This week, we’re bringing you a mix of Chicago heat, cyber scares, and a bit of nostalgia. I’ve just wrapped up an incredible few days at the SANS Security Awareness Summit, where 350 awareness pros (and over 5,000 virtually) came together to share stories, strategies, and yes, a few laughs. From romance scam keynotes to Champions Network chats, it was packed. You can catch our two live streams (plus a brilliant bonus bit) from the summit on YouTube if you missed them.
Back in the news, we dig into a wild Lenovo webcam flaw that turns cameras into hacking tools, a scam piggybacking on car finance compensation, and fresh zero-days cracking open password vaults. Plus, there’s a telecom breach, a city hit by ransomware whose stolen data has now been leaked, and a reminder that even “strong” passwords aren’t always as strong as we think.
And because we like to balance the serious with the fun, we also talk AOL dial-up (RIP after 30 years), calendar spam scams, and the rise of “Major Data Breach” as a military rank.
Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube
Conversations From The Summit

The SANS Security Awareness Summit is the biggest gathering of people who live and breathe security awareness, human risk, and culture. This year, more than 350 professionals met in Chicago, with thousands more joining online. For two days the focus was on one thing: how to make security stick with people.
Here are some of the big takeaways from the conversations and sessions:
- Stories make it stick – time and again, people highlighted that storytelling is one of the most powerful tools we have in awareness. A good story is remembered years later, while a policy or slide deck is often forgotten.
- Words matter – the language we use can either build trust or shut people down. Some traditional buzzwords are starting to feel stale or even negative, and many are turning towards warmer, more human messaging.
- Culture over compliance – the strongest programs are moving away from box-ticking exercises and instead building genuine relationships across the business. It’s about nurturing behaviours, not policing them.
- Champions need investment – security champions and ambassador networks are widely seen as one of the best ways to influence culture, but they only thrive when they have proper support, budget, and dedicated people running them.
- Community is everything – awareness professionals are learning as much from each other as they are from the talks. Peer-to-peer sharing, whether at the summit or in ongoing practice groups, is driving new ideas and confidence.
- Human risk is front and centre – the conversation is shifting from “awareness training” to measuring and reducing actual behaviours that create risk, supported by better data and behavioural science.
- The power of in-person – many said the real magic of the summit is in the connections: the chats over coffee, the sense of community, and the reassurance that you’re not the only one facing these challenges.
Watch here - https://www.youtube.com/playlist?list=PLEsOj51Q0PfBp55nkDIS0S3sA8cTJFJkk
Lenovo Webcams Can Be Turned Into BadUSB Devices
Watch the discussion - https://youtu.be/Ce8cjxsYXDY?t=527
Researchers have found a serious flaw in certain Lenovo webcams (CVE-2025-4371) that allows attackers to remotely reprogram them into so-called BadUSB devices. The BadUSB technique, first demonstrated back in 2014, abuses the USB device’s own firmware, turning what looks like an innocent webcam into a malicious tool. Once compromised, the camera can inject keystrokes, deliver payloads, or log data. What’s even more worrying is that it can survive a full operating system reinstall.
Lenovo has released firmware updates to fix the issue, but it’s a reminder that even everyday accessories like webcams aren’t always as simple as they seem. These devices often run their own operating systems and can be weaponised without the user ever realising.
Read more - https://thehackernews.com/2025/08/linux-based-lenovo-webcams-flaw-can-be.html
The Awareness Angle
- Peripheral Trust Risks – Even “innocent” devices like webcams can run their own OS and be remotely weaponised.
- Persistence Beyond OS Wipe – Firmware-level malware survives reinstallation, requiring hardware-level fixes.
- Supply Chain & Physical Access Threats – Malicious devices could be shipped to targets or swapped in by insiders.
uBlock Origin Lite Finally Comes to Safari
Watch the discussion - https://youtu.be/Ce8cjxsYXDY?t=763
Safari users have been missing a reliable ad blocker for years, but that gap is now filled. uBlock Origin Lite is a lightweight, privacy-friendly version of the popular ad blocker and is finally available on macOS, iOS, and iPadOS. Unlike the original extension, it uses Safari’s “declarative rules API,” which means the browser handles all the blocking natively, without draining CPU or memory.
Why does this matter? Malicious Advertising (or Malvertising) is still a common infection route, and a good ad blocker doesn’t just clean up your browsing experience. It also helps protect against malicious ads. For Apple users who’ve been stuck without proper options, this is a welcome (and safer) addition.
Read more - https://www.howtogeek.com/ublock-origin-lite-is-finally-available-on-safari/
The Awareness Angle
- Lightweight Privacy Tool – Blocks ads and trackers without draining device resources.
- Apple Ecosystem Gap Filled – Safari users on iPhone and iPad finally get official support.
- Declarative Security Model – Reduces attack surface by letting the browser handle blocking logic natively.
Scammers Jump on Fake Car Finance Payouts
Watch the discussion - https://youtu.be/Ce8cjxsYXDY?t=963
The UK’s Financial Conduct Authority (FCA) has warned motorists about scam calls offering fake compensation for mis-sold car finance deals. Real compensation of up to £950 per driver is being considered, but the scheme isn’t live yet. Fraudsters are exploiting the publicity by posing as lenders and tricking people into handing over personal and banking details.
The FCA has been clear: it will never ask for PINs or passwords. If someone calls about a payout, it’s a scam. Hang up immediately and report it. With so much publicity around the genuine legal cases, these scams are only likely to grow.
Read more - https://www.bbc.co.uk/news/articles/c860021w3g8o
The Awareness Angle
- No Scheme Yet – Any compensation offers right now are fake as the FCA is still in consultation.
- Data Theft Risk – Scammers aim to harvest bank and personal details under the guise of claims.
- Avoid Middlemen – Claims firms may take up to 30% of payouts unnecessarily.
Google Calendar Spam Invites Trick Users Into Scams
Watch the discussion - https://youtu.be/Ce8cjxsYXDY?t=2531
A sneaky scam is making its way into people’s schedules, literally. Attackers are sending fake Google Calendar invites that look like business opportunities, complete with WhatsApp numbers and vague “partnership” offers. Because Calendar is often set to automatically add invitations, these bogus meetings appear right in your diary even if the invite goes to spam.
The hook is simple: reply to the WhatsApp number and they’ll try to extract personal details, bank info, or upfront payments for a fake deal. Several versions are circulating, all using different email addresses but the same WhatsApp contact.
The fix is straightforward:
- In Google Calendar, go to Settings → Event settings → Automatically add invitations → No, only show invitations I’ve responded to.
- Under View options, uncheck Show declined events.
This is basically phishing delivered through your calendar instead of your inbox, and it’s a reminder that spam can slip in from unexpected places.
The Awareness Angle
- Calendar Phishing – Scams don’t just arrive by email anymore; invites and reminders can be weaponised too.
- Default Settings Risk – “Automatically add” gives attackers a free pass to your schedule.
- Simple Fix – Changing one setting shuts down this entire attack vector.
Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!
This Week’s Discussion Points...
- Linux-Based Lenovo Webcams’ Flaw Can Be Remotely Exploited for BadUSB Attacks
- uBlock Origin Lite Is Finally Available on Safari
- Drivers warned about scam car finance payout calls
- Critical Zero-Days Crack Open CyberArk Password Vaults
- Bouygues Telecom Hit by Cyberattack, 6.4 Million Customers Affected
- Interlock Ransomware Group Leaks 43GB of Data in City of St. Paul Cyberattack
- Reddit: Strong Passwords Weaker Than Weak Ones
- Reddit Meme: Age Verification Scam Ads
- Password Power – CyberHerd Awareness Game
- AOL Ends Dial-Up Service After More Than 30 Years
- Major Data Breach Meme (Major Data Breach Reporting for Duty)
- Google Calendar Spam Scam
Major Data Breach… Reporting for Duty
Watch - https://youtu.be/Ce8cjxsYXDY?t=2361
Sometimes security awareness doesn’t need a 50-page whitepaper; it just needs a good laugh. On an Australian news broadcast, the words “Major Data Breach” flashed up on screen while a military officer in uniform stood perfectly in frame. The unintentional mash-up made it look as if the officer’s name badge literally read “Major Data Breach.”
The clip from the Toni and Jon Podcast last year has since gone viral and for good reason. It’s a reminder that humour can break down barriers when talking about cyber. Sharing memes, light-hearted clips, and cultural moments like this in your workplace can spark conversations that stick far longer than another all-staff email.
The Awareness Angle
- Humour Works – A funny clip can start the security conversation better than another warning.
- Front of Mind – Little viral moments keep “cyber” relevant in everyday chatter.
- Relatable Training Tool – Sharing memes in newsletters, chats, or town halls can make security feel human and approachable.
Watch it at - https://www.instagram.com/reel/DNPuMmOsQC0/?igsh=MTZpNmViaW8xNGl3