Mar 2, 2026
Vishing Attacks, QR Code Phishing, and Hidden App Tracking Explained

This week on The Awareness Angle, attackers ditch malware and pick up the phone. Optimizely confirms a breach after a vishing attack, proving again that the helpdesk is now the attack surface.

We’ve got fake QR codes stuck on real parking meters, Samsung’s weather app quietly fingerprinting devices, and the UK fining Reddit over children’s data.

Plus mental health apps with serious security flaws, a researcher accidentally taking control of 7,000 robot vacuums, and a brilliant example of using AI to build interactive awareness training in minutes.

The Awareness Angle makes more sense in full. Watch on YouTube, listen on Spotify, Apple Podcasts, or wherever you get your podcasts. If you prefer your cyber news with context, challenge and a bit of straight talking, this one’s worth your time.

🎧 Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube


Podcast · Risky Creative

This week's stories...

Optimizely confirms breach after vishing attack

Watch | Read

This wasn’t some cutting edge exploit. It was a phone call.

Attackers impersonated IT support, convinced staff to hand over SSO and MFA details, and got access to internal systems and CRM records. Optimizely says the attackers didn’t escalate privileges or deploy backdoors, but the real story is how they got in.

We keep talking about this. MFA isn’t failing. People are being redirected around it.

If someone sounds credible, creates urgency, and claims to be internal support, most people don’t switch into “threat actor” mode. They switch into “helpful colleague” mode and that’s the gap.

For awareness teams, this is a great reminder about verification scripts and call-back policies, and a chance to emphasise that support staff have permission to challenge authority.

The Awareness Angle

  • Authority Is a Shortcut – When someone claims to be internal IT, most people default to cooperation. Attackers know that.
  • MFA Can Be Socially Engineered – The control works, until someone convinces you to approve or share it.
  • Support Teams Need Different Training – Helpdesks and IT aren’t just defenders. They are targets. Treat them that way in your awareness strategy.

Fake QR codes stuck on real parking meters

Watch | Read

Cybercriminals placed fake QR stickers on 75 parking meters in Kelowna. Drivers scanned, landed on a convincing payment page, and almost handed over their details. No inbox. No malware. Just a sticker and a bit of time pressure.

When you’re paying for parking, you’re not thinking about threat modelling. You’re thinking about not getting a fine.

This is a brilliant story to use internally because it shows that QR code scams haven't gone away. They must still be paying off, or the cybercriminals wouldn't keep running them.

The takeaway is simple. Slow down. Check the URL. Use the official app or go to the web page instead of scanning whatever is in front of you.

The Awareness Angle

  • Context Changes Behaviour – People don’t apply the same caution in a car park as they do in their inbox.
  • Convenience Is the Bait – Quick pay shortcuts are designed to reduce friction. Attackers ride that same instinct.
  • Teach Verification, Not Fear – The behaviour to reinforce is simple. Check the URL. Use official apps. Slow down before entering details.
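The "check the URL" step can be turned into something concrete. Below is an added example, not code from the podcast or from any parking operator, that takes the URL decoded from a QR code and lists the red flags a practitioner would look for before entering card details: plain http, a link shortener, punycode lookalike characters, credentials smuggled in before an `@`, and a brand name buried inside someone else's domain. The allowlist of "official" hosts (`paybyphone.com`) and the shortener list are assumptions made for this example; a real deployment would use the operator's published domains.

```python
"""Red-flag checks on a URL decoded from a parking-meter QR code (added example)."""
from urllib.parse import urlsplit

# Assumed allowlist of official parking-payment hosts for this example only.
OFFICIAL_HOSTS = {"paybyphone.com", "www.paybyphone.com"}
# Common shorteners that hide the real destination (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain; no public-suffix list, fine for .com-style hosts."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_qr_url(url: str) -> list[str]:
    """Return the red flags found in a decoded QR URL; an empty list means none raised."""
    flags: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        flags.append(f"not https (scheme={parts.scheme or 'none'})")
    if not host:
        flags.append("no host in URL")
        return flags
    if host in SHORTENERS:
        flags.append("link shortener hides the real destination")
    if "xn--" in host:
        flags.append("punycode (IDN) host; possible lookalike characters")
    if parts.username or parts.password:
        # https://www.paybyphone.com@evil.example/ really goes to evil.example
        flags.append("credentials embedded before @ in URL; real host is " + host)
    if host not in OFFICIAL_HOSTS:
        flags.append(f"host {host} is not an official payment domain")
        # Brand name used as a subdomain or label of an unrelated domain.
        for official in OFFICIAL_HOSTS:
            brand = registrable_domain(official).split(".")[0]
            if brand in host and registrable_domain(host) != registrable_domain(official):
                flags.append(f"'{brand}' appears inside unrelated domain {registrable_domain(host)}")
                break
    return flags


if __name__ == "__main__":
    # Constructed sample URLs, not ones from the Kelowna case.
    for sample in (
        "https://www.paybyphone.com/pay?meter=1234",
        "http://bit.ly/park-now",
        "https://paybyphone.com.secure-pay.xyz/login",
        "https://www.paybyphone.com@evil.example/pay",
    ):
        print(sample, "->", check_qr_url(sample) or "no flags")
```

The check is deliberately heuristic: an empty flag list means "nothing obvious", not "safe", which is why the advice still ends with using the official app rather than scanning whatever is stuck to the meter.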

Mental health apps with millions of installs and hundreds of flaws

Watch | Read

Researchers found over 1,500 vulnerabilities across ten Android mental health apps, including AI therapy companions and CBT trackers. Collectively, they’ve been installed 14.7 million times.

People are using these apps at their lowest points. Logging thoughts. Sharing deeply personal struggles. And behind the scenes, insecure storage, weak session handling, and other issues are sitting there waiting to be abused.

This is not a “delete all apps” panic story. It’s a reminder that popularity isn’t the same as security. Nor is it about laying blame at the developers’ door. Maybe, with all of the AI coding tools available, it has simply become too easy to build something that isn’t secure.

If you’re in awareness, this opens up a bigger conversation with some important things to check: app permissions, update frequency, who built the thing, and when it was last maintained.

The Awareness Angle

  • Sensitivity Should Raise Standards – The more personal the data, the higher the security bar should be.
  • Install Numbers Mean Nothing – Millions of downloads create false confidence.
  • Awareness Goes Beyond Email – App hygiene, updates, permissions and developer credibility are part of modern security literacy.

This Week's Discussion Points...

Ad Tech Firm Optimizely Confirms Data Breach After Vishing Attack Watch | Read

Fraudulent QR Codes Found on 75 Kelowna Parking Meters Watch | Read

Your Samsung Weather App Is a Fingerprint Watch | Read

UK Fines Reddit £14.47M for Using Children’s Data Unlawfully Watch | Read

Android Mental Health Apps With 14.7M Installs Found With Security Flaws Watch | Read

Instagram to Alert Parents if Teens Search for Self-Harm and Suicide Content Watch | Read

Security Flaw Allows Man to Accidentally Gain Control of 7,000 Robot Vacuums Watch | Read

Building Interactive Security Training With Gemini Watch

We Invented the Dacia Sandman and the Internet Fell for It Watch | Read

ClickFix Pop-Ups in the Wild Watch | Read

Samsung Privacy Display Feature Watch

Protect Yourself From This Latest Ahrefs Phishing Attack Watch

And finally...Building Interactive Security Training With Gemini

Watch

Luke shows how he used Google Gemini to build an interactive security awareness module in minutes.

With a simple prompt, Gemini generated a ClickFix training page in HTML, complete with explanations, red flags, and a knowledge check. He then refined the look and even built a retro-style phishing game with multiple levels and feedback.

No specialist tools. No complex setup. Just prompts and iteration.

The big takeaway is this. The barrier to creating engaging, customised awareness content is lower than ever. You still need to sense check, validate, and tidy things up, but as a rapid prototyping tool, it is seriously powerful.
