Home About Episodes
Members only
Posts Perks
Shop
All Products CLICK. HAPPENS. CTRL + ALT + HUMAN The Awareness Angle
Jul 14, 2025
Would You Sell Your Password for $920?

From teenage hackers to phishing flannel sales: what this week in cyber taught us about trust

This week’s episode of The Awareness Angle is a big one. Not just because we hit Episode 40 and gave the podcast a fresh coat of paint (hello purple), but because the stories we’re covering say a lot about where cybersecurity is heading and where the human element still matters most.

We kick off with the news that Call of Duty: WWII had to be pulled from Game Pass after it was found to contain a serious remote code execution flaw. Just joining a multiplayer match was enough to let attackers run code on your machine, no download or interaction needed. The game was using outdated peer-to-peer networking, and this old vulnerability became a very real problem once it was re-released. It’s a solid reminder that putting something on a trusted platform doesn’t automatically make it safe.

Then there’s Dylan, the teenager who reported a critical vulnerability in Microsoft Teams and ended up changing Microsoft’s bug bounty rules. At just 13, he wasn’t even old enough to take part, but Microsoft made an exception and rewrote the programme to include researchers his age. He’s now 17, still reporting bugs, and has become a key figure in responsible disclosure. His story shows how powerful it can be when we encourage curiosity instead of shutting it down.

Meanwhile, researchers have discovered a new tactic called “prompt injection for praise” where academic papers hide instructions designed to manipulate AI models into generating flattering summaries. It's another example of how AI tools, while useful, can be tricked and influenced behind the scenes. We talk about why trust in automation can be risky and how this could impact anyone relying on AI to summarise or assess content.

In the UK, emergency alerts are back. The government is planning another full-scale test of its mobile alert system in September, with phones expected to blare a loud warning even if they’re set to silent. These alerts can be life-saving, but they can also cause real problems for people in vulnerable situations, especially those who rely on hidden phones. We chat about how comms like this need to be handled with care and why a simple test isn’t always simple for everyone.

Then we dive into the sharp rise in phishing attacks using .es domains. A 19x spike in malicious campaigns was uncovered, with most attacks spoofing Microsoft login pages. These aren’t basic scams either. They use CAPTCHA gates, polished lures, and infrastructure like Cloudflare to appear legitimate. It’s a reminder that even trusted tools and clean-looking domains can be used for harm.

In Brazil, a massive $140 million bank heist started with a $920 bribe. One insider gave up their credentials and followed hacker instructions passed through a Notion workspace. It’s a classic case of insider risk combined with social engineering, and it shows how attackers don’t always need malware when they’ve got people.

Monzo also found itself in the spotlight this week, with a £21 million fine for letting customers sign up using clearly fake addresses like 10 Downing Street and even their own HQ. It happened during a period of rapid growth between 2018 and 2022, and while the systems have since been improved, it’s a strong example of why basic checks like address validation still matter.

Then there’s the fake Dixon flannel sale that nearly got Ant. A scam account on Instagram promoted a slick-looking website offering limited edition shirts at a massive discount. It used real branding, looked almost perfect, and even had stock numbers that changed depending on your clicks. But the site had only been registered weeks earlier and the whole thing was a complete fake. Dixon confirmed it wasn’t them. It’s a brilliant example of how scams are evolving and how easy it is to get caught out when you’re in a rush and see a brand you trust.

Speaking of almost getting caught, we also cover Victor Serban’s near-miss with a phishing scam posing as a new client. Victor is a well-known PPC expert who was contacted by someone claiming to work for a legitimate company. Everything looked fine until the Google Ads invitation came from a suspicious email address. MFA saved the day, and Victor spotted the red flags just in time. We talk about how this kind of scam could be used to compromise entire ad networks and why it’s more targeted than most people realise.

Then there’s McDonald’s, who used an AI-powered chatbot for recruitment, only to find out it was still using the admin password “123456.” Researchers got in and uncovered a serious IDOR vulnerability that let them access applicant data at scale. The vendor has since patched the issue and launched a bug bounty programme, but it’s a clear reminder that AI platforms still need old-fashioned security controls.

We also talk about Apple’s new scam warnings in Apple Cash. They’re only live in the US at the moment, but they pop up when a transaction looks suspicious and warn users to be cautious. The alert is smart but a little clunky in language, and we wonder how well it’ll land in a high-pressure moment.

We close with a lovely story from MK Dons football club, who have released a new away kit in tribute to the Enigma codebreakers of Bletchley Park. The shirt design includes a repeating pattern based on the Enigma machine and it’s a beautiful way to connect modern football with local tech heritage. Cyber meets culture.

And in this week’s Awareness Awareness, we cover KnowBe4’s free human risk maturity assessment. It takes five minutes and gives you a full report with benchmarks, suggested improvements, and action plans to level up your awareness programme. We also highlight a new internal comms report from Samantha Fletcher at Sainsbury’s that shows just how much people want authentic communication and clarity from leadership. It’s packed with stats and insights that are highly relevant to anyone working in security awareness or employee engagement.

Finally, Ant shares a preview of the next Awareness Angle interview with Lori Steuart, a content marketing pro who has helped security brands communicate better. They talk about what security teams can learn from B2B marketing, how storytelling helps drive behaviour change, and why your messages don’t have to be boring to be effective. It’s a conversation you won’t want to miss.

If you’re into human risk, behavioural security, phishing scams, or just want to stay sharp on what’s happening in cyber, Episode 40 is a good one.

M&S and Co-op Cyber Arrests
Watch – https://youtu.be/jG9o0q2eDdQ?t=199
Read – https://www.bbc.co.uk/news/articles/cwykgrv374eo

Call of Duty WWII Hacked via Game Pass
Watch – https://youtu.be/jG9o0q2eDdQ?t=356
Read – https://www.notebookcheck.net/Call-of-Duty-WW2-players-are-being-hacked-by-RCE-exploit-after-shooter-debuts-on-Xbox-Game-Pass.1050816.0.html

13-Year-Old Hacks Teams, Changes Microsoft Policy
Watch – https://youtu.be/jG9o0q2eDdQ?t=620
Read – https://interestingengineering.com/culture/teenager-rewrites-microsoft-bug-bounty-rules

Researchers Trick AI Into Praising Their Work
Watch – https://youtu.be/jG9o0q2eDdQ?t=789
Read – https://80.lv/articles/researchers-hide-prompts-in-reports-to-make-ai-praise-their-papers

UK Emergency Alert System Test Coming
Watch – https://youtu.be/jG9o0q2eDdQ?t=1057
Read – https://www.bbc.co.uk/news/articles/c4ge9xk8wj0o

Phishing Surge Using .es Domains
Watch – https://youtu.be/jG9o0q2eDdQ?t=1212
Read – https://www.theregister.com/2025/07/05/spain_domains_phishing

$920 Bribe Leads to $140M Bank Heist in Brazil
Watch – https://youtu.be/jG9o0q2eDdQ?t=1510
Read – https://www.bleepingcomputer.com/news/security/employee-gets-920-for-credentials-used-in-140-million-bank-heist

Monzo Fined for Fake Customer Addresses
Watch – https://youtu.be/jG9o0q2eDdQ?t=1717
Read – https://www.bbc.co.uk/news/articles/cqjqgxzz8gjo

MK Dons Honour Bletchley Park in New Kit
Watch – https://youtu.be/jG9o0q2eDdQ?t=1916
Read – https://www.bbc.co.uk/news/articles/cx23djxn89ro

McDonald’s AI Hiring Bot Leak
Watch – https://youtu.be/jG9o0q2eDdQ?t=2005
Read – https://cybersecuritynews.com/mcdonalds-ai-hiring-bot-leaks

KnowBe4 Culture Assessment Tool
Watch – https://youtu.be/jG9o0q2eDdQ?t=2228
Read – https://blog.knowbe4.com/is-your-human-risk-management-program-creating-measurable-change-find-out-with-our-free-program-maturity-assessment

Internal Comms Report from Sainsbury’s Samantha Fletcher
Watch – https://youtu.be/jG9o0q2eDdQ?t=2537
Read – https://www.ioic.org.uk/resource-report/ic-index-2025.html

TikTok Deepfake Identity Warning
Watch – https://youtu.be/jG9o0q2eDdQ?t=2681

Apple Pay Scam Warning Prompt
Watch – https://youtu.be/jG9o0q2eDdQ?t=2940

Dixxon Flannel Instagram Scam
Watch – https://youtu.be/jG9o0q2eDdQ?t=3190

Victor’s Google Ads Phishing Close Call
Watch – https://youtu.be/jG9o0q2eDdQ?t=3614
Read – https://victorserban.com/

Share
Recently uploaded
Video thumbnail
Is the UK Online Safety Act Flawed?
5 days ago
Video thumbnail
Magic, Mindset, and Metrics – Harley Sugarman from Anagram Security
8 days ago
Video thumbnail
Hackers Asked for a Password... and Got It?
11 days ago
Video thumbnail
Why Was an Elevator Held Hostage by Windows?
18 days ago
Video thumbnail
Marketing Muscle Memory - Lori Steuart on Making Cyber Second Nature
22 days ago
Video thumbnail
How Many Lost Laptops Is Too Many?
about 1 month ago
Video thumbnail
"Is Your Brain Wired for Insecurity?" - AJ King on Phishing, Present Bias and Purple Cows
about 1 month ago
Video thumbnail
Military Secrets On A Gaming Forum?
about 1 month ago
Video thumbnail
Is Your Security Awareness Program Just Ticking Boxes?
about 2 months ago
Video thumbnail
“Real-time beats simulation” - Terry McCorkle on Rethinking Phishing
about 2 months ago
Video thumbnail
The Hidden Danger of LNK Files on Your Computer
about 2 months ago
Video thumbnail
Why Gen Z Is Going Passwordless
2 months ago
Video thumbnail
Is the UK Online Safety Act Flawed?
5 days ago
Video thumbnail
Magic, Mindset, and Metrics – Harley Sugarman from Anagram Security
8 days ago
Video thumbnail
Hackers Asked for a Password... and Got It?
11 days ago
Video thumbnail
Why Was an Elevator Held Hostage by Windows?
18 days ago
Video thumbnail
Marketing Muscle Memory - Lori Steuart on Making Cyber Second Nature
22 days ago
Video thumbnail
How Many Lost Laptops Is Too Many?
about 1 month ago
Video thumbnail
"Is Your Brain Wired for Insecurity?" - AJ King on Phishing, Present Bias and Purple Cows
about 1 month ago
Video thumbnail
Military Secrets On A Gaming Forum?
about 1 month ago
Video thumbnail
Is Your Security Awareness Program Just Ticking Boxes?
about 2 months ago
Video thumbnail
“Real-time beats simulation” - Terry McCorkle on Rethinking Phishing
about 2 months ago
Video thumbnail
The Hidden Danger of LNK Files on Your Computer
about 2 months ago
Video thumbnail
Why Gen Z Is Going Passwordless
2 months ago