This week on The Awareness Angle, we cover a ransomware attack at Ingram Micro that disrupted a major part of the global IT supply chain, alongside a breach at Grubhub where customer, driver, and merchant data was accessed through a third party support system. We also look at a data breach at the Minnesota Department of Human Services affecting nearly 304,000 people, and a UK secondary school forced to close after a cyber attack knocked critical systems offline.
In the news, Microsoft issued emergency out of band Windows updates after Patch Tuesday caused shutdown and Cloud PC issues, while researchers uncovered malicious browser extensions designed to crash browsers and push fake fixes. We also discuss reports of criminals selling ready made voice phishing kits, a new EU vulnerability database launched as an alternative to CVE, and a phishing campaign targeting LastPass users with fake security alerts.
We round out the episode with policy and platform updates, including the UK government consulting on banning social media for under 16s, and TikTok finalising a deal to split its US operations into a new joint venture.
The Awareness Angle is best served in full. Watch on YouTube, or listen on Spotify or your favourite podcast platform to get the complete discussion and context.
Watch or listen to the episode today - YouTube | Spotify | Apple Podcasts
Visit riskycreative.com for past episodes, our blog, and our merch.
Support the show with all new Awareness Angle merch. Stickers, notebooks, mugs, and bits that quietly say you care about people, not just passwords.
Just some of the stuff you can buy!
This week's stories...
Voice phishing kits sold as a service
Cybercriminals are now selling ready made voice phishing kits that let almost anyone run convincing phone scams. These kits bundle scripts, call flows, dashboards, and in some cases AI generated voices that sound like banks or internal IT teams. This is not someone freelancing a scam call. This is packaged, repeatable, and designed to scale.
The kits guide attackers through the entire interaction. Who to call. What to say. When to apply pressure. Victims are coached into handing over credentials, one time passcodes, or approving actions that lead to account access. It is phishing, just delivered over the phone instead of email.
The problem is that phone calls still get a free pass. Many organisations have trained people to be cautious with links and emails, but far fewer have clear rules for handling unexpected calls. Attackers are leaning into that gap hard.
This is social engineering getting easier and more normal. And it is aimed squarely at busy humans.
The Awareness Angle
- Vishing is now off the shelf – Anyone can buy the tooling
- Calls still bypass suspicion – The channel carries trust
- Call back breaks the scam – Verification beats confidence
CrashFix browser attacks push fake fixes
CrashFix is a browser based attack where a malicious extension deliberately crashes the browser, then tells the user they need to install a fix. That fix is malware. Nothing is broken. The crash is the whole point.
After the browser fails, users are shown clear, step by step instructions telling them what to do next. Run this. Install that. It works because this is exactly how people normally deal with software problems. Get it working and carry on.
This is not a clever technical exploit. It is frustration as a delivery mechanism. When something breaks, people stop thinking about risk and start thinking about recovery. CrashFix is designed to catch people in that moment.
The Awareness Angle
- The crash is intentional – Failure is the lure
- Fixing mode bypasses caution – Urgency beats scepticism
- Running commands is a red flag – Pause before you act
Watch | Read
UK secondary school forced to close after cyber attack
A secondary school in England was forced to close after a cyber attack took out its IT systems. There was no big data breach story and no suggestion that grades were tampered with. The school closed because it could not function safely without its systems.
Too much failed at once. Attendance, communications, access control, and safety related systems were all affected. That only happens when everything is tied together. Systems that should be dull, isolated, and resilient were clearly part of the same environment, so when one thing went down, everything followed.
This is what happens when convenience drives design. Things get connected because it is easier, cheaper, or sold as “modern”, not because it makes sense. Then something breaks, and suddenly the impact is far bigger than anyone expected.
The Awareness Angle
- Not everything should be connected – Convenience quietly increases risk
- Availability is a safety issue – Offline systems force closure
- Design decisions matter – Architecture shapes impact
This week's discussion points...
Ingram Micro ransomware attack knocks global IT supply chain offline – Watch | Read
Grubhub breach exposes customer, driver, and merchant data via third party support system – Watch | Read
Minnesota Department of Human Services breach exposes demographic records of nearly 304,000 people – Watch | Read
UK secondary school forced to close after cyber attack disrupts systems – Watch | Read
Microsoft releases emergency Windows updates after Cloud PCs fail to shut down properly – Watch | Read
Criminals are now selling ready made voice phishing kits – Watch | Read
Malicious Chrome extension crashes browsers to push fake “fix” in ClickFix variant – Watch | Read
EU launches new vulnerability database as alternative to CVE – Watch | Read
Phishing campaign targets LastPass users with fake security alerts – Watch | Read
Government consults on banning social media for under-16s in the UK – Watch | Read
TikTok seals deal to split US app into new joint venture, keeps platform running in America – Watch | Read
AI snowstorm videos show the current state of the internet – Watch
Five ways to spot AI generated accounts on social media – Watch
And finally... Action Fraud becomes “Report Fraud”, but the experience still breaks trust
Ant and Luke discuss Report Fraud's account issues
The UK’s fraud reporting service has been rebranded from Action Fraud to Report Fraud. The new name is clearer and does exactly what it says. The problem is what happens next.
When users try to sign in or create an account, they are redirected to a completely different domain to complete the process. For some people, antivirus tools flag that page as suspicious or phishing. That puts users in an impossible position. They are doing the right thing by reporting fraud, and the experience immediately tells them not to trust it.
This is how trust gets damaged. Not by attackers, but by confusing design. People are told to be cautious about links and domains, then asked to ignore their own instincts when it really matters. Many will simply abandon the report.
If we want people to report scams and cybercrime, the process has to feel safe and consistent all the way through.
The Awareness Angle
- Trust is fragile – Mixed signals stop people acting
- Design shapes behaviour – Confusion leads to drop off
- Security advice must align – We cannot teach one thing and do another
Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.
Ant Davis and Luke Pettigrew write this newsletter and podcast.
The Awareness Angle Podcast and Newsletter is a Risky Creative production.
All views and opinions are our own and do not reflect those of our employers.