Mar 16, 2026
Your Antivirus Won't Catch This, SMS Blasters Are Real and a USB Full of America's Secrets

This week, the threats got personal. A fake Google Meet update that hands attackers the keys to your PC. An SMS that pinged Luke's phone at a hospital and turned out to be a live scammer on the end of the line. A banking glitch that let strangers see your salary, your benefits, and your child payments. And a former government insider who allegedly walked out with the personal data of almost every living American on a thumb drive.

Oh, and if you've got an old iPhone? Stop reading this and go update it first.

The full episode is an hour well spent. Watch on YouTube, listen on Spotify, Apple Podcasts, or wherever you get your podcasts. Ant and Luke don't do death by PowerPoint, just straight talking cyber news for people who actually care about the human side of security.

This week's episode is available to watch on YouTube

Watch or listen to the episode today - YouTube | Spotify | Apple Podcasts

Visit riskycreative.com for past episodes, our blog, and our merch.

SANS is off to Vegas Baby!

If you work in security awareness and you've got something worth saying, this is the room to say it in.

The SANS Workforce Security & Risk Training Security Awareness and Culture Summit Call for Presentations is open right now, and the deadline is Friday 3rd April at 5pm ET. The summit itself runs on the 27th and 28th of August in Las Vegas at Caesars Palace, and it is the biggest gathering of security awareness, behaviour and culture professionals on the planet. 13th year running.

The summit is looking for talks, research and case studies that focus on shifting not just behaviour, but attitudes and beliefs around cybersecurity. If you've got something that's worked in your organisation, something you've learned the hard way, or a genuinely new idea worth sharing with thousands of your peers, they want to hear from you.

And if you've never presented at a conference before, this is a brilliant place to start. Mentoring is available for first time speakers, so you won't be thrown in at the deep end on your own.

If Vegas isn't on the cards, that's not a reason to miss out either. You can present remotely, so there's really no barrier to getting involved.

The deadline is the 3rd of April. Two weeks. Get your submission in.

Submit your proposal here. Get more information on the summit here.

This Week's Stories...

One click on a fake Google Meet update hands attackers the keys to your PC

Watch | Read

A phishing page disguised as a Google Meet update notice is being used to silently enroll victims' Windows PCs into an attacker-controlled device management system. No malware, no stolen passwords, just a single click.

The page mimics a genuine Google Meet update prompt, but clicking the button triggers a built-in Windows feature called MS Device Enrollment, the same legitimate tool your IT department would use to manage a company device. A victim who clicks through hands full remote control of their machine to the attacker, who can then silently install software, change settings, read files, or wipe the device entirely. Because the attack works entirely through the operating system, traditional antivirus tools have nothing to flag. There is no malicious file. No suspicious download. Nothing to scan for.

The best defence here is a human one. Why is Google Meet asking me to update through a webpage? Is this normal? Those two questions, asked out loud, stop this attack dead.

Awareness Angles

  • Your antivirus will not save you here - This attack uses a genuine Windows feature to hand over control of your machine. If your only defence is a security tool, you have a gap that only a questioning mindset can fill.
  • Knowing what normal looks like matters - Google Meet does not push updates through a webpage like this. Neither do most legitimate apps. If something prompts you to do something you have never seen before, that instinct to pause is worth listening to.
  • If you think you might have clicked it - Go to Settings, Accounts, Access Work or School. If you see anything you do not recognise, especially anything referencing sunlife-finance[.]com or esper[.]cloud, disconnect it immediately.
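For IT teams who want to run the same check across a fleet rather than by hand, here is an added audit script (not from the article or the researchers it cites). It assumes enrollments live under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> with a DiscoveryServiceFullURL value naming the MDM server, compares each server against an allowlist you supply, and flags the two de-fanged domains quoted above; the three records and the allowlist are constructed for the example.

```python
import sys
from urllib.parse import urlparse

# Three constructed enrollment records in the shape this script reads from
# HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> (value names assumed; verify on your own hosts).
SAMPLE_ENROLLMENTS = [
    {"guid": "{corp-0001}", "DiscoveryServiceFullURL": "https://mdm.corp.example/EnrollmentServer/Discovery.svc", "UPN": "alice@corp.example"},
    {"guid": "{rogue-0002}", "DiscoveryServiceFullURL": "https://enroll.esper.cloud/EnrollmentServer/Discovery.svc", "UPN": "victim@gmail.com"},
    {"guid": "{local-0003}", "DiscoveryServiceFullURL": "", "UPN": ""},
]
ALLOWED_MDM_DOMAINS = {"mdm.corp.example"}                  # assumed: your organisation's own MDM server(s)
KNOWN_BAD_DOMAINS = {"sunlife-finance.com", "esper.cloud"}  # indicators quoted (de-fanged) in the story above

def domain_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_enrollments(records, allowed=ALLOWED_MDM_DOMAINS, known_bad=KNOWN_BAD_DOMAINS):
    """Return (guid, verdict, host) for each enrollment whose MDM server is not allowlisted."""
    findings = []
    for r in records:
        host = (urlparse(r.get("DiscoveryServiceFullURL", "")).hostname or "").lower()
        if not host or domain_matches(host, allowed):
            continue  # no MDM server recorded (local/bookkeeping subkey), or one we expect
        verdict = "KNOWN_BAD" if domain_matches(host, known_bad) else "UNEXPECTED"
        findings.append((r["guid"], verdict, host))
    return findings

def read_enrollments_from_registry():
    """Windows only: enumerate the Enrollments key; each subkey is one enrollment."""
    import winreg
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Enrollments") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            rec = {"guid": guid}
            with winreg.OpenKey(root, guid) as key:
                for name in ("DiscoveryServiceFullURL", "UPN"):
                    try:
                        rec[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        rec[name] = ""  # value absent on some enrollment types and bookkeeping subkeys
            out.append(rec)
    return out

if __name__ == "__main__":
    records = read_enrollments_from_registry() if sys.platform == "win32" else SAMPLE_ENROLLMENTS
    for guid, verdict, host in audit_enrollments(records):
        print(f"{verdict:10} {host:40} {guid}")
```

Anything reported as UNEXPECTED deserves a look before it is removed, since a legitimate MDM you forgot to allowlist will show up the same way.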



The SMS that pinged Luke's phone at a hospital turned out to be a live scammer on the other end of the line

Watch | Read

SMS blasters are portable rogue devices that mimic legitimate mobile towers, force nearby phones to downgrade to 2G, and deliver phishing text messages that bypass your carrier's spam filters entirely. They sound like something out of a spy thriller, but three people were convicted of using one on the London Underground just a few weeks ago.

This week it got personal. Luke received a suspicious SMS at a local hospital, labelled as being from Google, complete with a verification code he never requested and a support number to call if he didn't recognise the activity. Ant called the number, and the recording is in this week's episode. It wasn't a call centre in Asia with background noise and a script. It sounded like one person in a bedroom, running the whole operation solo, building trust quickly without ever asking for account details, steering the conversation toward a password reset that would have handed over full account access if a real email address had been given. The whole attack is engineered around panic. Someone sees an unexpected verification code, worries their account has been compromised, calls the number in the message, reads out the recovery code that lands on their phone moments later, and it is over before they realise what happened.

Awareness Angles

  • A text that appears to be from a legitimate sender is not proof that it is - SMS blasters spoof sender names, bypass carrier filters, and can drop a message into an existing thread with real previous messages from that contact. The name at the top means nothing.
  • The script relies on you being worried - The call is designed to feel urgent and helpful at the same time. If you receive an unexpected verification code and feel the urge to call a number in the message, stop. Find the real support number from the official website and call that instead.
  • Android users can disable 2G right now - Go to Settings, Network, and look for the option to avoid 2G networks. It is usually switched off by default. Turning it on removes the mechanism these devices exploit entirely.



A whistleblower says a former government staffer walked out of the Social Security Administration with the personal data of almost every living American on a thumb drive

Watch | Read

The Social Security Administration's inspector general is investigating a whistleblower complaint alleging that a former DOGE software engineer left his role and took two tightly restricted government databases with him, with at least one stored on a personal thumb drive. One of those databases, NUMIDENT, contains Social Security numbers, dates of birth and parents' names for virtually every living American. He also allegedly claimed to have retained what he described as "god-level" access to SSA systems after leaving. The SSA and the former employee's lawyer have both denied wrongdoing, but investigations are open.

No firewall stops someone walking out of the door with a thumb drive. If the allegations are true, the failure here wasn't technical at all. It was human, procedural and organisational, and the lessons apply just as much to a small business as they do to a government agency.

Awareness Angles

  • Revoking access when someone leaves is a critical security control, not an admin task - When did you last audit who still has access to systems they no longer need?
  • Insider threats are harder to detect and harder to talk about than external attacks - but they are just as real and no security tool will catch them if the right processes aren't in place.
  • The ability to plug a personal device into a government machine should never have been possible - USB port restrictions are unglamorous, but this is exactly why they exist.



Starbucks disclosed a data breach this week affecting nearly 900 employees after attackers created fake login pages to steal their credentials

Watch | Read

Attackers gained access to Partner Central, Starbucks' internal HR platform, by building convincing imitations of the login page and harvesting employee credentials. Once in, they had access to names, Social Security numbers, dates of birth and financial account and routing numbers. The breach ran for 23 days before it was fully resolved, with Starbucks discovering the intrusion on the 6th of February but not fully removing the attackers until the 11th, leaving a five day window where they knew someone was in but couldn't get them out. Affected employees are being offered two years of free identity theft protection through Experian.

The reason this one is worth highlighting isn't the scale, it's the method. Fake login page, stolen credentials, walk straight in through the front door. It's one of the oldest tricks going and it still works, including against large, well-resourced organisations with dedicated security teams.

Awareness Angles

  • This attack didn't exploit a technical vulnerability, it exploited a human one - A convincing fake login page is often all it takes. Knowing what the real login page looks like and being suspicious of anything that asks for your credentials is a habit worth building.
  • Financial account and routing numbers are a different category of risk - Unlike an email address or even a password, these create a direct route to fraud. If you've been notified of this breach, contact your bank directly rather than just monitoring.
  • Third party platforms expand your attack surface whether you like it or not - Payroll, HR, pensions, training. Every platform your organisation uses is another login screen that can be faked. MFA on all of them isn't optional anymore.


Phish Of The Week

A legitimate Google email was used to deliver a phishing message, and the trick was hidden in plain sight

It's clever but we do wonder how successful this will be

This one is genuinely clever. The attacker submitted a Google account recovery request, but instead of using a normal email address, they put the entire phishing message into the email address field. It looked something like this: unauthorized_order_of_bitcoin_965usd_on_gpay_if_not_you_call_08XXXXXXXXX@domain[.]com. Because it's formatted like an email address, it passed Google's form validation. Because it came from Google's own systems, it landed in inboxes looking completely legitimate.

The goal is to panic the recipient into calling the number, at which point the scam moves off email entirely and onto a phone call where the real manipulation happens. We've seen this pattern before with PayPal, and it's becoming a recurring technique. Get the victim to make contact on a different platform where there are no spam filters, no warnings and no safety net.

Awareness Angles

  • A legitimate sender does not mean a legitimate message - This email came from Google. The domain was real, the formatting was real, and it would pass most technical checks. The content is the only thing that gave it away.
  • When something tries to move you to a phone call, that's a red flag - Email, text, fake notification. The platform doesn't matter. If the end goal is getting you on a phone call to a number you didn't go looking for yourself, pause.
  • Panic is the whole mechanism - Unauthorised Bitcoin purchase, urgent action required, call now. Every word is designed to stop you thinking clearly. Slowing down for ten seconds is genuinely a security control.
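Because the message arrives from Google's own systems, the only thing left to inspect is the "address" itself. The scoring function below is an added example (not code from the article or from Hoxhunt) of a mail-filter rule that treats a local part as suspicious when it reads like a sentence: lure vocabulary, a long run of digits where a phone number would be, and far more words and characters than a mailbox name needs. The sample addresses, the term list and the thresholds are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the lure above: the "email address" on a
# Google recovery notice carrying the whole message plus a number to call.
SAMPLE_ADDRESSES = [
    "unauthorized_order_of_bitcoin_965usd_on_gpay_if_not_you_call_0800000000@example.com",
    "jane.doe@example.com",
    "first.last+recovery@example.org",
    "your_account_is_suspended_call_now_01234567890@example.net",
]
# Lure vocabulary and thresholds are assumptions for this example; tune them on your own mail.
URGENCY_TERMS = {"unauthorized", "unauthorised", "suspended", "urgent", "verify", "call", "order"}
PHONE_RE = re.compile(r"\d{8,}")   # 8+ consecutive digits: a phone number, not a mailbox name
LOCAL_PART_MAX = 32                # ordinary local parts are far shorter than a sentence

@dataclass
class Verdict:
    address: str
    score: int = 0
    reasons: list = field(default_factory=list)

def score_local_part(address: str) -> Verdict:
    """Score the part before '@' for signs it is a message rather than a mailbox name."""
    local = address.rpartition("@")[0].lower()
    v = Verdict(address)
    words = [w for w in re.split(r"[._+\-]", local) if w]
    hits = sorted({w for w in words if w in URGENCY_TERMS})
    if hits:
        v.score += 2 * len(hits)
        v.reasons.append(f"urgency terms {hits}")
    if PHONE_RE.search(local):
        v.score += 3
        v.reasons.append("phone-number-like digit run")
    if len(local) > LOCAL_PART_MAX:
        v.score += 1
        v.reasons.append(f"local part is {len(local)} chars")
    if len(words) >= 6:
        v.score += 1
        v.reasons.append(f"{len(words)} words separated by . _ + -")
    return v

def is_lure_address(address: str, threshold: int = 4) -> bool:
    return score_local_part(address).score >= threshold

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        v = score_local_part(addr)
        print(f"{'LURE' if v.score >= 4 else 'ok':4} score={v.score:2} {addr}  [{'; '.join(v.reasons)}]")
```

A single digit run alone does not cross the threshold, so addresses such as order-number style mailboxes are not flagged on their own; it is the combination with lure wording that scores.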


Thank you to the Hoxhunt Threat Intelligence team for sharing this with us!

This Week's Talking Points...

Starbucks discloses data breach affecting hundreds of employees Watch | Read

Iran-linked hackers wipe data across 200,000 Stryker devices Watch | Read

Lloyds, Halifax and Bank of Scotland apps exposed strangers' transactions Watch | Read

One click on this fake Google Meet update can give attackers control of your PC Watch | Read

Google Messages may soon get built-in protection against SMS blasters Watch | Read

A whistleblower says a former DOGE staffer walked out of the SSA with Americans' data on a thumb drive Watch | Read

Apple rushes out patches for older iPhones and iPads against the Coruna exploit kit Watch | Read

Topics: ClickFix evolves with a new variant that bypasses Microsoft Defender Watch | Read

Topics: Darren Jones MP accidentally shares his passcode on camera Watch | Watch on Instagram

Topics: Tricking an AI scam caller Watch | Watch on Instagram

Topics: Apple MacBook Neo Touch ID ad Watch | Watch on TikTok

And Finally...

The scam caller that got asked for a Bolognese recipe


Watch

Someone received one of those relentless car finance cold calls this week and decided to have a bit of fun with it. From the start it became pretty clear the caller wasn't human, so they started pushing it. Ask it an off-script question, see what happens. Eventually they got it to recite a full Bolognese recipe mid sales pitch, complete with the markdown formatting still intact, hashtags and all, read out loud in a completely earnest robotic voice.

It is funny, and it is worth sharing with people in your life who might not realise how convincing these AI calling systems have become. Because the flip side of that video is that plenty of people who received the same call had no idea they were talking to a machine. If you ask it whether it is human, it says yes. It gives a name. It says it is from Manchester. And that is enough to keep a lot of people on the line.

Show this to someone who needs to hear it. It is a lot easier to hang up on a robot when you know it is a robot.
