May 26, 2025
Is Voice Phishing the Next Big Cyber Threat?

What’s the cost of a retail ransomware attack? For M&S, it’s £300 million.

This episode is full of high-impact cyber stories—from supplier ransomware and spoofed IT calls to fake Chrome extensions and Discord privacy concerns. We also give credit where it's due with a rare win for the UK government, and dive into why your train, hospital, or ATM might still be running Windows XP.

Let’s break it all down...

🛍️ M&S Cyber Attack: £300m and Counting
The attack hit at Easter and recovery is expected to last until July. It came via a third-party supplier, used social engineering (not fancy malware), and took down key services. Only browsing is back online, and you still can’t buy anything.

🥩 Tesco & Sainsbury’s Supplier Held to Ransom
Cold storage logistics firm Peter Green Chilled was forced to stop taking new orders after a ransomware attack, leaving meat pallets at risk of spoiling. Food supply chains are becoming a soft target—and it’s starting to show on shelves.

📞 3AM Ransomware: Fake IT Calls, Real Access
A new campaign mixes email bombing with phone calls spoofed to look like internal IT support. Victims are persuaded to open Quick Assist and hand over control. It's bold, direct, and sadly, very effective.

💸 HSBC CEO: “Cyber Threats Keep Me Awake”
Ian Stuart told MPs that cyber risk is a top concern for banks—and a massive ongoing cost. With financial services under constant attack, the push for stronger authentication (like passkeys and number matching) is gaining momentum.

📍 O2 Bug Leaked Your Location During Calls
A flaw in O2’s VoLTE and WiFi calling systems exposed IMSI, IMEI, and cell tower data for over a year. It’s now fixed, but highlights how verbose network protocols can become a serious privacy risk.

🚗 Goodbye QR Codes in Car Parks?
The UK government is rolling out a National Parking Platform so drivers can use any parking app in any supported location. It’s a big step toward ending QR confusion and fake codes in car parks.

🧩 Chrome Extensions Gone Rogue
More than 100 fake Chrome extensions have been caught stealing credentials, hijacking sessions, and injecting ads. Many posed as known tools or services. Don’t trust what you find in the Chrome Web Store—especially if you got there via an ad.

💬 2 Billion Discord Messages Scraped
Brazilian researchers scraped public Discord messages from over 3,000 servers and released the dataset for academic use. It’s anonymised, but the backlash shows how fragile our expectations of online privacy really are.

🧠 The Awareness Angle – This Week’s Takeaways

Trust Is Still the Weak Link – Ransomware groups aren’t breaking in. They’re being let in, by confused or tricked staff who think it’s IT calling.

Legacy Systems Are Hidden Risks – From O2’s metadata leak to lifts running Windows XP, old tech can cause new problems.

People Remember What’s Relatable – A £300m price tag sticks. So does a fake IT call. Tell the real stories, not just the technical ones.

🎙️ Quick Plugs

We’re up for Best Newcomer and Back to Basics at the European Cybersecurity Blogger Awards. Voting closes on 27th May. You can vote now at riskycreative.com

Don't Forget!  
The Awareness Angle interview with Amy Stokes-Waters is out now. Go back one episode and listen. It’s full of personality, honesty, and escape rooms. Don’t miss it.

M&S Cyber Attack – £300m Loss and Third-Party Access
Watch – https://youtu.be/yR2iBWZlDVU?t=373
Read – https://www.bbc.co.uk/news/business-69050058

Tesco & Sainsbury’s Supplier Ransomware Attack
Watch – https://youtu.be/yR2iBWZlDVU?t=602
Read – https://www.theregister.com/2025/05/21/peter_green_cyberattack/

3AM Ransomware – Fake IT Calls and Email Bombing
Watch – https://youtu.be/yR2iBWZlDVU?t=779
Read – https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-email-bombing-and-fake-it-calls-to-breach-companies/

HSBC CEO – “Cyber Threats Keep Me Up at Night”
Watch – https://youtu.be/yR2iBWZlDVU?t=937
Read – https://www.bbc.co.uk/news/business-68939456

O2 Mobile Bug – User Location Leaked via Call Metadata
Watch – https://youtu.be/yR2iBWZlDVU?t=1099
Read – https://www.bleepingcomputer.com/news/security/o2-uk-bug-exposed-mobile-users-location-during-voice-calls/

UK Government Unifies Parking Apps to Reduce QR Risks
Watch – https://youtu.be/yR2iBWZlDVU?t=1338
Read – https://www.bbc.co.uk/news/technology-68993852

100+ Fake Chrome Extensions Stealing Data
Watch – https://youtu.be/yR2iBWZlDVU?t=1477
Read – https://www.bleepingcomputer.com/news/security/over-100-malicious-chrome-extensions-used-to-hijack-browsers/

2 Billion Discord Messages Scraped and Published
Watch – https://youtu.be/yR2iBWZlDVU?t=1770
Read – https://www.404media.co/researchers-scrape-and-release-2-billion-discord-messages/

Still Booting – Ancient Windows Systems in Use Today
Watch – https://youtu.be/yR2iBWZlDVU?t=2514
Read – https://www.bbc.com/future/article/20240513-the-people-still-using-ancient-windows-computers

Vishr.ai – Live Demo of AI Vishing Simulator
Watch – https://youtu.be/yR2iBWZlDVU?t=2830
Try – https://vishr.ai

Deepfake Investment Scam Featuring Fake Anthony Bolton
Watch – https://youtu.be/yR2iBWZlDVU?t=3135
Read – https://www.fnlondon.com/articles/fidelitys-anthony-bolton-targeted-by-instagram-deepfake-scam-20240513

Google Veo – AI Video Generation with Audio
Watch – https://youtu.be/yR2iBWZlDVU?t=3424
Read – https://blog.google/technology/ai/google-veo-video-generation-ai-io-2025/

Notebook LM – Turn Transcripts into Podcast Conversations
Watch – https://youtu.be/yR2iBWZlDVU?t=3858
Try – https://notebooklm.google
