Maybe. That's a story, though. Well done to Dylan.
Ant Davis (13:03.884)
Yeah, well done Dylan. Next one's yours.
Luke (13:09.966)
So next story we've got researchers hide prompts in reports to make AI praise their papers. So basically these academic papers that obviously these AI tools research and...
whatnot, have basically been sort of tricked by these embedded hidden prompts within the articles designed to manipulate the AI response. So yeah, it is... It says here about how an academic platform of arXiv.
Ant Davis (13:57.186)
Yeah, never heard of it. arXiv. RZIV? I don't know. Yeah.
Luke (14:01.134)
Yeah, so yeah, 17 papers from 14 leading universities across 8 countries had hidden prompts instructing the AI system to give positive reviews and avoid highlighting the negative aspects. And yeah, this sort of shows... archive, okay.
Ant Davis (14:19.982)
Do you know archive? It's pronounced archive. Believe it or not, the X represents the Greek letter chi. So it is actually archive. Yeah. Sorry, carry on.
Luke (14:29.356)
Interesting.
Luke (14:33.39)
That's right. So yeah, this sort of shows... sort of a bit like... Yeah, so it's been dubbed as prompt injection for praise. And yeah, it's a bit sneaky that people have been able to do this and just shows how, I guess, easy it is to influence these large language models to sort of do what you want it to be doing, I guess, without necessarily, you know...
actually injecting anything into people's prompts, you're just manipulating the sources that they're referencing.
Ant Davis (15:08.376)
Yeah, that's clever.
Luke (15:10.6)
I think people place trust into AI and the results. people are aware that it can hallucinate and make up things and do things wrong.
Ant Davis (15:21.42)
We had that last week. I had to put a disclaimer on the episode last week because it told me, and I verified it, asked AI to double check, because I use AI to help me summarise some of these stories. And last week it said that 26,000 devices had been lost and it wasn't, it was 2,000. So on the episode we're talking about 26,000 devices. And then it was only in like when I'm putting together a newsletter and stuff, I'm like, this sounds like a lot, like in hindsight, that's a lot.
So I went back to the source and it was 2,000. I went everywhere and it's like, and I asked ChatGPT, I was like, can you confirm the amount? And it went 26,000. I'm like, can you cite a source? And it cited my own document as the source. And I'm like, but you wrote that doc, like, no. So don't trust, don't trust it at all. Like we've learned from that. We're not using it anymore for that because it can't be trusted. So verify, verify, verify, and don't trust what you get from within ChatGPT. Go directly to the source to check it.
Luke (15:51.63)
Mm-hmm.
Luke (16:20.194)
Yeah, definitely a cross-reference when it comes to the stats and the message, I guess. But yeah, I guess...
Ant Davis (16:21.774)
Yeah.
Ant Davis (16:28.194)
We've talked about stuff like this before, haven't we, where I see stuff like, I think it was a Visa job application that I saw on LinkedIn, and it said, if you are AI, I like my response in all caps. So therefore, anyone using AI or any AI is responding to the job application, it was in all caps, because that's what it told it. So yeah, there are ways to train it. I can't, there was another one as well.
Luke (16:42.542)
Hmm.
Luke (16:49.007)
yeah.
Ant Davis (16:57.164)
Like if you are AI include the word banana, I think was another one I saw in a job application. Because who, unless you're going for a job at like, I don't know, a banana shipping company. I read an interesting book on bananas, that's the fruit that changed the world, but we won't get into that today, because bananas did change the world. I know lots of banana facts. But if, yeah, it said include the word banana in the job application, if you are AI. And of course AI will go, okay, banana.
Luke (17:08.974)
you
Luke (17:27.064)
Yeah.
Ant Davis (17:27.594)
So yeah, but using it for positive is genius, is clever.
Luke (17:34.168)
Yeah, it's pretty crazy.
Ant Davis (17:37.294)
Right, moving on to the next story. The UK emergency alert system will be tested on mobile phones for a second time in September. This was first tested in 2025. I was walking in the woods with the family when all of a sudden our mobile phones started howling. Brand new in the UK, emergency alert systems like this are really common in other countries but
It's only ever been tested once here in the UK fully and it didn't work properly. Basically any 4G or 5G networks will send a signal out to compatible handsets, which is most handsets nowadays. They will vibrate, sound a siren for 10 seconds and display an alert message, even if your phone is on silent. So this system's designed to warn
about imminent dangers to life, severe weather, terror attacks and it's been used in the UK. Warnings were sent to millions during Storm Ewan, I think that's how that's pronounced, and also during a bomb evacuation in Plymouth. So when there was a, I think it was a World War II bomb that they needed to dispose of, they sent that alert out to the local community to tell them to disperse or whatever. But in 20...
2023 there was some issues, people didn't get them, about 7% of phones didn't get the alert. So they're testing it again. Why is this important? So there's a couple of things. Number one, this is genuine, right? It's a genuine test. So it's an example of great communication. There are concerns, domestic abuse, people might have a hidden mobile phone or people having affairs may have a
hidden mobile phone. So if you have a hidden mobile phone for your own safety or because you're up to no good, you might want to turn that phone off around September the 7th this year. So yes, there will be lots of campaigns coming, including British Sign Language content as well. So they're going to do lots of advertising to prepare people for this, lots of preloading of the comms.
Ant Davis (20:03.918)
So it's quite an interesting one, I think. Yeah, that's it.
Luke (20:08.696)
Yeah, let's go.
Ant Davis (20:12.171)
Next one's yours.
Luke (20:12.366)
So moving on to the next one, so we got this story of how cyber crooks are using the .es domain for credential phishing. So yeah, there's been a surge in Spain's country code top-level domain,
and cyber security researchers have said that there's a 19 times increase in those domains being used and it's the third most abused domain after .com and .ru.
Ant Davis (20:48.61)
Wow, that's amazing.
Luke (20:50.51)
Yeah, that's quite a high stat. And yeah, so according to Cofense, they found 347 unique domains with 1,373 sub-domains. And yeah, hosting malicious pages that have basically been credential phishing by the looks of it. And there's a few others.
Ant Davis (20:54.284)
Yeah.
Luke (21:20.276)
and more of a nasty malware posted on those. So they sort of said how these have been using, I think, Cloudflare or similar CAPTCHA gateways as well to try and enhance the legitimacy of people landing on them.
Ant Davis (21:25.87)
Hmm.
Luke (21:39.256)
And then yeah, typical phishing loads of HR forms, invoices and business documents being shared and the whole login to access these and obviously all they're doing is stealing credentials at that point.
Ant Davis (21:52.814)
Hmm.
Luke (21:55.596)
Yes, this is mentioned as well how they think it's potentially due to the ease of deployment of these sort of things with Cloudflare.
Ant Davis (22:07.054)
It's difficult isn't it? You want to trust it, but...
Yeah. Cloudflare good, Cloudflare bad. It's like,
Luke (22:13.464)
Yeah, it's quite tricky to know nowadays. Yeah. That definitely makes it look like it's a typical website when you, the amount of times you end up passing a CAPTCHA, just browsing these days.
Ant Davis (22:20.557)
I mean.
Ant Davis (22:26.862)
Mmm.
What can you, so do we just not trust ES domains? Is that essentially, I suppose, if it looks out of place or?
Luke (22:39.596)
Yeah, I guess if you're not expecting it.
Ant Davis (22:40.716)
Like, I don't, there's not much reason for me to land on an ES domain, because I don't deal with many Spanish businesses, I suppose.
Luke (22:45.42)
No.
Luke (22:49.804)
Yeah, guess it depends on where you're from.
Ant Davis (22:54.634)
It's worth noting this isn't a Spanish news article either, is it? This is from the registers. This isn't a Spanish targeted campaign. This is everyone. Yeah.
Luke (22:54.798)
Yeah.
Luke (22:59.253)
No, yeah.
Luke (23:07.01)
Yeah, it doesn't seem to say about who is... Well, does say... Well, yeah, typically, it's obviously people in Spain would be accessing these domains, but yeah, it doesn't say about who's actually being targeted here.
Ant Davis (23:24.64)
No, you know last week I got that Instagram message that told me to go to... that tried to give me some bitcoin. And the URL that it had was a .cc domain. And when I shared, no, when I looked up, I looked up something about that on Reddit, for example, and people called out that TLD, people called out the .cc, like nothing ever good is on .cc. Nothing genuine ever lives there.
And it's funny, I had a conversation a couple of years ago with a company that wanted to buy a new domain and they ended up buying a .co domain, like .co. And I advised them against it because of the phishing potential, the mistrust people might place in it. But I think .co is actually one of those that I now see happening. I now see being used quite genuinely. Amy Stokes Waters that we had on here on the interview show weeks ago.
They're the cyber escape room .co, so, you know, they are cyber escape room .co and they're a genuine business. So I think genuine businesses are now using .cos where they can't get the .coms or the .co.uks, but .cc, .es is obviously Spanish, but you got it, if it doesn't look right, don't trust it, I suppose, is the message on that. Yeah.
Luke (24:48.11)
Yeah, pretty much. In this case, as far as it talks about, over 95% of these are spoofing Microsoft services. So it seems to me that they're trying to get Microsoft accounts. So if your business or you're using a personal Microsoft account, that's probably what you're going to end up losing.
Ant Davis (24:59.598)
Hmm.
Ant Davis (25:10.446)
Yeah, yeah. Yeah, interesting. Never sign into a Microsoft account on a .es domain, I suppose. Right, next story. An employee gets $920 for credentials used in $140 million bank heist. So this story's on BleepingComputer. Hackers stole nearly $140 million from six banks in Brazil by using an employee's credentials.
Luke (25:13.647)
Yeah, next story.
Ant Davis (25:39.63)
from a company called CNM, a company that offers financial connectivity solutions. So attackers bribed the employee to give them his account credentials and perform specific actions that would help their operations. And I think this is something we're going to see a lot more of. So he, the employee sold his corporate credentials to the hackers for around $920 that gave him access to confidential system.
They then did all kinds of stuff through the Notion collaboration. So I think they've done it through Notion. And the employee attempted to conceal his activity and changed mobile phones every 15 days, but was arrested on July the third. So they approached him when he was leaving a bar. The attackers did their research, identifying potential weak links in the company. And this was a similar approach to
Coinbase recently where agents in India were bribed to siphon out customer information.
So this is a really interesting one, right? We've had, with Scattered Spider and M&S and Co-op, it was all social engineering of the help desk to reset passwords. But supposing you're a, and all of this is like OSINT, you can get all this information out there, you're on LinkedIn as like a domain admin for, you know, Barclays Bank, you're probably a target. You come out half-cut out of a bar in the middle of the night, and they can easily, maybe some AI photos or,
Who knows right? Offer you enough money, what's access worth? It's worth a lot.
Luke (27:17.198)
Yeah.
Luke (27:21.39)
Hopefully more than $920, but...
Ant Davis (27:24.43)
You would hope, $920 might go a long way in Brazil, right? You don't know, I don't know. There's a comment on this article that I think is quite interesting. We may secure the hell out of our systems, but people will always be the weaker piece in the board. To which someone's replied, yep, the dude might have thought or was told that he could get away with it by stating, we've stolen my credentials somehow.
while getting a few months worth of paycheck didn't quite work out, so.
Luke (27:56.206)
No.
Ant Davis (27:58.456)
Yeah, this is, if you have people with privileged access, you need to treat them differently, I suppose. You need to like any strange activity. It's smaller businesses, it's difficult. Bigger businesses, it's also difficult. These systems all cost money, but yeah. It's, that's, how do you patch against that? You can't. I mean, we don't even know that. They don't say that was bribery, but that could easily have been.
bribery. Could have been some dodgy photos of him talking to someone at the bar or anything.
Luke (28:29.548)
Yeah, blackmail. Yeah.
Ant Davis (28:36.918)
Anyway, next one's yours.
Luke (28:37.07)
Yeah, so the next story this week is Monzo, the digital bank, gave accounts to customers claiming to be living at fake addresses, and one of... well, not just one customer, but they've been using addresses like 10 Downing Street
Ant Davis (28:57.966)
Jeez.
Luke (28:58.734)
and have been fined £21 million by the Financial Conduct Authority because of this. Yeah, because of failures in anti-financial crime measures. But this is a few years ago. So obviously since then they've fixed it. It's between 2018 and 2022, but yeah. Yeah, obviously had to...
Ant Davis (29:18.894)
Hmm.
Luke (29:26.382)
whenever they sort of started, the influx of customers and I guess people were just using fake addresses for one reason or another. I guess a lot of crime cases like money laundering or whatnot, you might want to use a fake address and they allowed it at that time.
And yeah, hefty fine.
Ant Davis (29:47.178)
It really shouldn't be possible. Like it should be. It makes me wonder like multiple people at the same address. I take it it wasn't just one person used Downing Street, one person used Buckingham Palace. Someone used Monzo's own office address. You know, it's like surely their record should have shown we've got multiple accounts at this address. Multiple people living at 10 Downing Street. That isn't quite right. You know, it's. Yeah.
Luke (29:56.514)
Hey, what's...
Luke (30:14.53)
Yeah, it's quite... I think it's quite a basic part of ensuring someone is who they say they are when they're opening up a bank account. I guess back then they were probably...
Ant Davis (30:27.662)
I wonder how they verified that. There must have been some address verification. How do you verify this person is who they are? I'm putting together a presentation at the moment and I had to search my inbox. I'm doing a presentation on the safety, how valuable your inbox is. So I had a look at the stuff in my inbox. And in my inbox is a photo of me holding my driver's license. It's got all my address on and everything. It's like someone could have faked that, but.
Luke (30:55.81)
Yeah.
Ant Davis (30:55.862)
Also, interestingly, 10 Downing Street in Buckingham Palace must have received a load of mail saying, here's your new account details. Maybe they should start opening the mail. I don't know how much mail 10 Downing Street gets for other people, but if it's not for Keir Starmer or the previous occupant, maybe they should start investigating. But you can't open mail that's not addressed to you. don't
Luke (31:01.102)
Yeah.
Luke (31:18.478)
and yeah, so I think, yeah, they've obviously had a hefty fine from this, and yeah, since then obviously they've fixed the issue and improved their replication. But I think, yeah, because Monzo started around 2017, 2016, what looks a bit... so I guess maybe they um
Ant Davis (31:26.808)
Yeah.
Luke (31:45.976)
didn't have everything in place that they should have at the time but it seems to have been like a four year period that it was available so yeah
Ant Davis (31:56.398)
Right, next one. And we're talking football. This isn't a football podcast. MK Dons, if you're listening in America or elsewhere in the world, soccer, MK Dons are in the second tier of English football, I think. A league two team? Which means it's the third tier. I will have to verify that. Anyway, MK Dons are in English.
Luke (32:19.672)
verify it.
Ant Davis (32:26.1)
soccer team, and their away kit for this year is lovely because it's in tribute to Bletchley Plark's code breakers, the Enigma machine code breaking. Obviously you can see here, there's a lovely, lovely shot here of all the letters on the kit. I think that's really nice. It pays tribute to the legacy with Enigma machine keys subtly imprinted onto the fabric, honoring Bletchley Plark's...
I can't say Bletchley Park. Bletchley Plark, what the heck, what is that? Honoring Bletchley Park's cipher breaking achievements. So Bletchley Park is a globally renowned heritage site that served as a wartime home for the Government Code and Cypher School. And the work conducted there during World War II not only played a major role in British intelligence, but also laid the groundwork for modern computing. So yeah, they've done that in collaboration with Bletchley
Park Trust. I really like that. If it wasn't an MK Dons shirt, I might wear it. But I can't wear it because I don't support MK Dons. it's still really nice though. Well done, MK Dons.
Luke (33:28.6)
Yeah, it's quite cool.
Luke (33:39.854)
That's cool.
Ant Davis (33:41.902)
Next one's yours,
Luke (33:45.006)
Yeah, quite a big story that I've seen, well, which I'm sure many people have seen. McDonald's blunder with their AI hiring bot, where it's unfortunately led to a leak of around 64 million applicants. All because of a weak password, which probably shouldn't have even been accessible in the first place, but a lovely pass...
Ant Davis (34:02.424)
Not many. That's fine.
Ant Davis (34:13.518)
What was the password Luke?
Luke (34:15.278)
you would be surprised. 1, 2, 3, 4, 5, 6.
Ant Davis (34:19.95)
And this was externally available, was it?
Luke (34:24.876)
Yeah, so basically McDonald's seems to be using like an AI platform where you talk to an AI bot, it goes through all the recruitment process. And yeah, basically it says how, I think...
Vendor Paradox AI created this thing, and basically there was an admin login, I believe. So some security researchers, Ian Carroll and Sam Curry, got access to it within 30 minutes and yeah, had full access to the platform to see all these applicants and their personal data.
Luke (35:11.982)
And it says here how Paradox, the company behind it, the platform, claimed that the admin account was dormant since 2019 and there was no evidence of malicious access and confirmed it wasn't. It says that the vulnerability wasn't discovered until the researchers disclosed it.
But yeah, it's fixed on June 30th. Obviously all these people's data is now potentially out there. I don't know if... It says obviously they don't suspect any malicious access, but who knows? We have a password that weak.
Ant Davis (35:41.432)
Yeah.
Ant Davis (35:50.552)
Yeah, it just shouldn't, shouldn't be allowed. It's... Yeah, I'm just looking at Paradox AI now and I can't see loads. Obviously they're an official product and stuff, but I was just looking, and one of the early videos, one of the top videos that comes up, is only from three months ago. And it's the future. It's a, it's
Luke (35:54.222)
Yeah.
Ant Davis (36:19.116)
provided by Workday, which obviously lots of companies use, it's an HR platform. Adam Godson, CEO of Paradox, discusses how their conversational AI solutions enhance Workday's capabilities. But when you do search for Paradox AI, there's quite a few news stories that come up now about how it's exposed 64 million applicants' details. There's probably some damage limitation. The PR machine needs to get into action.
Luke (36:38.83)
you
Luke (36:44.696)
new.
Ant Davis (36:49.528)
talk about the good things about Paradox rather than their 64 million records that have been leaked.
Luke (36:54.478)
Yeah, so a lot of personal information. So I guess anybody that's applied or works for McDonald's, you probably want to be careful. You might receive a lot more phishing and fraud attempts.
Ant Davis (37:08.47)
I think so. I think so. Yeah. Right. That is this week's news. So let's move on with some awareness awareness. Okay. I want to highlight a LinkedIn post this week. So I've got a couple of LinkedIn posts this week, but one I'll save for a little bit later on. This first post I want to highlight is from Dan Hindley, and Dan is
the Senior Director of Enterprise and Strategic UK and I at KnowBe4. Dan's at KnowBe4. And I saw Dan shared this earlier and I thought this actually sounds quite good. Is your human risk management program truly making an impact? Many organizations think they're addressing human risk, but how can you be sure your approach is delivering measurable change? KnowBe4's latest blog explores this exact challenge.
and offers a practical solution, a free HRM program maturity assessment. Helps you understand where your current programs stand, identify gaps and opportunities for improvement, and benchmark your efforts against industry best practice. So it says human risk is dynamic, your security awareness strategy should be too. Take 10 minutes to discover where you are on your journey and how to move forward with real confidence. So look, this is a free.
human risk management assessment. And it is free, it's truly free. I did reach out to Dan to get some more details. And you basically do this, take a little bit of time, and then you get a report on where your maturity is. It's a five minute assessment. So it asks questions and evaluates your organization across 40 culture maturity indicators, across 10.
dimensions. It then links you to a security culture model that they've created at KnowBe4 several years ago and have continued to adapt. And then this gives you a view on where your organization sits and where they can take it from a maturity aspect. And then you can build out that strategy. So it's really, really cool. It looks really, really cool and it's free, right? So you can try this, whether you're a one man band, team of 10, have no one doing security awareness, you can do it.
Ant Davis (39:30.326)
So I've got a couple of screenshots. Let me just get them up. And these are taken like a complete random, okay? So these aren't indicative of any company I work for or represent. These are just plucked with some random answers.
Ant Davis (39:51.318)
screen sharing, aren't you working?
So this looks similar to the SANS maturity model which I have here on the back of my microphone. It's always there on the back of my microphone, on the back of my challenge coin. But this is a little different. This is KnowBe4's. And this here, the results I've got, charts it against the likelihood of a breach. So obviously the further up the scale, the further, higher up the maturity curve you are, the lower down the breach, likelihood of breach curve you are. So this has put me at a level two,
just randomly plucking some stuff. And if I share this with you, you can see here, it shows me the areas where my performance is quite good. So you can see leadership and strategy, awareness and behaviors, policies and procedures. So look, I'll get some more information, but if you are, if you work in a cyber function and you wanna know how well your security awareness is doing, you wanna find some blind spots,
or find out how mature your awareness campaign is. Have a look at the KnowBe4 thing. We'll put a link in the show notes. We'll put a link in the newsletter as well, riskycreative.com, to sign up for that. And you can do this, it's free. You may or may not get a sales call from KnowBe4 afterwards just asking what your experience was like. You can tell them to go away if you want, or you can have a chat with them to highlight the risks that they've highlighted. But it's free, you know, it's nice that people do free stuff.
It might help, so don't sniff at it.
Luke (41:29.452)
Yeah, sounds cool. Yeah, really good for, like I said, people that run a program and want to understand where they are at and benchmark it. It's really useful.
Ant Davis (41:38.946)
Yeah, it gives you a full report as well and it gives you action plans. So like you do this and then it will give you recommendations of how to move the needle and key tasks to go from like a level two to a level three. So it actually gives you some decent advice on how to mature up your awareness function, your awareness campaign and strategy. So really, really good. And KnowBe4, you know, everyone's got their favorite vendor.
KnowBe4, a lot of people use KnowBe4, they've been around a long time, they're right up there, you know, industry leaders, so it's worth having a look.
Ant Davis (42:17.505)
I had one more thing for awareness awareness this week and this was a post I saw on LinkedIn from Samantha Fletcher. Now Samantha Fletcher is Senior Internal Communications Manager at Sainsbury's. We used to work with Samantha, she used to work with us at Cardo when we were there. She's now at Sainsbury's and she posted on LinkedIn that there's a newly released
IC Index, which is the internal communications index report. And she says on LinkedIn that the one thing that this report has made clear is that internal communication needs to feel more human. And this is, if you're working in a security awareness function, trying to get people to care, internal communications is very much what we do, just a niche little section of it. And this is really interesting. 13% of employers rate their internal comms 10 out of 10.
13%, only 13%. Just 51% of colleagues feel leaders understand their day-to-day challenges. And this one, this one's right up our street. Only 41% say their employer has explained how AI is being used responsibly.
But it does say when communication feels authentic, especially from senior leaders, it boosts clarity, trust, and belief in the direction of the business. So I actually have a clip of the report here. And you can see clarity on AI makes employees more comfortable. 70% of employees who say their organization has been clear about responsible AI use would be comfortable with it being used for communications.
Many large organisations struggle to close the loop on feedback, so they don't show how feedback has been used, and that's a really important one for a security function as well. Again, we'll put a link to the report in the show notes, so if you wanna have a look at it. The report is free. You don't even need to sell your soul and give an email address away to get that report. It's just free with the click of a button, so you don't have to give stuff up, which is nice, which is nice.
Luke (44:31.938)
guys.
Ant Davis (44:36.618)
Right, moving on, you've got a couple of topics for us this week.
Luke (44:41.294)
Yeah, the first one I saw was a video on TikTok. Yeah, if you could, good. So I think we've seen this guy before. I think actually a few episodes ago we mentioned how he'd been using the deep fake promoting a product on TikTok, and I think you've mentioned other people that have been in a similar
Ant Davis (44:48.846)
I'm gonna share that.
Luke (45:08.268)
thing where their image has been used to promote.
a project that they haven't endorsed basically but yeah we can play the video and discuss it
Ant Davis (45:20.82)
So it was quite a while ago actually, a few weeks ago we showed a video he made where he was, yeah, his deep fake likeness was being used to sell something that wasn't actually him on TikTok.
Ant Davis (46:32.546)
He's not wrong.
Luke (46:33.806)
Yeah, it's quite a... Yeah, exactly. quite a stark true story there of how these things are just gonna be more more common, especially for creators and people out there. And yeah, like I said, this shows how this technology is advancing so quickly and the laws behind it can't keep up.
Ant Davis (46:35.822)
This is where the technology's moved faster than the law, hasn't it?
Ant Davis (47:01.164)
I do think there is a responsibility on the platforms, or there should be more of a responsibility on the platforms to take this stuff down. If I can prove my identity, use it, like if I can prove my identity online to renew a passport or a driver's license, then I should be able to prove my identity through similar channels to a social network to say, I am Ant Davis, that is not me, take that down. And then they should be able to look.
Luke (47:07.373)
Yeah.
Luke (47:20.462)
Hmm.
Ant Davis (47:27.982)
They should be able to, they can even run some facial recognition on that video to say like, that's a 93% likeness of me, but he's saying it's not him, let's take it down.
Luke (47:31.672)
Mm.
Luke (47:37.186)
Yeah, it makes you wonder why they aren't doing as much as they probably could be.
Ant Davis (47:45.57)
No, do better, do better. As we say. Yes, TikTok were really good last week when I got two strikes for talking about stuff and then I challenged them because obviously they'd picked up on me talking about scams. And they'd obviously thought I was telling people to scam them. But then when I appealed them, they let me off, which was cool. But no one on Meta's ever flagged me for talking about anything wrong. So not yet.
Luke (47:47.982)
Yeah.
Luke (48:15.554)
No.
Ant Davis (48:17.363)
While we're on the topic of TikTok, just a quick one, I haven't told you this. Our TikTok videos have now had over 1.1 million views collectively. Yeah. We've only been posting on there for like two months, three months, but over 1.1 million. And I think it's about the same on Instagram as well. So near enough, the population of Latvia has watched us on Instagram and TikTok, which is quite cool. Yeah. Yeah.
Luke (48:26.637)
well.
Luke (48:41.845)
Hmm. Yeah, similar kind of message, I guess, as with the AI story earlier, of how you can't really always trust what you see on social media. Like we've mentioned before with all these fake videos, you've got to be really careful about what you're watching and consuming and verifying is true.
Ant Davis (48:58.67)
Hmm.
Ant Davis (49:02.656)
It goes to the other extreme though. Like episode six or seven, like 30 plus episodes ago, I shared a video of like Jamie Oliver and Taylor Swift singing and dancing. And I thought that was a deep fake because Taylor Swift was way too big to be dancing with Jamie Oliver, but it was 10 years old and it was actually real. Like Taylor Swift wasn't as big then, and it was real, but I automatically assumed because it didn't seem realistic that it was AI. So, yeah.
Luke (49:28.684)
Mm-hmm. Yeah, that is tricky.
Yeah, the next story I had was a similar thing to the IKEA gift card message that we sent in this last issue, last episode we spoke about that. And yeah, so this one is Apple Pay. Can you share the post? So yeah, it's...
Ant Davis (49:48.405)
yeah.
Yeah, that was last time. Yeah.
Ant Davis (49:59.662)
Yeah, yeah, of course I can. Do you want me to share the screenshot or the Reddit post? Let me share the screenshot, I've got that here. Here we go.
Luke (50:05.754)
The screen, yeah, screenshot's cool. But yeah, I mean, I'm not an Apple user, so I've not seen this before or experienced it, but basically this person said how they use Apple Pay all the time, sitting across from the person trying to send money to them, and they get this pop-up, which is obviously warning them of a possible scam. Can't...
Ant Davis (50:32.354)
So I'll just read this out for those listening and not actually watching. It's an Apple splash screen that's come up. Warning, possible scam. Big exclamation mark at the top. This transaction has characteristics of a common scam. Scammers use false urgency and fear to coerce people into sending them money. They might claim there's an emergency, a limited time offer, or a penalty if you don't act immediately. Do not send money to anyone you don't know and trust. Once you send this payment,
it cannot be reversed or refunded. And then it says acknowledge and continue or cancel. I've never seen this, but I've been an Apple user for years, flopped back onto Android a few times, but I've never seen this. But you said sending Apple Pay to someone like a friend, someone across, I didn't even know you could do that. Which is.
Luke (51:22.958)
Yeah, apparently that's what they've said they were trying to do. I mean, in their case, they can click the button. As you can see, it's grayed out, but it seems to be from the comments that they have the UI scaled up and they need to scroll down for it to trigger that they've read it. But yeah, basically, it says they were trying to send money to their friend for lunch and it popped up.
Ant Davis (51:36.994)
Right.
Okay.
Luke (51:51.147)
on the screen.
Ant Davis (51:51.438)
I mean, well done Apple for flagging that. It's a really good warning. I've not seen it before, but...
Luke (51:56.526)
Hmm. So it seems to be Apple Cash. Never heard of it. Maybe it's an American thing.
Ant Davis (52:04.558)
It's probably, I mean, the fact I've not seen it before is also a really good thing, because if these things are too noisy and come up too often, people just ignore them. So if this has a really tight use, if this, if the detected, you know, the alerts on this are really tightly tuned, that's a really good thing. Some of the wording on that, the word coerce, I'm not a fan of. Like, obviously the word I know, but it's quite
Luke (52:14.893)
Mm.
Luke (52:25.4)
Yes, it is.
Ant Davis (52:34.538)
I don't feel like this has been written by someone that works in engagement. It feels very legal, very technical.
Luke (52:39.758)
Yeah, yes, this seems to be an Apple Cash feature, which is not available in the UK. So that's why, yeah.
Ant Davis (52:50.183)
okay. But if you are listening elsewhere in the world, you may have seen this. That's why I haven't seen it then. But that's good.
Luke (52:57.998)
Yeah, I'm there'll be more of that, like we said.
Ant Davis (52:59.982)
So what are we? We 1-0 to Android last week, so now is it 1-1? Android, iPhone? We should keep a tally.
Luke (53:05.272)
Probably, possibly. Although it only gets like a quarter of a point for being American only. But there's probably some reasons for that.
Ant Davis (53:12.014)
That's probably the EU's fault, it's probably the government's fault. They probably haven't allowed, they probably wanted to see all the cash transactions.
Luke (53:22.894)
And yeah, that's my stories for this week. Let's move on to yours.
Ant Davis (53:26.284)
Cool. Okay. I had a couple. Yeah, I had a couple for this week. And the first one, I buy some shirts from a brand called Dixxon. D-I-X-X-O-N. They make flannel shirts in lots of lovely patterns. And their whole thing is that they do short term, you know, limited stock. All very new designs are released regularly and they're really good quality and they're lovely.
And I follow Dixxon on social media. Well, I was browsing Instagram yesterday and this came up on my, and I'll show you in a web browser, it looks a little bit different on the mobile phone, but I'll explain that in a second. So this came up on my,
This came up and there wasn't, so it's Dixxon 48 hour flash sale, shop all under $11. Now Dixxon shirts normally range from 30 pounds to 50 pounds, right? They're not cheap and they're limited run. You can never get one for $11. Now this video looks legit, okay? Dixxon I think is an American brand as well. The video looked legit. 48 hour flash sale, shop all under $11.
But the text on the 48 hour flash sale, on the shop all under $11, doesn't look right. It's also worth noticing that now there's a couple of comments on here that say such scam, scam, scam, scam. Yesterday those comments weren't there, and it says last chance, all items under $10.99, limited release products, every flannel is only made once, that's it. And the username is DXShop. And when you click and you go about this account,
Luke (54:54.69)
Mm-hmm.
Ant Davis (55:13.792)
It says DXShop971. To help keep our community authentic, we're showing you information about accounts on Instagram. Date joined June 20th.
So look, I woke up yesterday morning and saw this, so I sent a message over to Dixxon. I was like, hey guys, is this you? And Dixxon came back and went, no, this isn't us, it's a scam, we've reported it, please can you report it? So I've reported it, let's report it again. Let's spam, fraud or scam. It's a scam. Close. Now that'll still be there, because Meta don't get rid of them, they just leave them there forever. No surprise.
Luke (55:50.222)
Yeah, no surprise.
Ant Davis (55:54.168)
But what I did do, what's even more interesting about this, right? Let me just put this up here. Will that work? So this is what the video looked like. Let me just mute that. This is the video. This is what it looked like on Instagram, okay? So there was a call to action on Instagram to go to the shop.
And in a second this video will take us to the shop. I had to do a screen recording on this because I knew it'd probably die before we came to recording. So I went through and there's shop now, go to website. So I clicked on it and it takes me to a fake Dixxon shop, fake URL. The URL was registered within the last couple of weeks. dxnflannel.com. And this looks similar to the proper Dixxon site.
Luke (56:24.302)
you
Ant Davis (56:44.514)
These are all genuine photos from the proper Dixxon site. But you can see here, these shirts are like five dollars, five pounds, eight pounds. You cannot buy these for five pounds or eight pounds. They are normally 30 to 50 pounds because they're good quality. The other, there's so much information here, obviously like pulled straight off the Dixxon site. But the interesting thing, so a couple of interesting things, email service at amzendy.com.
The date's wrong, 23rd of May, so that's wrong. This is an American address, American zip code, American contact number, but it's selling it in pounds, which may be okay. But the email address is wrong. But when we come back and we look at some of the sizing on these, so I only found out after, and I'll show you now, but I can't, because the site's actually gone. The site's still there, but it's not got any Dixxon stuff on now. When you click on XL, it will say only 14 left in stock. And then you click on
large and then back to XL, it will then say 8 in stock, and then you go large and into XL, it will say 23 in stock. So it's completely pulling, that's like a real red flag, right? It's completely pulling the stock numbers at random. But this is just another example of it's too good to be true. If you know Dixxon products, you know this isn't true, okay? But the amount of effort they've gone to for what is essentially a niche brand, like Dixxon aren't...
They're well known with me, but they have a niche audience. They're not like a Nike or an Adidas. And they would have put such effort in to try and build this scam, and they wouldn't build it if it didn't work. These things make money or they wouldn't put the effort in.
Luke (58:16.6)
Yeah.
Luke (58:29.58)
Yeah, I mean these days you can probably just ask an AI platform to rip this and build it for you in seconds.
Ant Davis (58:39.406)
I thought you were going to say to check it's authentic then, but no, I get that you could probably just build it in AI in seconds, vibe coding or whatever it is, they could like knock this up in no time. I hate to say it, but don't buy anything from Instagram. We had a conversation before, I remember you asked me what I thought about, it was from the film Mickey 13, wasn't it?
Luke (58:47.02)
Hmm.
Luke (59:04.0)
Yeah, Mickey 17, the little plushie. Yeah, like, I see a product that you, I guess at the time you couldn't get so easily, and then they were everywhere on all these fake websites, all these different domains and different Chinese sellers and AliExpress and stuff.
Ant Davis (59:06.476)
Mickey 17, sorry. Yeah.
Ant Davis (59:24.206)
Scammers will abuse the algorithm because they can target you. They know I like this brand. So therefore they can jump on that, target me specifically, knowing that I'm a warm lead. And then I see a 48 hour flash sale. I'm a little naive and really want the shirt. And like, oh, and these are, they're not cheap. I have to like do it. You know, I get them for like birthdays and Christmas and special occasions. It's like, oh, you know, it's a treat.
So getting them for eight pound, if they were really eight pound, I'd probably have bought 10. But because they're not, I didn't buy any, I contacted the brand, they confirmed it's a scam. If in doubt, go to the actual website, go to Google and search for the proper website. Don't click the Google Ads, avoid, avoid, avoid, okay.
Luke (59:57.71)
Hehehe.
Luke (01:00:11.64)
Hmm. Yeah.
Ant Davis (01:00:14.37)
Yeah. One more I wanted to show you this week. And this is another, like this week is niche scam week. Okay. This just goes to show you that no one is too niche or too small. No offense to the person I'm about to tell you about, but no, you know, this can happen to anyone. Okay. So Victor Serban is a top rated PPC, pay-per-click consultant. Okay. I met Victor on a training course
back in March, Victor's an amazing guy, really down to earth. So he does all your Google Ads for you if you're trying to do well on Google Ads. If you want a Google Ad campaign manager, talk to Victor. Victor reached out to me just today or yesterday to say that he almost got scammed. And well done for Victor for saying, for like owning it and saying, yes, you can talk about me, you can. But Victor caught it just before it was too late. Okay? So.
What had happened was a potential prospect had reached out to Victor and they agreed for him to review their pay-per-click account. So he has to share access to the person that contacted him. Let me show you the contact email because Victor shared this with me. So this came through a normal contact form that Victor would receive queries from.
Luke (01:01:30.67)
you
Ant Davis (01:01:41.378)
Jordan Morby, jordan at Harworth Group PLC. There's a phone number and then there's a website URL. Hi, I'm Jordan, head of marketing at Harworth Group, a regeneration company delivering sustainable residential and mixed use developments across North and Midlands. We're looking for a Google Ads partner to help us scale lead generation and improve campaign performance as we expand. If this aligns with your expertise, feel free to reach out. Here's my email address. I'll be glad to connect. Best, Jordan.
Now, Victor reached out and Jordan in air quotes sent Victor a request to, sent him a link to access his Google Ads account. And if I pull this up on the screen just now, Victor sent me this, okay, so this is what a Google Ads account invitation looks like. And we can see it says,
Google Ads, it's come from ads-account.noreplyatgoogle.com. Accept your invitation to access a Google Ads account, and then it shows you there with account name, customer ID, access. Well, we should obscure some of these numbers in post-production. Sorry, we can do that though, yeah? Okay. So that's what it should look like, but then the one Victor received looks almost identical, right?
Email address, accept your invitation to access Google Ads account. Name at harworthgroup.com has invited you to access Google Ads account. Google Ads account name, ID, accept invitation. Can you spot what's wrong with this one? I mean, Victor's put a nice red arrow pointing at it for us. This has come from a Gmail account or even a Google Mail account. Googlemail.com, it hasn't come from Google.com.
Luke (01:03:24.042)
Yeah, the nice red arrow pointing at the lovely Gmail account.
Ant Davis (01:03:37.4)
So they've been clever enough to keep the Google in there. Note that, okay? Because you can, you can use Google Mail as well as Gmail. So they've kept the Google in there, which shows some thought. No Reply Ads Managers at GoogleMail.com. So, what happened? Well, essentially, Victor didn't check, looked at it, all felt normal. So, he clicked on it.
Luke (01:03:39.796)
Mm. Yeah.
Ant Davis (01:04:07.422)
The email landed in spam first of all. When he clicked accept it came up with a warning screen saying that something was off. So I think that's where, like, Chrome warns you this site may be harmful. And then it asked for a password, which Victor put in, Victor's owned that. And then it asked for 2FA, and that came up as suspicious because he got a notification that someone was trying to sign in from a Windows device.
Victor was doing this on his phone.
And he was like, I'm not on a Windows device. Ding, ding, ding, ding, red alert, red alert. And that's when Victor backed out and realized what he'd done, changed his password immediately. 2FA, multi-factor authentication, saved Victor's bacon, right? If you haven't got MFA configured on your account, this is a reason why you do it right here. Victor's done really well to spot this, even better to own it, okay? So he's changed his password and he's like, look, I'm hoping for the best.
Luke (01:04:55.746)
Yeah.
Ant Davis (01:05:10.286)
And I've said, you've changed your password, MFA's protected you. Was your password unique to that account? Yes. Then you should be okay. Just be on the lookout for further scams landing because they now think you might be a bit susceptible. So just keep an eye out for any future scams that are coming your way. It just goes to show, they'll try anything. And if we go back to that original email, there was one red flag here on the original email. Let me just throw that up.
Ant Davis (01:05:42.456)
So the red flag on the original email was, and I need to actually give a bit of a disclaimer on this as well, you can see the email address and the website URL are actually different. So the email address is jordan at harworthgroupplc.com, but the website URL is just harworthgroup.com. So they're different. Harworthgroupplc.com was only registered
Luke (01:06:04.845)
Mm.
Ant Davis (01:06:12.472)
very, very recently. HarworthGroup.com is a legitimate business that probably hasn't reached out to Victor wanting his services, unfortunately for Victor. But someone spoofing some random company they've found, bought a domain that's very, very similar. And Harworth Group PLC was only registered three days ago. So it's, you know, these quickly
Luke (01:06:19.618)
Yeah.
Luke (01:06:39.886)
Yeah.
Ant Davis (01:06:41.804)
jump on it. I don't know how many pay-per-click consultants may have received this. This could have literally gone out to hundreds of people like Victor. And I don't know how many people, because the worst thing is, right... my god, I've just connected the dots. Sydney Zoo.
Luke (01:06:51.489)
Yeah.
Luke (01:06:59.16)
Right.
Ant Davis (01:07:00.844)
Remember Sydney Zoo, the pay-per-click for the fake Google Ads? Google Ads, top result on Google for Google Ads was a fake Google Ads account that we spoke about many episodes ago and that was actually posted by the Ads Manager account for Sydney Zoo. This may be the way they get into those accounts because Victor would have access to the Ads Manager account for all of his customers. So they compromise someone like Victor
Luke (01:07:10.638)
Yeah.
Luke (01:07:22.069)
Okay,
Ant Davis (01:07:30.146)
They get access to pay-per-click accounts and Google Ads accounts for tens, hundreds, thousands of customers. They change the passwords on those, give themselves access as admin, you know, like... So people like Victor, if you work in pay-per-click or you're someone similar to Victor, you are a massive target potentially. You don't realise it. I didn't realise it. Until I've joined all the dots just now. It's mad.
Luke (01:07:37.602)
Yeah, that's...
Luke (01:07:55.598)
Yeah, the other thing is how he said that he was on his phone at the time, and I guess most phone email clients don't display the sender email address by default, so you'd have just seen it came from Google Ads.
Ant Davis (01:08:15.234)
Yep. That's also... Gmail doesn't, does it? If you're in the Gmail app, I don't think it shows the full address. Let me check that right now. No. So.
Luke (01:08:26.402)
For the setting, you can change it maybe.
Ant Davis (01:08:30.17)
Have I got an email? I've been getting emails from Google, hang on. Because I need to upgrade our storage, or our price has gone up for our Google thing, for our Google thing. Let me just look at that. I had an email from Google the other day. Google Workspace team. Look, I don't know, you won't be able to see that on the camera. But the email, literally, on the Gmail app on iPhone, it just says the Google Workspace. It just shows the display name, not the full address unless you click on it. So.
Luke (01:08:56.397)
Yeah.
Ant Davis (01:08:59.094)
Nice one Google. Again though, let's just go back to my old complaint.
Luke (01:09:00.654)
Thank
Ant Davis (01:09:06.766)
Google ad that I suppose it did land in spam. Maybe there needs to be more of
The fact that they've let something that is a complete copy of one of their Google Ads managers pages land in their inbox. I don't know.
Luke (01:09:24.59)
No.
Ant Davis (01:09:26.88)
Yeah, look, no disrespect to Harworth Group. You've got nothing to do with this. You guys are completely innocent in this, I would imagine. I could register riskycreativeplc.com and it's nothing to do with, well it is because it's me, but you know what I mean? Anyone can register a domain very close to another domain. Unfortunately, that's just the nature of it. So if you're listening to this and you're from Harworth Group,
Luke (01:09:50.914)
Yeah.
Ant Davis (01:09:56.098)
We throw no blame at you, you've done nothing wrong. You're probably a lovely company to work for and wish you all the best for the future. On their website they've got images of like big chimney stacks blowing down and stuff, it's amazing. So yeah, nothing to do with them. Someone's just plucked them at random and is using and abusing their brand and name and reputation. So don't go blaming them. Blame the people that are imitating them.
Luke (01:10:10.126)
you
Luke (01:10:19.342)
Yeah.
Ant Davis (01:10:25.346)
And well done Victor. We beat stuff like this by talking about it and by owning it. Victor's done an amazing thing. I asked him, I was like, are you happy for me to mention you? Let me just check he did say yes. I'm pretty sure Victor said yes. If not, we're editing all of this out.
Ant Davis (01:10:48.93)
Yeah, he said, the more you know the better, the more people that know the better, you can use my name. So that's amazing. Everybody needs to not hide behind this. Go out there and if you make a mistake or you nearly make a mistake, tell people, talk about it, use it as an educational point, learn from it. It's amazing. Well done, Victor, for owning it. And if you've had any close calls or near mistakes or near misses or you've fallen for it, talk to us either in confidence or...
You know, we can talk about it on here and stop other people making mistakes. Please do. Cool.
Luke (01:11:21.166)
you
Yeah, and wherever it's turned on, MFA.
Ant Davis (01:11:27.016)
MFA everywhere. MFA everywhere. If you don't...
Luke (01:11:29.422)
Um, or move to... I guess if you can,
Ant Davis (01:11:33.326)
keys. MFA, passkeys everywhere. Yes. Right, that's all we've got time for. It's always around an hour and 10 minutes. I don't know, we don't plan it that way. It's just organic. Every week it's about the same. We always say, oh, we'll make it shorter, but it always ends up about an hour and 10. So there we go. Thursday, coming this Thursday, listen to my conversation with Laurie. It's amazing. She's brilliant. Marketing, cyber.
Luke (01:11:36.408)
Yeah.
Luke (01:11:45.336)
Bye!
Ant Davis (01:12:00.974)
It's a slightly different angle to what we spoke about with Sarah a few weeks ago. So jump on that, it's gonna be a good one. And we'll see you back here next week for more of the same. If you see a story, reach out, hello at riskycreative.com.
Luke (01:12:17.955)
Awesome.
Ant Davis (01:12:19.682)
Just before we go, let me just say one more thing. I nearly let you go then, but let me just say one more thing as we're at the end and if you're still here. You know what? Dan has just shared with me some more screenshots for the human risk stuff. But we're gonna, I'm gonna, let me just have a look here actually. Look at this, I've got the action plan. I'll just share this really quickly. So many screenshots this week, Luke. I am sorry. Luke does all of this in post and it's a right headache for him.
Luke (01:12:23.969)
you
Ant Davis (01:12:49.708)
Look, here's an action plan from the KnowBe4 program maturity assessment. And you can see here, you are here, so it shows you where you are. You're at level two. And then your action plan on how to get from level two to level three. And this is so accessible. This is like board report quality. This is awesome. Gives you some key tasks. So it gives you the key tasks to follow, action plan, deploy PhishER. PhishER's pretty cool. I used to use it. I don't
anymore because where I am doesn't use KnowBe4, but that's pretty cool. Email protection, security awareness training, business impact, and it shows you the business impact you can have. If you work in a security awareness role this is a really, really good way to try and push some more, get some more budget your way and to really leverage what you're doing. Yeah.
Have a look at that KnowBe4 Self-Assessment. We will put it in the show notes. Riskycreative.com for all the newsletter stuff. Thank you for listening everywhere where you listen in the world. We are at the moment trending in Latvia, South Africa. We're number four in Tech News, number five in Latvia, number 14 in Ireland. We've been bobbing around, number 19, top 20 in the UK for Tech News. We're in Canada, Lithuania, yeah.
Wherever you are in the world, thank you for listening. We really appreciate it.
Luke (01:14:18.562)
Yeah, thanks everyone.
Ant Davis (01:14:21.954)
See you next week.
Luke (01:14:23.362)
Next week. See you.