Is the UK Online Safety Act Flawed?

This week on The Awareness Angle, we discuss the knock-on effects of the UK’s Online Safety Act, from free VPNs topping the app charts, to Sims characters and AI face-swapping being used to fool age checks. It’s a fascinating look at what happens when compliance meets real-world behaviour.

We also talk about a viral Reddit post where a new starter is facing the sack after failing phishing simulations that were so aggressive, they blurred the line between awareness and sabotage. And we run through four major breaches, Allianz Life, NASCAR, Orange France, and the city of St. Paul, all showing different shades of third-party risk and response failure.

Also: QR code suspicion, awareness tools with no sales pitch, intimate tech privacy leaks, and Ant’s ongoing confusion over his new bin schedule.

Plus, a quick plug, Ant will be heading to Chicago for the SANS Security Awareness Summit. If you're there or joining online, keep an eye out for the LinkedIn Lives.

New Website Now Live!

This week saw us launch our new website. It's now easier than ever to view past episodes. You can also now sign up to become a member and buy Awareness Angle merchandise. We've got new items coming to the store in the coming weeks, so keep your eyes peeled. Check out the site at riskycreative.com

🎧 Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube

Podcast · Risky Creative

Magic, Mindset, and Metrics - Harley Sugarman on Rethinking Training

🎙️ Out Now On The Awareness Angle Interviews!

Security awareness is often full of smoke and mirrors, and not always in a good way.

In this episode, Ant chats with Harley Sugarman, founder of Anagram Security, about why traditional training falls flat, how bad metrics lead us astray, and what it really takes to change behaviour. They get into mindset shifts, nudge fatigue, and why calling people “risks” might be the worst move of all.

People’s journeys into security awareness are rarely straightforward, and Harley’s has a twist that makes his whole approach make sense (you’ll see what we mean).

If you want awareness that sticks (and maybe even amazes), don’t miss this one.

🎧 This episode is available at https://riskycreative.com/supporters/video_embeds/146832, and wherever you get your podcasts and on YouTube.

Previous Episodes -

To catch our previous episodes of The Awareness Angle Interviews - visit https://riskycreative.com/supporters/videos

If you’ve got a story to tell, a lesson to share, or a perspective you think more people should hear, get in touch. We’d love to hear from you. Email us at hello@riskycreative.com

VPN Chaos as UK Age Checks Go Live

Watch the discussion - https://youtu.be/J3qw0NvSTgc?t=188

The UK’s Online Safety Act is now in force, requiring age verification for access to adult content. Predictably, VPN downloads have skyrocketed, with free apps topping the App Store charts. But experts warn these apps often come with serious risks, from shady data practices to outright malware.

The new law has triggered a wave of workarounds, from VPN use to AI-generated facial spoofing. Meanwhile, platforms like Spotify are threatening to delete accounts that fail to verify, and YouTube is testing AI that estimates your age based on your watch history.

∠The Awareness Angle

• Free VPNs Are Risk Magnets – Popular free VPNs are often insecure, ad-supported, or even malicious. And now they’re being used by kids.

• Tech Controls Are Being Bypassed – AI facial spoofing, game characters, and loophole-sharing on social media show how quickly people find ways around policy.

• Compliance ≠ Safety – Platforms risk promoting tools that undermine the very rules they’re trying to follow. Time to focus on real outcomes, not just box-ticking.

Phishing Fail? You're Fired.

Watch the discussion - https://youtu.be/J3qw0NvSTgc?t=3308

A Reddit user shared their experience of joining a new company, only to be told months later that they were one phishing fail away from being terminated. They’d already failed five, but the real issue? The tests were borderline unfair. They used real branding, copied genuine internal emails (like PTO requests), and were sent from legitimate-looking addresses. One arrived on their first day. No warnings until failure number four. No support. No clarity. Just a countdown to being fired.

The user was new to MS Outlook and had never even worked in a company that ran phishing simulations before. They were flagging genuine threats and excelling in their role otherwise, but that didn’t matter. They now live in fear of their inbox.

Read more - https://www.reddit.com/r/cybersecurity/comments/1mbwp26/are_my_companys_phishing_tests_in_bad_faith_or_am/

∠The Awareness Angle

• Is This Really What “Awareness” Looks Like? – If your phishing tests are causing fear, silence, or people gaming the system just to avoid punishment, your programme has failed, no matter what your dashboard says.

• Simulations Should Teach, Not Trap – First-day tests? Mimicking HR processes with no prior context? That’s not training. That’s entrapment. Especially for new joiners who don’t yet know what “normal” looks like.

• You're Measuring Fear, Not Resilience – You can scare people into compliance, but it doesn’t build better behaviour. It builds resentment, disengagement, and a toxic relationship with security.

Ant's Take -

I'm not a fan of phishing simulations, but they have their place. I feel that while phishing simulations aren't the enemy, badly designed ones are. The goal isn’t to "catch people out." It’s to help them catch themselves before clicking next time.

As I said in this episode:

"Phishing simulations should support people — not entrap them."
"If your first experience at a company is being tricked by a phishing test on day one, something’s gone wrong."

We’re supposed to be building confidence and culture, not testing whether someone can read minds under pressure.

And it’s not just me. Simon Sinek is often quoted as saying, “A culture is strong when people work with each other, for each other.” I also hear Maxime Cartier from Hoxhunt speak often about the importance of psychological safety, and how fear-based training undermines it.

Fear doesn’t create better behaviour. It creates silence. It isolates people. And it makes security feel like a trap, not a support system.

If your programme relies on shame, secrecy, or silence, are you really managing risk, or are you creating it?

Four Breaches, One Theme?

Watch the discussion - https://youtu.be/J3qw0NvSTgc?t=1626

It’s been a rough week for security teams. Allianz Life, the city of St. Paul, NASCAR, and Orange France were all hit by serious breaches, exposing everything from Social Security numbers to city infrastructure.

• Allianz Life lost personal and financial data of most US customers. The entry point? A third-party CRM tool.

• St. Paul, Minnesota was hit so hard by ransomware, the National Guard had to step in to restore city operations.

• NASCAR was extorted for $4 million after attackers accessed contracts, ID documents, and health data via a third-party vendor.

• Orange France confirmed attackers accessed customer contracts and ID info through an IT services provider.

∠The Awareness Angle

• Third-Party Risk Isn’t Abstract – Three of these breaches involved external systems or suppliers. If someone else has access to your data, their breach is your breach.

• It’s Not Just Data, It’s Disruption – From payroll freezes to city-wide outages, the impact is more than reputational. Real people and services were affected.

• Basic Access Still Gets Exploited – Weak passwords, slow detection, and social engineering continue to be the entry points. This is not advanced cyber-wizardry. It’s the same old doors left unlocked.

Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!

Awareness Awareness

🎤 SANS Security Awareness Summit – Ant’s Heading to Chicago

The SANS Security Awareness Summit is happening August 14–15, live in Chicago and online, and Ant will be there in person, learning, and livestreaming bits of it from the floor.

Expect a couple of LinkedIn Lives, some behind-the-scenes moments, and maybe a few chats with awareness pros as they come out of sessions. If you’re joining online, definitely hop into the SANS Slack, the conversation there is always lively.

This summit is one of the best for anyone working on the human side of security. It’s all about behaviour, culture, and communication, not just policy and platforms.

🔗 Check out the Summit

SebDB 4.0 is live
Oz Alashe announced the latest CybSafe update to their Security Behaviour Database, now aligned to MITRE, NIST, and more. It’s open-source, and free to use.
🔗 See the announcement

A Free Maturity Model That Doesn’t Sell You Stuff
Jason Hoenich’s new tool at humanrisk.com gives you a benchmark across strategy, engagement, assessment, and training. The best part is that there is no sales pitch attached (but you can reach out to Jason for guidance and support if you wish!)
🔗 Try it now

FYI - Jason has made a bunch of updates since we recorded this, so it will have only gotten better!

🧪 Fable Comes Out of Stealth
There’s a new human risk startup on the scene. Fable Security just launched publicly, with big investment and even bigger promises around "agentic AI" for behaviour change. Think bite-sized nudges, deepfake detection, and phishing defence, all delivered with a sleek interface and some very polished branding.

It’s early days, but the pitch is bold: smarter, scalable human risk intervention with less noise and more action. We’ll be keeping an eye on it to see how it stands out in a rapidly growing space.

🔗 Check out Fable

This Week's Discussion Points...

VPN Use Surges After UK Age Checks
Watch | Read

Labour Rules Out VPN Ban, Warns Households
Watch | Read

Loopholes Used to Bypass Online Safety Act
Watch | Read

Spotify Threatens to Delete Unverified Accounts
Watch | Read

YouTube Using AI to Guess Your Age
Watch | Read

Google AI Search Launches in UK
Watch | Read

Lovense App Flaw Leaks User Emails
Watch | Read

Microsoft Edge Adds ‘Copilot Mode’ AI Assistant
Watch | Read

Allianz Life Breach – Personal Data Stolen
Watch | Read

City of St. Paul Hit by Ransomware, National Guard Deployed
Watch | Read

NASCAR Data Breach – $4M Ransom Demanded
Watch | Read

Orange France Cyberattack via IT Supplier
Watch | Read

Reddit Story – Harsh Phishing Test Penalties
Watch | Read

Hertfordshire Bin Chaos
Watch | Read

TikTok Clip – Hidden Messages in Birdsong
Watch | Read

📬 Subscribe to the Newsletter

https://www.riskycreative.com

Bin Watch 2025

Watch - https://youtu.be/J3qw0NvSTgc?t=3647

Ant recently found himself navigating a new local bin system. Five bins. Three different collection cycles. Two separate letters from the council, each giving different instructions.

It’s a small thing, but it stuck with him, because it’s exactly what happens when security controls get too complex.

If people don’t know what’s expected, or the rules keep changing, they don’t follow the system, they work around it. Not out of laziness, but survival. They’re just trying not to get it wrong.

In awareness, we talk a lot about risk, but confusion is its own kind of risk. If your policies feel like bin day maths, don’t be surprised when people stop engaging with them.

Simplicity isn’t a shortcut. It’s the strategy.

∠The Awareness Angle

• Complexity Kills Compliance – When people can’t understand or remember the rules, they stop following them. Confusion creates risk, even if your policy is technically sound.

• Intent Doesn’t Equal Clarity – Just because you’ve communicated something doesn’t mean it landed. Conflicting instructions, like conflicting security messages, erode trust fast.

• Simplicity Builds Behaviour – Clear, consistent guidance makes it easier for people to do the right thing. If security is intuitive, people won’t need a calendar, chart, or cheat sheet to follow it.

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week — a breach, a tool, or just something a bit weird — let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Chicago, We’re Coming In Hot!

In two weeks, I’ll be heading to the SANS Security Awareness Summit in Chicago, and I’m bringing The Awareness Angle with me.

I’ll be doing two live streams from the event, plus recording a special episode of the podcast with Luke while I’m there. Expect real-time reactions, honest takes, and plenty of behind-the-scenes moments from one of the biggest events in the awareness calendar.

I’ll be catching up with some familiar faces in the awareness industry: founders, leaders and other pros, finding out their thoughts on the event and getting some great insights.

Streams are planned for Thursday 14th and Friday 15th. Keep an eye out for stream times and podcast drops. It’s going to be a good one.

See you stateside!

Ant

Magic, Mindset, and Metrics – Harley Sugarman from Anagram Security

When it comes to security awareness, most tools are solving the wrong problem. That’s the starting point for this conversation with Harley Sugarman, founder of Anagram Security – and from there, we go deep.

Harley’s background isn’t your typical cybersecurity CV. Before launching Anagram, he worked in engineering and security, often wondering why awareness was treated as an afterthought. Despite being labelled the biggest risk in most organisations, people rarely get the investment or attention they deserve. And training? Too often it’s just a compliance box ticked once a year.

In this episode, Harley talks about how that disconnect pushed him to start building something different. Something that treats behaviour change as a core goal – not a side effect. Anagram’s approach? Short, engaging content, interactive puzzles, and mindset shifts that help people think like attackers. The result is more than knowledge. It’s habit-building.

We dig into:

• Why phishing click rates can be gamed – and why they don’t tell the full story

• What makes a good “nudge” (and what just becomes noise)

• How AI could enable contextual, real-time awareness – if used right

• The real reason security awareness gets such a small slice of the budget

• And why vague compliance standards might actually be a hidden opportunity

One of the most interesting parts of the conversation is around metrics. We’ve all been asked to prove impact. But most of the metrics we rely on – completions, clicks, reports – are poor proxies for real behaviour. Harley argues that many CISOs already know who their riskiest users are. The challenge is moving from identification to actual change. And doing it in a way that feels human, not punishing.

There’s also a brilliant moment where Harley talks about how much of today’s awareness training would be considered totally unacceptable in a classroom. If we taught children the way we teach adults about cyber, there’d be protests. He’s not wrong.

Oh, and somewhere in the second half of the episode, there’s a small detail about Harley’s earlier career that explains a lot about how he sees behaviour, storytelling, and audience engagement. Let’s just say it involves a certain flair for the unexpected. You’ll spot it when it comes.

Whether you work in security awareness, lead a team, or are just trying to make your organisation care a bit more about human risk, this episode offers a refreshing take on what’s possible – and a reminder that we can do better than "click here to complete your annual training."

Listen now and start thinking about what your awareness programme could be if you reimagined it from the ground up.

You can find Harley at anagramsecurity.com or connect with him on LinkedIn.

Hackers Asked for a Password... and Got It?

Episode 43

This week’s cybersecurity stories aren’t about elite hackers or advanced tools. They’re about people making very human mistakes. A helpdesk that handed over access without checking. A single weak password that brought down a century-old company. A startup selling stolen data like it’s just another subscription service. And tech giants pushing privacy boundaries in the name of progress.

Let’s start with Clorox. They’ve filed a lawsuit after being breached by the Scattered Spider hacking group. The attackers didn’t use malware. They didn’t exploit a vulnerability. They just called the helpdesk and asked for a password reset. That was it. According to the court documents, the support agent said, “Let me provide a password to you,” and handed it over. The result was $380 million in damages. Product shelves sat empty, systems were disrupted, and everything ground to a halt. It’s a perfect example of how dangerous it can be when frontline teams aren’t supported with the right training or processes. Social engineering is alive and well, and it’s often as easy as picking up the phone.

Then there’s the story of KNP Logistics, a UK transport company that had been operating for over 150 years. It shut down after ransomware hit their systems. The attackers got in using a single weak employee password. Once inside, they encrypted everything and demanded a ransom the company couldn’t pay. Hundreds of jobs were lost. The director said he knows whose account was used but hasn’t told them. And honestly, what good would it do? The damage was already done. These aren’t hypothetical risks. This is what a single password can cost.

Meanwhile, a US startup called Farnsworth Intelligence is selling data stolen from infected machines. Through their site, anyone can pay fifty dollars to search through browser autofill data, login credentials, and saved passwords. It’s marketed as “open-source intelligence” for debt collectors and investigators, but there are no real checks. This isn’t public data. It’s the result of infostealer malware pulling private information straight from people’s devices. If your system has ever been compromised, your data could be in there. No dark web, no hidden forums. Just a clean, modern website and a checkout page.

On the tech front, Microsoft is pushing forward with Copilot Vision. It’s a new feature in Windows 11 that takes continuous screenshots of your screen and sends them to Microsoft servers for AI processing. It’s opt-in, they say. It’s not used for advertising, they say. But the idea of your screen being watched in real time doesn’t sit well with many users. Especially in a business setting, where sensitive information is always at risk. For anyone with a bring-your-own-device policy, this could quietly introduce a serious problem.

Old software is also in the spotlight. Microsoft’s older, on-premise versions of SharePoint are being actively targeted after a flawed patch left them vulnerable. The exploit had already been shown publicly, yet many organisations remained exposed. Some even applied the patch and still got hit. This is what happens when patching is treated as a checkbox instead of a process. Older systems are harder to manage and often get ignored, but that just makes them more attractive to attackers.

And while the future is meant to be passwordless, passkeys still aren’t delivering the seamless experience they promise. Users are running into vague error messages, mismatched devices, and confusing prompts. Recovery is a nightmare if you change or lose your device. Until companies like Google and Apple improve the user experience, passkeys will remain a source of frustration. And when people get locked out of their accounts, it’s the IT teams who have to clean up the mess.

Put all these stories together and you see the same pattern. The biggest risks aren’t coming from some shadowy cybercrime syndicate. They’re coming from poor password practices, rushed technology rollouts, and simple, preventable human errors. A phone call. A missed patch. A forgotten process. That’s all it takes. And if you work in cybersecurity, these stories should be more than headlines. They’re warnings.

US Startup Sells Stolen Data for $50
Watch | Read

Weak Password Sinks 158-Year-Old Company
Watch | Read

Clorox Hackers Got In Just by Asking
Watch | Read

Hackers Exploit Old SharePoint Patch
Watch | Read

Copilot Vision Watches Your Screen
Watch | Read

Passkeys Still a Mess for Users
Watch | Read

UK Age Verification Now Enforced
Watch | Read

AI Tool Deletes Company Database
Watch | Read

The Login Alliance Rant (ft. Lance Spitzner)
Watch | Read

Reddit is Running Malware Ads
Watch | Read

QR Code Link Switched to an Ad
Watch | Read

Scammer Uses Netstat Scam with ISP Ruse
Watch | Read

Voting Email from East Herts Council
Watch | (No external source)

Scout Leader’s Email Compromised
Watch | (No external source)

Luggage Tags Could Expose Your Info
Watch | Read

Jason Street Finds… Fake IDs
Watch | Read

Did Ring Get Hacked or Was It Just a Bug?
Watch | Read

                                                                                  Why Was an Elevator Held Hostage by Windows?

                                                                                  This episode is packed with privacy fails, phishing scams, and one very unfortunate elevator ride. We kick things off with Fitify, a fitness app that left over 370,000 files exposed online, including 138,000 user progress pics and body scans. These were stored in an unprotected Google Cloud bucket and were accessible to anyone with a link. Many of the images were uploaded for Fitify’s AI coach, often featuring users in minimal clothing. It’s a sharp reminder that encryption in transit isn’t the same as being safe at rest. Hardcoded secrets in code can open up serious risks. Users trusted the app with personal data, and it let them down.

                                                                                  Then we talked about WeTransfer’s AI terms-of-service drama. After a wave of backlash from creatives, the company clarified that it wouldn’t use files to train AI models, just to help moderate harmful content. It’s a lesson in clear language, user trust, and why reviewing the fine print still matters. CapCut and Dropbox have faced similar scrutiny. Everyone’s watching where their data might end up next.

                                                                                  From there we moved into national security. A breach by Salt Typhoon forced US military networks to assume they were fully compromised. The espionage group reportedly accessed conversations from senior officials and spent nearly a year inside the National Guard’s systems. If Zero Trust wasn’t on your radar before, it should be now.

                                                                                  Closer to home, Reddit rolled out age verification in the UK ahead of new Online Safety Act rules. Users now have to upload selfies or government ID to access adult content, verified by a third-party firm called Persona. While it’s meant to protect kids, it raises fresh questions around online anonymity, privacy trade-offs, and whether VPNs will simply sidestep it all.

                                                                                  Pet owners weren’t spared either. Thousands received fake microchip renewal emails, even though microchips don’t expire. The scam messages were personalised, using real chip numbers, breeds, and names. Some pet databases allow you to search details without any real rate-limiting or security checks, meaning attackers could scrape info in bulk. This one blends phishing, poor platform security, and good old-fashioned oversharing.

                                                                                  In India, police raided a tech support scam call centre after an 18-month joint investigation with the NCA, FBI, and Microsoft. The centre had duped UK victims out of hundreds of thousands of pounds by using fake virus pop-ups and impersonating Microsoft. These scams are global, evolving, and still preying on fear.

                                                                                  We also discussed the UK data breach that forced a secret Afghan relocation scheme. Nearly 19,000 people had their details leaked when a British official emailed a sensitive file to the wrong recipients. So far, over 4,500 have been relocated under a programme that was kept quiet until a High Court judge lifted the super injunction. It’s one of the most extreme examples of real-world harm from a simple mistake, and a wake-up call for better systems that don’t rely on human perfection.

                                                                                  Louis Vuitton confirmed that UK customer data had been stolen in a cyberattack. No financial info was taken, but names, emails, and purchase history were. That’s more than enough for phishing. With similar breaches in their Korean, Italian, and Swedish operations, this seems to be a coordinated campaign, likely tied to the ShinyHunters group behind the Ticketmaster and Santander breaches.

                                                                                  We wrapped up with a few wildcards. A lift stuck mid-ride because of a Windows update, and a reminder that some companies are putting critical infrastructure on connected touchscreens. Not ideal. And finally, Luke brought a phishing scam that used white-on-white text to trick Google Gemini into producing fake warnings. Simple trick, big risk. AI tools are powerful, but they still fall for very old-school tactics.

                                                                                  This week’s Awareness Awareness focused on new hire phishing stats from Keepnet. New starters are 44 percent more likely to fall for phishing attempts, especially in their first 90 days. If you don’t show people what normal looks like when they join, they’re left guessing, and that’s a risky game.

                                                                                  Fitify Leaks 138K Progress Photos
                                                                                  Watch | Read

                                                                                  WeTransfer AI Terms Backlash and Retraction
                                                                                  Watch | Read

                                                                                  US Military Told to Assume Network Compromise
                                                                                  Watch | Read

                                                                                  Reddit Introduces Age Verification in the UK
                                                                                  Watch | Read

                                                                                  Fake Pet Microchip Renewal Scams Target UK Owners
                                                                                  Watch | Read

                                                                                  Indian Police Raid Tech Support Scam Call Centre
                                                                                  Watch | Read

                                                                                  Secret Afghan Relocation Scheme After MoD Breach
                                                                                  Watch | Read

                                                                                  Louis Vuitton Customer Data Breach
                                                                                  Watch | Read

                                                                                  New Hires More Likely to Fall for Phishing (Keepnet Report)
                                                                                  Watch | Read

                                                                                  Experiences of Victims of Cybercrime (Shared by Listener Boris)
                                                                                  Watch | Read

                                                                                  Anti-Phishing Training Might Be Making Things Worse
                                                                                  Watch | Read

                                                                                  Windows Update Traps Someone in a Lift
                                                                                  Watch | Read

                                                                                  Google Gemini Phishing Risk Discovered (Luke’s Topic)
                                                                                  Watch | Read

                                                                                  Marketing Muscle Memory - Lori Steuart on Making Cyber Second Nature

                                                                                  Marketing Muscle Memory and Synth Repairs – Lori Steuart on Making Cybersecurity Second Nature

                                                                                  We talk a lot about communication in security awareness, but not often enough with the people who do it for a living. That’s why I sat down with Lori Steuart – a content marketer with deep experience in the cybersecurity world – to talk about what really cuts through, and how we can stop awareness from being a one-off and start making it stick.

                                                                                  Lori isn’t your typical guest. She’s not a security awareness pro or a CISO. But she is someone who knows how to build trust, explain complex ideas clearly, and change behaviour over time. And that makes this episode packed with takeaways for anyone trying to make security second nature.

                                                                                  We cover a lot. From storytelling and content strategy to synth repair and password managers – yes, really – this chat is about what it actually takes to help people care about cybersecurity.

                                                                                  One of the big themes? Repetition. Lori introduces the idea of “marketing muscle memory” – the process of making ideas stick by repeating them in ways that feel relevant, emotional, and human. She points out that most people aren’t “in market” for cybersecurity. They’re not walking around thinking, “How can I be more secure today?” So it’s our job to plant the seed long before something goes wrong.

                                                                                  We also talk about trust. In marketing, if you don’t build trust, you don’t sell anything. In cybersecurity, it’s the same. If people don’t trust your message – or your tone – they won’t engage with it. Lori shares how security content can fail when it sounds like it’s written by a robot, and how the best stuff is grounded in real stories and lived experience.

                                                                                  There’s a brilliant section where Lori talks about her synth repair business. It’s not just a side note – it’s a live example of someone building secure habits into a team from day one. Password managers weren’t optional. Backups were part of the setup. And the people around her? They took those habits home. It’s a clear reminder that the behaviours we drive at work don’t just protect the business – they can make people more secure in their own lives too.

                                                                                  We get into nudges, habits, and tone. We talk about the trap of awareness being too “campaign-y” – a splash once a year instead of something ambient that people just live with. And we explore the idea that most users don’t need more training. They need fewer blockers and more relevance. Sometimes, a silly joke lands better than a serious warning. Sometimes, being human is the most strategic move you can make.

                                                                                  There’s also insight into content creation itself – how to get better by sharing your drafts, involving others, and not being precious about feedback. If you’re the only awareness person in your org, this part will hit home. You don’t need a full team of editors – just someone who can tell you when your message isn’t landing.

                                                                                  Finally, we touch on AI. Not as a threat, but as a tool. Lori shares her concern about people outsourcing their thinking to generative AI – not because it’s evil, but because writing is how we learn what we really think. The message? Use AI to help, not to replace your brain.

                                                                                  This episode is full of ideas you can use straight away. Whether it’s adjusting your tone, testing a new message, or just thinking differently about your role – Lori brings a fresh perspective from outside the awareness bubble that will get you thinking.

                                                                                  And yes, she also explains why burnt resistors smell like fish.

                                                                                  If you’ve ever wondered how marketing might just be the secret weapon for behaviour change – or how a synth repair shop became a model for cybersecurity habits – this one’s for you.

                                                                                  You can connect with Lori on LinkedIn right here.

                                                                                  Would You Sell Your Password for $920?

                                                                                  From teenage hackers to phishing flannel sales: what this week in cyber taught us about trust

                                                                                  This week’s episode of The Awareness Angle is a big one. Not just because we hit Episode 40 and gave the podcast a fresh coat of paint (hello purple), but because the stories we’re covering say a lot about where cybersecurity is heading and where the human element still matters most.

                                                                                  We kick off with the news that Call of Duty: WWII had to be pulled from Game Pass after it was found to contain a serious remote code execution flaw. Just joining a multiplayer match was enough to let attackers run code on your machine, no download or interaction needed. The game was using outdated peer-to-peer networking, and this old vulnerability became a very real problem once it was re-released. It’s a solid reminder that putting something on a trusted platform doesn’t automatically make it safe.

                                                                                  Then there’s Dylan, the teenager who reported a critical vulnerability in Microsoft Teams and ended up changing Microsoft’s bug bounty rules. At just 13, he wasn’t even old enough to take part, but Microsoft made an exception and rewrote the programme to include researchers his age. He’s now 17, still reporting bugs, and has become a key figure in responsible disclosure. His story shows how powerful it can be when we encourage curiosity instead of shutting it down.

                                                                                  Meanwhile, researchers have discovered a new tactic called “prompt injection for praise” where academic papers hide instructions designed to manipulate AI models into generating flattering summaries. It's another example of how AI tools, while useful, can be tricked and influenced behind the scenes. We talk about why trust in automation can be risky and how this could impact anyone relying on AI to summarise or assess content.

                                                                                  In the UK, emergency alerts are back. The government is planning another full-scale test of its mobile alert system in September, with phones expected to blare a loud warning even if they’re set to silent. These alerts can be life-saving, but they can also cause real problems for people in vulnerable situations, especially those who rely on hidden phones. We chat about how comms like this need to be handled with care and why a simple test isn’t always simple for everyone.

                                                                                  Then we dive into the sharp rise in phishing attacks using .es domains. A 19x spike in malicious campaigns was uncovered, with most attacks spoofing Microsoft login pages. These aren’t basic scams either. They use CAPTCHA gates, polished lures, and infrastructure like Cloudflare to appear legitimate. It’s a reminder that even trusted tools and clean-looking domains can be used for harm.

                                                                                  In Brazil, a massive $140 million bank heist started with a $920 bribe. One insider gave up their credentials and followed hacker instructions passed through a Notion workspace. It’s a classic case of insider risk combined with social engineering, and it shows how attackers don’t always need malware when they’ve got people.

                                                                                  Monzo also found itself in the spotlight this week, with a £21 million fine for letting customers sign up using clearly fake addresses like 10 Downing Street and even their own HQ. It happened during a period of rapid growth between 2018 and 2022, and while the systems have since been improved, it’s a strong example of why basic checks like address validation still matter.

Then there’s the fake Dixxon flannel sale that nearly got Ant. A scam account on Instagram promoted a slick-looking website offering limited edition shirts at a massive discount. It used real branding, looked almost perfect, and even had stock numbers that changed depending on your clicks. But the site had only been registered weeks earlier and the whole thing was a complete fake. Dixxon confirmed it wasn’t them. It’s a brilliant example of how scams are evolving and how easy it is to get caught out when you’re in a rush and see a brand you trust.

                                                                                  Speaking of almost getting caught, we also cover Victor Serban’s near-miss with a phishing scam posing as a new client. Victor is a well-known PPC expert who was contacted by someone claiming to work for a legitimate company. Everything looked fine until the Google Ads invitation came from a suspicious email address. MFA saved the day, and Victor spotted the red flags just in time. We talk about how this kind of scam could be used to compromise entire ad networks and why it’s more targeted than most people realise.

                                                                                  Then there’s McDonald’s, who used an AI-powered chatbot for recruitment, only to find out it was still using the admin password “123456.” Researchers got in and uncovered a serious IDOR vulnerability that let them access applicant data at scale. The vendor has since patched the issue and launched a bug bounty programme, but it’s a clear reminder that AI platforms still need old-fashioned security controls.

                                                                                  We also talk about Apple’s new scam warnings in Apple Cash. They’re only live in the US at the moment, but they pop up when a transaction looks suspicious and warn users to be cautious. The alert is smart but a little clunky in language, and we wonder how well it’ll land in a high-pressure moment.

                                                                                  We close with a lovely story from MK Dons football club, who have released a new away kit in tribute to the Enigma codebreakers of Bletchley Park. The shirt design includes a repeating pattern based on the Enigma machine and it’s a beautiful way to connect modern football with local tech heritage. Cyber meets culture.

                                                                                  And in this week’s Awareness Awareness, we cover KnowBe4’s free human risk maturity assessment. It takes five minutes and gives you a full report with benchmarks, suggested improvements, and action plans to level up your awareness programme. We also highlight a new internal comms report from Samantha Fletcher at Sainsbury’s that shows just how much people want authentic communication and clarity from leadership. It’s packed with stats and insights that are highly relevant to anyone working in security awareness or employee engagement.

                                                                                  Finally, Ant shares a preview of the next Awareness Angle interview with Lori Steuart, a content marketing pro who has helped security brands communicate better. They talk about what security teams can learn from B2B marketing, how storytelling helps drive behaviour change, and why your messages don’t have to be boring to be effective. It’s a conversation you won’t want to miss.

                                                                                  If you’re into human risk, behavioural security, phishing scams, or just want to stay sharp on what’s happening in cyber, Episode 40 is a good one.

                                                                                  M&S and Co-op Cyber Arrests
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=199
                                                                                  Read – https://www.bbc.co.uk/news/articles/cwykgrv374eo

                                                                                  Call of Duty WWII Hacked via Game Pass
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=356
                                                                                  Read – https://www.notebookcheck.net/Call-of-Duty-WW2-players-are-being-hacked-by-RCE-exploit-after-shooter-debuts-on-Xbox-Game-Pass.1050816.0.html

                                                                                  13-Year-Old Hacks Teams, Changes Microsoft Policy
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=620
                                                                                  Read – https://interestingengineering.com/culture/teenager-rewrites-microsoft-bug-bounty-rules

                                                                                  Researchers Trick AI Into Praising Their Work
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=789
                                                                                  Read – https://80.lv/articles/researchers-hide-prompts-in-reports-to-make-ai-praise-their-papers

                                                                                  UK Emergency Alert System Test Coming
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=1057
                                                                                  Read – https://www.bbc.co.uk/news/articles/c4ge9xk8wj0o

                                                                                  Phishing Surge Using .es Domains
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=1212
                                                                                  Read – https://www.theregister.com/2025/07/05/spain_domains_phishing

                                                                                  $920 Bribe Leads to $140M Bank Heist in Brazil
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=1510
                                                                                  Read – https://www.bleepingcomputer.com/news/security/employee-gets-920-for-credentials-used-in-140-million-bank-heist

                                                                                  Monzo Fined for Fake Customer Addresses
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=1717
                                                                                  Read – https://www.bbc.co.uk/news/articles/cqjqgxzz8gjo

                                                                                  MK Dons Honour Bletchley Park in New Kit
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=1916
                                                                                  Read – https://www.bbc.co.uk/news/articles/cx23djxn89ro

                                                                                  McDonald’s AI Hiring Bot Leak
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=2005
                                                                                  Read – https://cybersecuritynews.com/mcdonalds-ai-hiring-bot-leaks

                                                                                  KnowBe4 Culture Assessment Tool
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=2228
                                                                                  Read – https://blog.knowbe4.com/is-your-human-risk-management-program-creating-measurable-change-find-out-with-our-free-program-maturity-assessment

                                                                                  Internal Comms Report from Sainsbury’s Samantha Fletcher
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=2537
                                                                                  Read – https://www.ioic.org.uk/resource-report/ic-index-2025.html

                                                                                  TikTok Deepfake Identity Warning
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=2681

                                                                                  Apple Pay Scam Warning Prompt
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=2940

                                                                                  Dixxon Flannel Instagram Scam
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=3190

                                                                                  Victor’s Google Ads Phishing Close Call
                                                                                  Watch – https://youtu.be/jG9o0q2eDdQ?t=3614
                                                                                  Read – https://victorserban.com/

                                                                                  How Many Lost Laptops Is Too Many?

                                                                                  Episode note - In this episode, we mention that 26,000 public sector devices were lost or stolen. That number isn’t accurate. The real figure is still shocking, with just over 2,000 devices in the past year, according to FOI-based reports. We caught the error before the episode went live, but since we recorded it, we’re calling it out here to keep things straight. Always better to be accurate.

                                                                                  This week’s episode of The Awareness Angle is a deep dive into the strange, risky, and often ridiculous world of cybersecurity – from QR code scams to phone network hacks, doxxing in a video game, and why Microsoft thinks black is the new blue.

                                                                                  We start with something that feels almost sci-fi: organised criminal gangs using fake cell towers, known as SMS blasters or Stingrays, to send malicious texts straight to your phone. These attacks don’t need your phone number or your network – they just broadcast to everything nearby. Google’s latest Android update, rolling out on newer Pixel devices, includes features that detect when you’ve connected to one of these rogue towers. iPhones, meanwhile, can’t even disable 2G, making them far more vulnerable. It’s a worrying gap in mobile security that most users don’t even realise exists.

                                                                                  From phones to cameras, the next story takes us to Canada, where the government has officially banned Chinese surveillance tech from Hikvision and Dahua. While the headlines focus on national security and state ownership, the deeper message is this: cybersecurity isn’t just about software. The physical devices we install – webcams, CCTV kits, smart monitors – all carry risks based on who made them and how they operate. This is especially relevant as Prime Day approaches and cheap tech floods the market. Saving a few pounds upfront can cost far more later if your footage ends up somewhere it shouldn’t.

Speaking of misplaced tech, a recent report revealed that thousands of UK public sector devices have been lost or stolen in the past two years. These aren’t just phones and laptops – they’re potentially loaded with confidential data from civil servants, government contractors, and national infrastructure teams. Worse still, many departments didn’t know if the lost devices were encrypted. It’s not about the cost of a laptop – it’s about the data, the access, and the delay in reporting that creates the real risk.

                                                                                  While organisations scramble to secure data, Cloudflare has launched a new defence on the content front. Their latest AI bot blocker quietly watches for suspicious behaviour and stops bots from scraping websites without permission. It’s a big moment for creators, writers, and businesses whose work has been silently consumed by AI tools without credit or consent. Protecting content isn’t just technical now – it’s ethical.

                                                                                  From global AI battles to one woman’s personal crime spree, another story this week was almost cinematic. A former electrical engineering student at Western Sydney University began by gaming the system for free parking. But her access grew – and with it, her ambition. She’s now facing 20 charges for unauthorised access, data theft, extortion, and more, having stolen over 100GB of student and staff data. The case is a harsh reminder that small misuse of access can escalate fast if left unchecked.

                                                                                  Scams using QR codes – known as quishing – have now cost victims in the UK over £3.5 million. These codes show up in emails, on fake parking signs, or stuck to public walls, often leading to malicious sites or malware downloads. The problem is, they’re easy to trust. That’s why IKEA’s new checkout warning is such a win – a simple, well-placed message that encourages people to stop and think before buying gift cards for strangers.

Insider threats were a recurring theme this week. One IT worker, suspended from a Huddersfield-based company, still had his privileged accounts and used them to wreak havoc across systems in the UK, Germany, and Bahrain before anyone revoked them. He was jailed, but the disruption cost the company around £200,000 in lost business. It’s a stark reminder that suspension has to mean immediate revocation of access, not just being sent home, especially for people with elevated privileges.

                                                                                  Even long-standing tech traditions aren’t safe this week. Microsoft has officially retired the iconic Blue Screen of Death, replacing it with a sleeker, less alarming black version. It’s a small design change, but it raises a big question: are we softening the signals that tell users something has gone very wrong? Familiar signs of failure – like that blue screen – carried urgency. The new one might look calmer, but will people still take it seriously?

                                                                                  One of the strangest stories came from Reddit, where a gamer was playing CSGO when someone on the opposing team dropped his real name and LinkedIn profile into the chat. He hadn’t shared his name or city on Steam – but years of reused usernames and scattered online activity had left enough digital breadcrumbs to find him. It’s a perfect case study in digital footprint awareness. What you post, what you reuse, and what you think is hidden often isn’t.

That’s not the only personal story we saw this week. Ant received a scam message on his private Instagram – complete with a tear-jerking cancer backstory and a $7 million “legacy.” He ran it through ChatGPT, which immediately picked out the warning signs: poor grammar, dramatic storytelling, a suspicious URL, and an account with zero followers. Yet despite how easily the scam was identified by AI, Instagram let the message land anyway. It’s another example of where tech platforms still fall short on user protection.

                                                                                  And finally, shout-out to IKEA again. That gift card warning we mentioned earlier? It might seem small, but placing it right in the checkout flow is a perfect example of human-centred security design. It nudges people in the moment that matters – and that’s exactly how we make real behavioural change.

                                                                                  From rogue phones to phishing QR codes, university hacks to helpdesk revenge, this episode had it all. If you’ve ever worried about AI scraping your work, someone digging through your online past, or losing a government laptop full of secrets – you’re not alone. Stay aware, stay secure.

                                                                                  AJ King interview highlights

                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=90
                                                                                  Read – https://riskycreative.com/podcast/aj_king_on_phishing_present_bias_and_purple_cows

                                                                                  SMS Blasters and Google’s Pixel 10 protection
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=206
                                                                                  Read – https://www.forbes.com/sites/zakdoffman/2025/06/27/googles-next-pixel-update-apples-iphone-falls-behind/

                                                                                  Canada bans Hikvision over national security risks
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=567
                                                                                  Read – https://www.securityweek.com/canada-gives-hikvision-the-boot-on-national-security-grounds/

                                                                                  Thousands of UK public sector devices lost or stolen
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=904
                                                                                  Read – https://www.techradar.com/pro/security/thousands-of-pcs-phones-and-tablets-stolen-and-lost-by-uk-public-sector-bodies-prompting-fears-of-huge-national-security-risk

                                                                                  Cloudflare launches AI bot blocker
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=1239
                                                                                  Read – https://www.bbc.co.uk/news/articles/cvg885p923jo

                                                                                  Ex-student hacks university over parking, triggers breach
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=1468
                                                                                  Read – https://www.bleepingcomputer.com/news/security/ex-student-charged-over-hacking-university-for-cheap-parking-data-breaches/

                                                                                  Cornwall school cyberattack and UK education stats
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=1641
                                                                                  Read – https://www.bbc.co.uk/news/articles/clyz81k05l8o
                                                                                  Read – https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025-education-institutions-findings

                                                                                  £3.5m lost to quishing (QR phishing)
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=1873
                                                                                  Read – https://www.linkedin.com/posts/national-economic-crime-centre-necc_new-quishing-alert-35-million-lost-last-activity-7343222030034456576-Py3T/

                                                                                  IT worker jailed for revenge attack after suspension
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=2120
                                                                                  Read – https://www.dewsburyreporter.co.uk/news/crime/batley-it-worker-jailed-after-revenge-cyber-attack-costs-huddersfield-company-ps200000-in-lost-business-5198303

                                                                                  Microsoft kills the Blue Screen of Death
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=2303
                                                                                  Read – https://techcrunch.com/2025/06/26/windows-killed-the-blue-screen-of-death/

                                                                                  Awareness events: SANS Summit, IASAP, and Huficon
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=2520
                                                                                  Read – https://www.sans.org/cyber-security-summit/security-awareness/
                                                                                  Read – https://iasapgroup.org/
                                                                                  Read – https://humanfirewallconference.com/

                                                                                  Can we teach our mums to spot fake AI videos? (Corridor Crew)
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=2761
                                                                                  Read – https://www.youtube.com/watch?si=G8okAHs3_B_CjnVN&v=M4TXO4kQwSQ

                                                                                  Adaptive Security demo and the un-drinkable Yeti mug
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=4055
                                                                                  Read – https://www.adaptivesecurity.com/

                                                                                  IKEA gift card checkout scam warning
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=2886

                                                                                  WHSmith rebrands as TG Jones – phishing vibes
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=3027

                                                                                  Instagram inheritance scam analysed by ChatGPT
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=3247

                                                                                  AI chatbots recommending phishing links
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=3555
                                                                                  Read – https://www.theregister.com/2025/07/03/ai_phishing_websites

                                                                                  CSGO player doxxed via Steam OSINT
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=3849
                                                                                  Read – https://www.reddit.com/r/Steam/s/qXWYBdnH42

                                                                                  Digital footprints and parenting in a connected world
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=4127

                                                                                  Local business cyber day preview
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=4276
                                                                                  Read – https://www.hertsgrowthhub.com/events/07-2025/cyber-confidence-protecting-your-business-in-a-digital-age/

                                                                                  Weekly wrap-up and final thoughts
                                                                                  Watch – https://youtu.be/JTXkkILEW6Y?t=4331

                                                                                  "Is Your Brain Wired for Insecurity?" - AJ King on Phishing, Present Bias and Purple Cows

                                                                                  Why People Still Click – And What AJ King Wants You To Know About Behaviour

                                                                                  We spend a lot of time talking about behaviour in security awareness – but not always with the people who study it for a living. That’s why I sat down with AJ King, a UX researcher with a background in psychology and behavioural economics, for an honest conversation about what really drives behaviour, and why traditional awareness efforts so often miss the mark.

                                                                                  AJ’s not in the security world full time. And that’s what makes this episode so valuable. He brings an outside perspective, grounded in science and shaped by years of coaching, facilitation, and user research. He knows how people actually behave – not just how we wish they would.

                                                                                  This isn’t about criticising users or blaming culture. It’s about digging into the reasons people don’t do the “secure” thing, even when they’ve had the training. We talk about attention, habits, emotional state, and the simple truth that most people are just too busy to prioritise security when it doesn’t feel urgent.

                                                                                  So what do we get into?

                                                                                  First, we unpack why annual training rarely changes behaviour. Five minutes of training once a year doesn’t stand a chance against overloaded calendars, meeting stress, and the mental shortcuts we all take to get through the day. Even well-intentioned awareness campaigns can get drowned out by everything else fighting for attention.

                                                                                  We explore the idea of present bias – how our brains are wired to care more about now than later. It’s why people skip the gym, eat the extra biscuit, and click on the link that maybe, probably isn’t legit. It’s not stupidity. It’s being human.

                                                                                  And that’s the heart of AJ’s argument: behaviour isn’t just a product of knowledge. It’s shaped by pressure, context, emotion, and habits. If we want people to behave securely, we need to design environments that make the right choice easier – not just scold them when they get it wrong.

                                                                                  We also talk about nudging. Everyone loves to say nudges are the answer – but if you’re not engaged, a nudge is just noise. Like walking on a treadmill at 2 mph while watching Netflix – technically you’re there, but it’s not changing much. Nudges only work when the user is open to the journey.

                                                                                  And tone matters too. Whether it’s a phishing simulation landing page or a newsletter, the way you talk to people shapes how they respond. Fear might get attention, but it rarely builds trust. Sometimes, it just makes people close the tab.

                                                                                  AJ’s not offering silver bullets – in fact, he calls them out. But he does offer perspective. Especially for awareness pros working alone, trying to do meaningful behaviour change in a culture that just wants the box ticked. We talk about reframing the message, using personal relevance, and why it might be more effective to teach people how to protect their personal email than their work account.

                                                                                  There’s also a brilliant section on internal branding – why what you call yourself might matter more to senior leadership than to your users, and how to make the value of awareness clearer upwards.

                                                                                  This one’s full of laughs, relatable moments, and smart ideas. It’s not preachy. It’s not academic. It’s just two people talking honestly about the messy business of influencing human behaviour in the real world.

                                                                                  If you’ve ever wondered why people still click – or how to make your next campaign actually land – this episode is for you.

                                                                                  You can connect with AJ on LinkedIn right here

                                                                                  Listen on Apple Podcasts here

                                                                                  Listen on Spotify here

                                                                                  Military Secrets On A Gaming Forum?

                                                                                  What Pizza, Payouts, and PowerShell Have in Common

                                                                                  This week’s episode of The Awareness Angle is packed with stories that sit right at the messy intersection of tech, trust, and human behaviour.

We kick off with a juicy one. M&S is facing a class action lawsuit over the breach earlier this year. But before you jump on the claims bandwagon, let’s look closer. This wasn’t some catastrophic leak of passwords or payment data. It was a third-party supplier incident. Now law firms are urging customers to sign up for “compensation.” Is it really about protecting people? Or just another case of ambulance-chasing dressed up as justice?

                                                                                  Speaking of trust, Nexus Mods, one of the most beloved sites in the gaming world, just changed hands. No big announcements. No transparency. Just a quiet handover. And that’s all it took for the internet to lose its mind. It’s a sharp reminder that when communities feel left out, trust disappears fast.

We also look at the biggest DDoS attack ever recorded: 37.4 terabytes of junk traffic dumped on a single victim IP address in about 45 seconds, peaking at 7.3 terabits per second. That’s the equivalent of downloading 10,000 HD movies in under a minute. Cloudflare absorbed it, but it raises serious questions about how smaller organisations cope when the big guns aren’t there to help.

Then there's the pizza intel story. Yes, really. Before military action between the US and Iran, people noticed spikes in Google Maps activity around gyms and pizza places near air bases. Turns out open-source intelligence is less about hacking and more about watching. A reminder that aggregated location data, even Google Maps telling you a pizza place is busier than usual, can reveal more than you think.

                                                                                  Elsewhere, someone leaked restricted US military flight manuals on a gaming forum to win an argument. Again. That’s nine times now on the War Thunder forums. Not a hack. Not malware. Just people making terrible judgement calls. Passion beats protocol every time.

                                                                                  We dive into NHS doctors using unapproved AI transcription tools during consultations without telling patients. It's a privacy minefield. There’s a clear need for better tools, but the rollout can’t skip consent and governance in the process.

And then there’s the new FileFix attack, a twist on the ClickFix “paste this to fix the problem” trick. Instead of the Run dialog, the victim is told to paste a file path into the File Explorer address bar. The pasted string is really a PowerShell command with the innocent-looking path tacked on the end as a comment, so Explorer runs the command and the malware arrives through the user’s own keystrokes rather than a download that might raise alarms. It’s a classic case of attackers using the tools already on your machine to stay undetected.
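As an added example, not code from the podcast or from the researcher who published the FileFix technique, here is a small Python detector for the process pattern the attack leaves behind. It assumes a JSON-lines export of process-creation events with ts, parent, image and cmdline fields (the events below are constructed, not real telemetry) and that the pasted string follows the publicly described shape: a PowerShell command, then a “#” comment carrying the decoy path.

```python
"""FileFix detector: explorer.exe launching a shell whose command line ends in a
'#'-commented decoy path. Event layout is an assumption (JSON lines with ts,
parent, image, cmdline); the sample events are constructed for this example."""
import json
import re
from pathlib import PureWindowsPath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# PowerShell comment marker followed by something shaped like a drive path
# (C:\...) or a UNC share (\\server\share): the "file path" the victim thinks
# they pasted into the address bar.
DECOY_PATH = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)")

# Constructed sample telemetry. The first line mimics a FileFix launch; the
# payload is a harmless stand-in for whatever the real lure would run.
SAMPLE_EVENTS = r"""
{"ts": "2025-07-01T09:12:03Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Start-Process notepad\" # C:\\company\\internal-secure\\filedrive\\HRPolicy.docx"}
{"ts": "2025-07-01T09:13:44Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\jo\\notes.txt"}
{"ts": "2025-07-01T09:15:10Z", "parent": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"ts": "2025-07-01T09:16:30Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> str:
    """Return 'filefix', 'shell-from-explorer' or 'benign' for one event."""
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent", ""))
    if image not in SHELLS or parent != "explorer.exe":
        return "benign"
    # The decoy comment is the high-confidence signal; a bare shell spawned by
    # Explorer also covers Run-dialog ClickFix and ordinary Start-menu launches.
    if image != "cmd.exe" and DECOY_PATH.search(event.get("cmdline", "")):
        return "filefix"
    return "shell-from-explorer"


def scan(jsonl: str) -> list[tuple[str, str]]:
    """Classify every non-empty line of a JSON-lines export."""
    verdicts = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            verdicts.append((event["ts"], classify(event)))
    return verdicts


if __name__ == "__main__":
    for ts, verdict in scan(SAMPLE_EVENTS):
        print(ts, verdict)
```

Run as-is to print a verdict per sample line. The “shell-from-explorer” bucket is deliberately low-confidence: Explorer is also the parent for the Run dialog and for anything launched from the Start menu, so it needs allow-listing before it becomes an alert, while a PowerShell command line that ends in a commented-out document path has no everyday explanation and can page someone directly.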

We also cover SMS blasters. These dodgy little devices are portable fake mobile masts: they pull nearby phones onto their own signal and push texts straight to every handset in range, pretending to be your bank or the Royal Mail, with no carrier spam filter in the way. These are real. They’re cheap. And they’re hitting phones near you. Most of them rely on dragging the phone down to 2G, so turning off 2G where your phone offers the option blunts the attack.

                                                                                  A year on from the Synnovis NHS ransomware attack, it’s now being linked to a patient’s death. A stark, sobering reminder that cyber attacks don’t just lock up data. They can cost lives.

And a heads-up for anyone still on Windows 10. Come October 2025, it’ll be out of support. If you're relying on Cyber Essentials certification, an unsupported operating system won’t pass, so you’ll need to enrol in Microsoft’s Extended Security Updates (paid for organisations) or move on. This is one of those quiet compliance risks that can catch you out if you’re not watching.

Finally, we talk about a new malware campaign using fake developer job interviews and malicious npm packages. It's slick social engineering targeting tech-savvy people, and it's working. The boring defence still holds: a take-home test from a stranger is untrusted code, so run it in a throwaway VM rather than on the laptop that holds your SSH keys and tokens.

                                                                                  Oh, and a personal one. Ant’s mum nearly fell for a fake M&S hamper scam on Facebook. It's the same recycled playbook as the North Face scam we talked about a few weeks back. Fake comments, countdown timers, and dodgy URLs. Thankfully, she phoned a friend. Or in this case, her cybersecurity-aware son.

                                                                                  This episode covers a lot, but the thread running through it all is simple. Trust is fragile. Humans are unpredictable. And security isn’t just about systems. It’s about people.

                                                                                  New episodes of The Awareness Angle are released every Monday, with interviews dropping every other Thursday. Subscribe via your favourite podcast app or visit riskycreative.com to sign up for the newsletter.

                                                                                  M&S data breach compensation claim

                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=81
                                                                                  Read – https://vm.tiktok.com/ZNdUh6vxj/

                                                                                  Nexus Mods sold (but to who?)
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=225
                                                                                  Read – https://www.reddit.com/r/gaming/s/tPzKAkElVs

                                                                                  The biggest DDoS attack ever
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=351
                                                                                  Read – https://www.tomshardware.com/tech-industry/cyber-security/massive-ddos-attack-delivered-37-4tb-in-45-seconds-equivalent-to-10-000-hd-movies-to-one-victim-ip-address-cloudflare-blocks-largest-cyber-assault-ever-recorded

                                                                                  Pizza shops and military intelligence (Pizzint)
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=549
                                                                                  Read – https://www.reddit.com/r/Damnthatsinteresting/s/rkBTFwbyEK

                                                                                  War Thunder forums leak military secrets… again
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=844
                                                                                  Read – https://ukdefencejournal.org.uk/classified-data-once-again-leaked-on-war-thunder-forums/

                                                                                  Doctors using unapproved AI tools in NHS
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=1061
                                                                                  Read – https://news.sky.com/story/doctors-are-using-unapproved-ai-software-to-record-patient-meetings-investigation-reveals-13387765

New FileFix attack via Windows File Explorer
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=1285
                                                                                  Read – https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-windows-file-explorer-for-stealthy-powershell-commands/

                                                                                  SMS blasters used in new smishing scams
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=1545
                                                                                  Read – https://cybernews.com/news/police-alerts-about-new-sms-blaster-scams-used-for-smishing

                                                                                  NHS ransomware linked to patient death
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=1789
                                                                                  Read – https://www.bbc.co.uk/news/articles/cd1gk9zqe4vo

                                                                                  Cyber Essentials warning: Windows 10 deadline
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=1995
                                                                                  Read – https://www.techradar.com/computing/windows/windows-10-users-who-dont-want-to-upgrade-to-windows-11-get-new-lifeline-from-microsoft

                                                                                  Malware hidden in fake job interviews (NPM packages)
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=2066

                                                                                  Comment section: NHS breaches, OneDrive sync, Jamf
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=2336

                                                                                  Metomic demo: Human firewall nudging tool
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=2762
                                                                                  Read – https://www.metomic.io/solution/human-firewall

                                                                                  TikTok Q&A: Are Groupon license keys legit?
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=2895
                                                                                  Read – https://answers.microsoft.com/en-us/msoffice/forum/all/license-tom-on-groupon-microsoft-partner-or-scam/a0a06003-e798-424b-becf-6e390fff1f9e

                                                                                  Facebook M&S hamper scam fools Ant’s mum (nearly)
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=3289

                                                                                  Scattered Spider retrospective timeline
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=3568
                                                                                  Read – https://www.linkedin.com/posts/rosslazer_scattered-spider-timeline-ugcPost-7343292142729011201-S8N4

                                                                                  Windows 10 extended support pricing update
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=3660

                                                                                  Experian “Dark Web” alert email
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=3845

                                                                                  16 billion password leak briefly discussed
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=4083

                                                                                  Weekly wrap-up and final thoughts
                                                                                  Watch – https://youtu.be/EntRmhcDOBM?t=4182