This week on The Awareness Angle, we discuss the knock-on effects of the UK’s Online Safety Act, from free VPNs topping the app charts, to Sims characters and AI face-swapping being used to fool age checks. It’s a fascinating look at what happens when compliance meets real-world behaviour.
We also talk about a viral Reddit post where a new starter is facing the sack after failing phishing simulations that were so aggressive, they blurred the line between awareness and sabotage. And we run through four major breaches, Allianz Life, NASCAR, Orange France, and the city of St. Paul, all showing different shades of third-party risk and response failure.
Also: QR code suspicion, awareness tools with no sales pitch, intimate tech privacy leaks, and Ant’s ongoing confusion over his new bin schedule.
Plus, a quick plug, Ant will be heading to Chicago for the SANS Security Awareness Summit. If you're there or joining online, keep an eye out for the LinkedIn Lives.
New Website Now Live!
This week saw us launch our new website. It's now easier than ever to view past episodes. You can also now sign up to become a member and buy Awareness Angle merchandise. We've got new items coming to the store in the coming weeks so keep your eyes peeled. Check out the site at riskycreative.com
🎧 Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube

Magic, Mindset, and Metrics - Harley Sugarman on Rethinking Training

🎙️ Out Now On The Awareness Angle Interviews!
Security awareness is often full of smoke and mirrors, and not always in a good way.
In this episode, Ant chats with Harley Sugarman, founder of Anagram Security, about why traditional training falls flat, how bad metrics lead us astray, and what it really takes to change behaviour. They get into mindset shifts, nudge fatigue, and why calling people “risks” might be the worst move of all.
People’s journeys into security awareness are rarely straightforward, and Harley’s has a twist that makes his whole approach make sense (you’ll see what we mean).
If you want awareness that sticks (and maybe even amazes), don’t miss this one.
🎧 This episode is available at https://riskycreative.com/supporters/video_embeds/146832, on YouTube, and wherever you get your podcasts.
Previous Episodes -
To catch our previous episodes of The Awareness Angle Interviews - visit https://riskycreative.com/supporters/videos.
If you’ve got a story to tell, a lesson to share, or a perspective you think more people should hear, get in touch. We’d love to hear from you. Email us at hello@riskycreative.com
VPN Chaos as UK Age Checks Go Live
Watch the discussion - https://youtu.be/J3qw0NvSTgc?t=188
The UK’s Online Safety Act is now in force, requiring age verification for access to adult content. Predictably, VPN downloads have skyrocketed, with free apps topping the App Store charts. But experts warn these apps often come with serious risks, from shady data practices to outright malware.
The new law has triggered a wave of workarounds, from VPN use to AI-generated facial spoofing. Meanwhile, platforms like Spotify are threatening to delete accounts that fail to verify, and YouTube is testing AI that estimates your age based on your watch history.
∠The Awareness Angle
- Free VPNs Are Risk Magnets – Popular free VPNs are often insecure, ad-supported, or even malicious. And now they’re being used by kids.
- Tech Controls Are Being Bypassed – AI facial spoofing, game characters, and loophole-sharing on social media show how quickly people find ways around policy.
- Compliance ≠ Safety – Platforms risk promoting tools that undermine the very rules they’re trying to follow. Time to focus on real outcomes, not just box-ticking.
Phishing Fail? You're Fired.
Watch the discussion - https://youtu.be/J3qw0NvSTgc?t=3308
A Reddit user shared their experience of joining a new company, only to be told months later that they were one phishing fail away from being terminated. They’d already failed five, but the real issue? The tests were borderline unfair. They used real branding, copied genuine internal emails (like PTO requests), and were sent from legitimate-looking addresses. One arrived on their first day. No warnings until failure number four. No support. No clarity. Just a countdown to being fired.
The user was new to MS Outlook and had never worked at a company that ran phishing simulations before. They were flagging genuine threats and excelling in their role otherwise, but that didn’t matter. They now live in fear of their inbox.
Read more - https://www.reddit.com/r/cybersecurity/comments/1mbwp26/are_my_companys_phishing_tests_in_bad_faith_or_am/
∠The Awareness Angle
- Is This Really What “Awareness” Looks Like? – If your phishing tests are causing fear, silence, or people gaming the system just to avoid punishment, your programme has failed, no matter what your dashboard says.
- Simulations Should Teach, Not Trap – First-day tests? Mimicking HR processes with no prior context? That’s not training. That’s entrapment. Especially for new joiners who don’t yet know what “normal” looks like.
- You're Measuring Fear, Not Resilience – You can scare people into compliance, but it doesn’t build better behaviour. It builds resentment, disengagement, and a toxic relationship with security.
Ant's Take -
I'm not a fan of phishing simulations but they have their place. I feel that while phishing simulations aren't the enemy, badly designed ones are. The goal isn’t to "catch people out." It’s to help them catch themselves before clicking next time.
As I said in this episode:
"Phishing simulations should support people — not entrap them."
"If your first experience at a company is being tricked by a phishing test on day one, something’s gone wrong."
We’re supposed to be building confidence and culture, not testing whether someone can read minds under pressure.
And it’s not just me. Simon Sinek is often quoted as saying, “A culture is strong when people work with each other, for each other.” I also hear Maxime Cartier from Hoxhunt speak often about the importance of psychological safety, and how fear-based training undermines it.
Fear doesn’t create better behaviour. It creates silence. It isolates people. And it makes security feel like a trap, not a support system.
If your programme relies on shame, secrecy, or silence, are you really managing risk, or are you creating it?
Four Breaches, One Theme?
Watch the discussion - https://youtu.be/J3qw0NvSTgc?t=1626
It’s been a rough week for security teams. Allianz Life, the city of St. Paul, NASCAR, and Orange France were all hit by serious breaches, exposing everything from Social Security numbers to city infrastructure.
- Allianz Life lost personal and financial data of most of its US customers. The entry point? A third-party CRM tool.
- St. Paul, Minnesota was hit so hard by ransomware that the National Guard had to step in to help restore city operations.
- NASCAR was hit with a $4 million ransom demand after attackers accessed contracts, ID documents, and health data via a third-party vendor.
- Orange France confirmed attackers accessed customer contracts and ID information through an IT services provider.
∠The Awareness Angle
- Third-Party Risk Isn’t Abstract – Three of these breaches involved external systems or suppliers. If someone else has access to your data, their breach is your breach.
- It’s Not Just Data, It’s Disruption – From payroll freezes to city-wide outages, the impact is more than reputational. Real people and services were affected.
- Basic Access Still Gets Exploited – Weak passwords, slow detection, and social engineering continue to be the entry points. This is not advanced cyber-wizardry. It’s the same old doors left unlocked.
Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!
Awareness Awareness
🎤 SANS Security Awareness Summit – Ant’s Heading to Chicago
The SANS Security Awareness Summit is happening August 14–15, live in Chicago and online, and Ant will be there in person, learning, and livestreaming bits of it from the floor.
Expect a couple of LinkedIn Lives, some behind-the-scenes moments, and maybe a few chats with awareness pros as they come out of sessions. If you’re joining online, definitely hop into the SANS Slack, the conversation there is always lively.
This summit is one of the best for anyone working on the human side of security. It’s all about behaviour, culture, and communication, not just policy and platforms.
SebDB 4.0 is live
Oz Alashe announced the latest CybSafe update to their Security Behaviour Database, now aligned to MITRE, NIST, and more. It’s open-source, and free to use.
🔗 See the announcement
A Free Maturity Model That Doesn’t Sell You Stuff
Jason Hoenich’s new tool at humanrisk.com gives you a benchmark across strategy, engagement, assessment, and training. The best part is that there is no sales pitch attached (but you can reach out to Jason for guidance and support if you wish!)
🔗 Try it now
FYI - Jason has made a bunch of updates since we recorded this, so it will have only gotten better!
🧪 Fable Comes Out of Stealth
There’s a new human risk startup on the scene. Fable Security just launched publicly, with big investment and even bigger promises around "agentic AI" for behaviour change. Think bite-sized nudges, deepfake detection, and phishing defence, all delivered with a sleek interface and some very polished branding.
It’s early days, but the pitch is bold: smarter, scalable human risk intervention with less noise and more action. We’ll be keeping an eye on it to see how it stands out in a rapidly growing space.
This Week's Discussion Points...
- VPN Use Surges After UK Age Checks
- Labour Rules Out VPN Ban, Warns Households
- Loopholes Used to Bypass Online Safety Act
- Spotify Threatens to Delete Unverified Accounts
- YouTube Using AI to Guess Your Age
- Google AI Search Launches in UK
- Lovense App Flaw Leaks User Emails
- Microsoft Edge Adds ‘Copilot Mode’ AI Assistant
- Allianz Life Breach – Personal Data Stolen
- City of St. Paul Hit by Ransomware, National Guard Deployed
- NASCAR Data Breach – $4M Ransom Demanded
- Orange France Cyberattack via IT Supplier
- Reddit Story – Harsh Phishing Test Penalties
- Hertfordshire Bin Chaos
- TikTok Clip – Hidden Messages in Birdsong
Bin Watch 2025
Watch - https://youtu.be/J3qw0NvSTgc?t=3647

Ant recently found himself navigating a new local bin system. Five bins. Three different collection cycles. Two separate letters from the council, each giving different instructions.
It’s a small thing, but it stuck with him, because it’s exactly what happens when security controls get too complex.
If people don’t know what’s expected, or the rules keep changing, they don’t follow the system, they work around it. Not out of laziness, but survival. They’re just trying not to get it wrong.
In awareness, we talk a lot about risk, but confusion is its own kind of risk. If your policies feel like bin day maths, don’t be surprised when people stop engaging with them.
Simplicity isn’t a shortcut. It’s the strategy.
∠The Awareness Angle
- Complexity Kills Compliance – When people can’t understand or remember the rules, they stop following them. Confusion creates risk, even if your policy is technically sound.
- Intent Doesn’t Equal Clarity – Just because you’ve communicated something doesn’t mean it landed. Conflicting instructions, like conflicting security messages, erode trust fast.
- Simplicity Builds Behaviour – Clear, consistent guidance makes it easier for people to do the right thing. If security is intuitive, people won’t need a calendar, chart, or cheat sheet to follow it.