Sep 15, 2025
Apple Calendar Invites Are Being Turned Into Phishing Scams

This week on The Awareness Angle:

  • Apple’s iCloud calendar gets abused to send phishing emails that look all too real
  • Qantas cuts executive bonuses after a massive breach, showing leadership accountability in action
  • Nexar’s dashcam database is hacked, spilling video footage and GPS data into the wild
  • Huntress researchers get a rare inside look at how cyber attackers really operate
  • Plus: Plex suffers another breach, new awareness content from Hoxhunt, and more in the extras

🎧 Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube


Cyber Security Awareness Month videos with Hoxhunt

We’ve teamed up with Hoxhunt again this year to create a series of short, snappy videos for Cyber Security Awareness Month. Each one is just one to two minutes long and covers social engineering in messaging apps, the psychology behind social engineering, how AI is powering spear phishing, and how to spot deepfakes. They’re quick, practical, and perfect for sharing with your colleagues, friends, or family. You can grab them directly from the Hoxhunt toolkit, and there are unbranded versions if you’d like to use them in your own awareness programmes.

Get the toolkit here - https://hoxhunt.com/cybersecurity-awareness-month-toolkit-2025

This week's stories...

Apple Calendar Invites Are Being Turned Into Phishing Scams

Watch the discussion - https://youtu.be/k4iTtfaLtaw?t=151

Attackers have found a way to abuse Apple’s own iCloud calendar system to send phishing emails that look like they’re coming straight from Apple. By creating and sharing malicious calendar invites, scammers can bypass many email security filters. The example we saw was a fake PayPal invoice for $600, complete with an “@email.apple.com” sender address. Because the messages ride on Apple’s trusted infrastructure, they carry an extra layer of legitimacy, and that makes them harder to spot.

Read more - https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-send-phishing-emails-from-apples-servers/
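
An added example, not from the newsletter or the linked report: because these messages arrive from an "@email.apple.com" address, the sender alone tells a filter nothing, so triage has to score the invite's own text. The lure patterns, the two-signal threshold and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

RELAY_DOMAIN = "email.apple.com"  # sender domain named in the story above
# Assumed lure patterns, modelled on the fake PayPal invoice; tune for your mail flow.
LURES = {
    "money_amount": re.compile(r"[$£€]\s?\d[\d,]*(?:\.\d{2})?"),
    "payment_language": re.compile(r"\b(invoice|billed|charged|payment|refund)\b", re.I),
    "third_party_brand": re.compile(r"\bpaypal\b", re.I),
}

# Constructed sample message (not a captured email); addresses are placeholders.
SAMPLE_EML = """\
From: Calendar <sender@email.apple.com>
To: user@example.org
Subject: Invitation: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Invoice
DESCRIPTION:Your PayPal account was billed $600.00. If this was not you,
  contact support to dispute the payment.
END:VEVENT
END:VCALENDAR
--b1--
"""

def invite_text(ics: str) -> str:
    """Unfold iCalendar continuation lines, then return SUMMARY and DESCRIPTION text."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)
    fields = re.findall(r"^(?:SUMMARY|DESCRIPTION)[^:\n]*:(.*)$", unfolded, re.M)
    return " ".join(f.strip() for f in fields)

def assess_invite(raw: str) -> dict:
    """Flag invites relayed from RELAY_DOMAIN whose event text carries payment lures."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    via_relay = sender.endswith("@" + RELAY_DOMAIN)
    parts = [p for p in msg.walk() if p.get_content_type() == "text/calendar"]
    text = " ".join(invite_text(p.get_content()) for p in parts)
    signals = [name for name, rx in LURES.items() if rx.search(text)]
    # Two or more distinct lure types is an assumed threshold, not a vendor rule.
    return {"via_relay": via_relay, "has_invite": bool(parts), "signals": signals,
            "suspicious": via_relay and bool(parts) and len(signals) >= 2}
```
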

∠The Awareness Angle

  • Trust can be exploited – Just because an invite or email comes from a big name like Apple doesn’t mean it’s safe.
  • Look closer before clicking – Unexpected calendar invites, especially those with links or payment requests, should raise red flags.
  • Report and delete – If something feels off, don’t interact. Remove it and let IT or your security team know.

Qantas cuts executive bonuses by 15% after a July data breach

Watch the discussion - https://youtu.be/k4iTtfaLtaw?t=362

Qantas suffered a cyber attack in July that exposed data from 5.7 million customers. The breach has been linked to the Scattered Spider group, who have targeted multiple airlines this year. In response, Qantas announced a 15% cut to executive bonuses, despite reporting $1.5 billion in profit. It’s a rare example of leadership being held financially accountable for a security failure, and a strong signal that cybersecurity is a board-level responsibility.

Read more - https://securityaffairs.com/181954/data-breach/qantas-cuts-executive-bonuses-by-15-after-a-july-data-breach.html

∠The Awareness Angle

  • Accountability matters – Security isn’t just IT’s problem, it’s a leadership responsibility.
  • Culture starts at the top – When executives take a hit, it shows the whole organisation that protecting data is everyone’s job.
  • Learn from mistakes – Breaches happen, but how leaders respond sets the tone for resilience and trust.

Nexar dashcam video database hacked

Watch the discussion - https://youtu.be/k4iTtfaLtaw?t=520

Hackers broke into Nexar’s cloud storage, exposing around 130 terabytes of dashcam footage and metadata. The data included video clips, GPS locations, and driving insights uploaded automatically from connected Nexar devices. Beyond the privacy risk, the footage could be misused for stalking or tracking routines. Nexar also monetises this data by selling access to blurred images and road insights to third parties, raising further questions about what users actually sign up for when they connect a “smart” dashcam.

Read more - https://www.malwarebytes.com/blog/news/2025/09/nexar-dashcam-video-database-hacked

∠The Awareness Angle

  • Your devices see more than you think – Dashcams don’t just record accidents, they capture where you go, who’s with you, even conversations.
  • Convenience vs. Risk – Smart features like 4G uploads sound useful, but they increase exposure if data isn’t properly secured.
  • Secure your data – Keep devices updated, use unique credentials, and think twice about what you allow to be stored in the cloud.

Attacker’s Blunder Gave Huntress a Rare Look Inside Their Operations

Watch the discussion - https://youtu.be/k4iTtfaLtaw?t=898

Researchers at Huntress stumbled across exposed command-and-control servers and got a rare glimpse into the daily workings of a cybercrime group. The access revealed playbooks, stolen data, even real-time chats between attackers. It was like peeking behind the curtain at how professional and organised these operations have become. The blog post reads more like a story than a technical brief, making it a fascinating read for anyone curious about the business-like side of cybercrime.

Read more - https://www.huntress.com/blog/rare-look-inside-attacker-operation

∠The Awareness Angle

  • Attackers are organised – Cybercrime runs like a business, complete with processes, tools, and collaboration.
  • Awareness is defence – Understanding how attackers think helps us prepare and spot their tricks earlier.
  • Every click counts – These campaigns still rely on someone letting them in, so cautious habits remain the strongest shield.

Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!

Awareness Awareness

CyberSecure Leeds

On 24 September, KnowBe4 are hosting CyberSecure Leeds 2025: When AI Strikes, Humans Defend as part of Leeds Digital Festival. Ant will be on a panel with Javad Malik, Jack Chapman, and James Dyer, discussing AI-driven threats, building resilience, and reducing phishing risk. If you’re in the north of England, it’s a great opportunity to join the conversation.

More information at https://leedsdigitalfestival.org/events/cybersecure-leeds-2025-when-ai-strikes-humans-defend/

HuFiCon agenda now live

SoSafe’s Human Firewall Conference takes place in Cologne this November and the agenda has just been published. Ant will be attending the two-day event, which focuses on human risk and security culture, and features some excellent speakers. If you’re heading out too, let him know, it’s always good to connect. If you are located in Europe, it should be pretty affordable!

More information at https://humanfirewallconference.com/

Watch the discussion - https://youtu.be/Qfwq2z7EyFs?t=1320

This Week's Discussion Points...

News

  • iCloud Calendar abused to send phishing emails from Apple’s servers
  • Qantas cuts executive bonuses by 15% after a July data breach
  • Nexar dashcam video database hacked
  • How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations
  • Plex suffers data breach, warns customers to change passwords

Extras

  • HuFiCon agenda now live
  • Reddit thread: Wildest breach stories you’ve been a part of
  • Framing security alerts beyond “true vs false positive”

Subscribe to the Newsletter - https://www.riskycreative.com

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week — a breach, a tool, or just something a bit weird — let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Phishing goes old school

Ozan from Keepnet shared a phishing letter he received through the post, not an email, but an actual printed letter promising millions of dollars if he helped “claim” an unclaimed fortune. It’s basically the Nigerian prince scam with a new twist, and a good reminder that social engineering isn’t limited to inboxes. Sometimes it arrives in an envelope.

Watch - https://youtu.be/k4iTtfaLtaw?t=1750

∠The Awareness Angle

  • Old tricks, new packaging – Scams don’t always arrive by email. Letters, phone calls, and texts can be just as dangerous.
  • Too good to be true – Promises of unexpected money are almost always a red flag, no matter how official the message looks.
  • Check before you trust – If something unexpected lands in your inbox or your letterbox, pause and question it before you respond.

Guest Spot: AI Experience Podcast

Ant recently joined Julien Redelsperger on the AI Experience podcast to talk about how AI is reshaping cybersecurity. From deepfake voices to flawless phishing emails, scams are getting harder to spot, and yet sometimes the best defence still comes down to analogue checks and trusting your instincts.

The episode is available on all major podcast platforms.