A polite caller from your bank says there is a problem with your account. Don’t worry – they’ll send someone round to help. They’ll even take your cards away to keep them safe. The scam has run rampant, until Dutch police plastered blurred photos of 100 suspects across billboards, supermarkets, and TikTok, with a two-week ultimatum to turn themselves in… or else.
Meanwhile, a security researcher called Bob DaHacker got her hands on the live broadcast controls for every match of the 2026 FIFA World Cup. She could have Rickrolled the entire planet, but actually spent days trying to find anyone at FIFA who would pick up the phone.
Plus! Don’t miss our featured interview with Black Kite’s Jeffrey Wheatman explores ransomware and extortion attacks across Europe.
All this and more in episode 473 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Danny Palmer.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Did she think of sending a Truth Social message to the winner of the inaugural FIFA Peace Prize?
Because he's normally online, and I believe he probably has the mobile phone number of the FIFA president.
Smashing Security, Episode 473: How a Hacker Could Have Rickrolled the Entire World. World Cup with Graham Cluley and special guest Danny Palmer.
Hello, hello, and welcome to Smashing Security episode 473. My name's Graham Cluley.
Because he's normally online, and I believe he probably has the mobile phone number of the FIFA president.
Smashing Security, Episode 473: How a Hacker Could Have Rickrolled the Entire World. World Cup with Graham Cluley and special guest Danny Palmer.
Hello, hello, and welcome to Smashing Security episode 473. My name's Graham Cluley.
And I'm Danny Palmer.
Danny, great to have you on the show again. As regular listeners know, you are a cybersecurity journalist. Busy month, isn't it?
I mean, there's lots of events going on and things like that. You must be going from event to event, writing story after story.
I mean, there's lots of events going on and things like that. You must be going from event to event, writing story after story.
It has been busy, of course, as you well know as well. It was Infosecurity Europe this month and you were on stage hosting. I saw you on the stage. I didn't get to see you in person.
I did see you in person at one point, actually. Did you? But—
I did see you in person at one point, actually. Did you? But—
You should have given me a wave.
Well, this is from behind and you turned into the toilets. So I thought you wouldn't want a tap on the shoulder at that point.
But no, I could have sprinted up, but I doubt it would have been welcomed. But no, it was a good show. It's one of the biggest cybersecurity events in, well, Europe.
But this time I was working at Infosecurity Magazine. So I was covering it from that side. So it was very, very hands-on.
Lots of people seem to enjoy the talks, good feedback from sessions. People like you, obviously, there's always nice things said about you and feedback from the events.
But no, I could have sprinted up, but I doubt it would have been welcomed. But no, it was a good show. It's one of the biggest cybersecurity events in, well, Europe.
But this time I was working at Infosecurity Magazine. So I was covering it from that side. So it was very, very hands-on.
Lots of people seem to enjoy the talks, good feedback from sessions. People like you, obviously, there's always nice things said about you and feedback from the events.
Oh, thank you.
So that's good. But yeah, it was grand.
Well, before we kick off, let's thank this week's wonderful sponsors, Black Kite, ProtonPass, and Vanta. We'll be hearing more about them later on in the podcast.
This week on Smashing Security.
We won't be talking about how Brazil suspended its mobile phone emergency alert system after a hacker sent false warnings to phones across the country.
You'll hear no discussion of how tech site Gizmodo has been caught hitting readers with click-fix malware prompts.
And we won't even mention how two men have pled guilty to the £39 million cyberattack on Transport for London, which impacted 10 million commuters.
So Danny, what are you going to be talking about this week?
This week on Smashing Security.
We won't be talking about how Brazil suspended its mobile phone emergency alert system after a hacker sent false warnings to phones across the country.
You'll hear no discussion of how tech site Gizmodo has been caught hitting readers with click-fix malware prompts.
And we won't even mention how two men have pled guilty to the £39 million cyberattack on Transport for London, which impacted 10 million commuters.
So Danny, what are you going to be talking about this week?
I'm going to be talking about a security issue at FIFA which could have got everyone rickrolled.
And I'm going to be talking about a devastating Dutch fraud epidemic that has forced police into a bold response involving motorway billboards.
Plus, don't miss our featured interview with Jeffrey Wheatman, where we'll be looking at Black Kite's report into ransomware and extortion attacks across Europe.
All this and much more coming up on this episode of Smashing Security.
Plus, don't miss our featured interview with Jeffrey Wheatman, where we'll be looking at Black Kite's report into ransomware and extortion attacks across Europe.
All this and much more coming up on this episode of Smashing Security.
Graham, what's this about a new report from one of our sponsors?
Yes, Black Kite have just put out their first ever European Cyber Risk Report.
And oh my goodness, they've been looking into ransomware attacks across Europe for the last year and a half or so.
And oh my goodness, they've been looking into ransomware attacks across Europe for the last year and a half or so.
And let me guess, everything is fine and we have nothing to worry about?
Well, ransomware is up 55% year on year in the first 4 months of 2026 alone.
So, not fine.
No, Joe, not fine at all. Nearly 70% of all European ransomware activity is concentrated in just 5 countries.
And this report from Black Kite breaks down exactly where the attacks are hitting hardest and which hacking groups are responsible.
And this report from Black Kite breaks down exactly where the attacks are hitting hardest and which hacking groups are responsible.
So is there anything in there beyond the headline numbers?
The bit that really struck me is what they found about third-party risks. A lot of companies aren't being attacked directly.
Instead, they're being caught in the blast radius of an attack on one of their suppliers.
Instead, they're being caught in the blast radius of an attack on one of their suppliers.
Right. You're only as secure as the weakest link in your supply chain.
And the report has some real-world examples that illustrate this perfectly.
For instance, there's a Swedish company, it has an unpronounceable name, they got hit and that ended up causing huge problems at hundreds of organisations, exposing the data of over a million people.
For instance, there's a Swedish company, it has an unpronounceable name, they got hit and that ended up causing huge problems at hundreds of organisations, exposing the data of over a million people.
All from one incident.
All from one incident. And the report also covers how regulations like NIS2 and DORA are forcing European businesses to get much more serious about all of this.
Sounds like essential reading, frankly.
It is, and it's free. Get the full report at blackkite.com/smashing.
That's Black Kite, B-L-A-C-K-I-T-E.com/smashing. And thanks to Black Kite for supporting the show.
Now, Danny, imagine you're at home. It's maybe a Tuesday afternoon, nothing unusual going on, and your phone rings and it's your bank.
Well, it's someone claiming to be from your bank.
Well, it's someone claiming to be from your bank.
I see.
And they're very polite, very professional, and they say, Danny, I'm afraid there's been some suspicious activity on your account.
And they say, there's nothing to worry about, Danny. We don't want you worrying, Danny.
And they say, there's nothing to worry about, Danny. We don't want you worrying, Danny.
Well, that's reassuring.
Well, it's not that reassuring, is it? Whenever a company says, now, we don't want you to panic, but—
Panic.
They just want you to verify a few details. Now, your spider sense as a cybersecurity expert is tingling at this point.
You think, oh, hang on, they're going to ask me for a password or they're going to ask me for something like that. They don't do anything like that.
What they do is they say, look, we think you could be having some problems with your account. We think maybe you're having some problems on your computer.
There's lots of hackers about. Tell you what we're going to do, we're going to send someone round to help you.
Now, you might be a little bit suspicious about that, knowing the evil corporations which are financial institutions and the likelihood that they would ever send anyone round.
You think, oh, hang on, they're going to ask me for a password or they're going to ask me for something like that. They don't do anything like that.
What they do is they say, look, we think you could be having some problems with your account. We think maybe you're having some problems on your computer.
There's lots of hackers about. Tell you what we're going to do, we're going to send someone round to help you.
Now, you might be a little bit suspicious about that, knowing the evil corporations which are financial institutions and the likelihood that they would ever send anyone round.
They only send someone round when they want something from you.
Right, right. But if you were, for instance, a little bit vulnerable or elderly or weren't too tech savvy, you might say, oh, would you do that? Would you come around?
Because I just can't work out what I have to do here. Maybe you would be a little less suspicious.
And because they've been polite, maybe you've been born in a different age where you're more trusting of people. I don't think you, Danny, would say, sure, come on round, would you?
Because I just can't work out what I have to do here. Maybe you would be a little less suspicious.
And because they've been polite, maybe you've been born in a different age where you're more trusting of people. I don't think you, Danny, would say, sure, come on round, would you?
No, no.
It's one of those things where I've not had this particular thing happen to me, but a few years ago, I had an alert from my bank saying my bank card had been used elsewhere in the world.
It's one of those things where I've not had this particular thing happen to me, but a few years ago, I had an alert from my bank saying my bank card had been used elsewhere in the world.
Right.
What I did then was I called my actual bank and did it that way.
Yes. Well, anyway, this particular scam, which has been called bank help desk fraud, has been running rampant across the Netherlands.
And the Netherlands, you just think it's a land of bicycles and Edam cheese and just ostentatiously tall people.
And the Netherlands, you just think it's a land of bicycles and Edam cheese and just ostentatiously tall people.
Yes.
It turns out it's also the home of help desk fraud as well.
Well, it's a tech-savvy country, lots of startups there.
That's very true. And there certainly have been over the years many servers which have been run by the criminals. They've often been hosted in the Netherlands as well.
That is true, yeah.
Anyway, criminals apparently are calling victims pretending to be bank employees with all sorts of COVID stories.
So they say, "We've detected unusual transactions," a bit like that call which you received, or "We need to increase your overdraft limit," or "We're trying to protect your account from some kind of problem." Whatever the script is saying, there's always some urgency.
There's some authority in the voice which they're using. And because, you know, this is mainland Europe we're talking about, so they're still fairly civilised compared to us Brits.
So they say, "We've detected unusual transactions," a bit like that call which you received, or "We need to increase your overdraft limit," or "We're trying to protect your account from some kind of problem." Whatever the script is saying, there's always some urgency.
There's some authority in the voice which they're using. And because, you know, this is mainland Europe we're talking about, so they're still fairly civilised compared to us Brits.
Us all being painted on woad on our island here.
They will go so far as to offer hands-on help.
"If you're unsure what to do." So they're actually sending people to the victims' doors to collect their bank cards, their cash, whatever they can get.
"If you're unsure what to do." So they're actually sending people to the victims' doors to collect their bank cards, their cash, whatever they can get.
I suppose the Netherlands isn't a huge country. You can quite drive across it in a few hours.
I suppose so.
Yeah.
I bet the public transport's fantastic. Just this week, Dutch police raided an Amsterdam house.
They found 6 people aged between 15 years old and 30, running a makeshift call centre, basically from someone's living room.
They were caught mid-call with a potential victim on the line when the police walked in.
And this is apparently something which is happening a great deal and it's causing all sorts of problems.
Now, there is a companion scam to this one where they send around the bank employee saying, "Oh, you know, we're worried about your money or whatever, so we'll come round, take your money." And put it somewhere safe for you because you can't look at it.
They found 6 people aged between 15 years old and 30, running a makeshift call centre, basically from someone's living room.
They were caught mid-call with a potential victim on the line when the police walked in.
And this is apparently something which is happening a great deal and it's causing all sorts of problems.
Now, there is a companion scam to this one where they send around the bank employee saying, "Oh, you know, we're worried about your money or whatever, so we'll come round, take your money." And put it somewhere safe for you because you can't look at it.
Yeah, we'll take that money from under your bed and store it in a safety deposit box that you don't know where it is.
I mean, we're laughing, but if you are a nonagenarian — and I'm not saying all people who are elderly aren't tech savvy, because obviously some of them are very, very tech savvy — but if you are someone who's maybe a little bit more trusting, a little bit more vulnerable, you might well fall for that kind of thing.
You know, it's people often towards the end of their lives who have a lot of assets. Which makes some rich pickings.
You know, it's people often towards the end of their lives who have a lot of assets. Which makes some rich pickings.
Plus, it's difficult to be assertive when you've got someone who says they're an expert on the other end of the line.
Right.
Well, it's social engineering, isn't it? I suppose while you could go on the phone, "Okay, I'm not doing that," if there's someone at your door asking something, it's harder.
Yes.
So there is a companion scam running alongside this one. And it's perhaps even more brazen. It is called fake police officer fraud.
They've been thoughtful of these names, haven't they?
They have. It's a good name, but it requires a different fancy dress costume.
So rather than dressing up like someone who works at the bank, you know, with a bowler hat and an umbrella and that pinstripe suit, you turn up dressed as a policeman. Now—
So rather than dressing up like someone who works at the bank, you know, with a bowler hat and an umbrella and that pinstripe suit, you turn up dressed as a policeman. Now—
Like some sort of criminal Mr. Ben.
You know, I love that analogy, Danny. I'm not sure everyone internationally is going to get it. I'm now going to have to link to Mr.
Ben in the show notes so people can understand what that was about.
But, so if a policeman turns up on my door, I obviously will think, "Oh crumbs, maybe there's some speeding ticket I haven't paid or something." It's going to be that or it's going to be a strippogram.
You don't expect it normally, but apparently they are calling people up, claiming to be a detective, and they say, "Look, there's been a burglary nearby and your valuables could be at risk."
Ben in the show notes so people can understand what that was about.
But, so if a policeman turns up on my door, I obviously will think, "Oh crumbs, maybe there's some speeding ticket I haven't paid or something." It's going to be that or it's going to be a strippogram.
You don't expect it normally, but apparently they are calling people up, claiming to be a detective, and they say, "Look, there's been a burglary nearby and your valuables could be at risk."
Oh no.
But don't worry, we're going to send one of our colleagues from the police force.
We're going to get them to pop round and keep your valuables safe on your behalf because there's someone going around stealing stuff.
It's like, yes, there's someone going around stealing stuff because it's the person who's dressed up as a policeman pinching all your gear.
We're going to get them to pop round and keep your valuables safe on your behalf because there's someone going around stealing stuff.
It's like, yes, there's someone going around stealing stuff because it's the person who's dressed up as a policeman pinching all your gear.
It's very old school, isn't it? It's almost like a Wild West element to it as well.
You'd have someone dressed up as a sheriff going around to do that to people, you know, 150 years ago.
You'd have someone dressed up as a sheriff going around to do that to people, you know, 150 years ago.
Apparently they knock on your door, they flash a warrant card, because that's convincing, isn't it?
You also got to have a little laminated card and it's like, oh well, then you're clearly someone in authority.
You also got to have a little laminated card and it's like, oh well, then you're clearly someone in authority.
Especially if it's laminated.
And they walk off with your jewellery and your savings. In one case, they took the wedding ring of one woman's deceased husband.
Yeah.
It's really horrible. In August last year, apparently an 80-year-old woman was killed during one of these fake police doorstep visits.
So whether that particular woman got suspicious and put up some resistance or what, I mean, it is ghastly to think that these people are effectively being scammed on the phone, tricked into having someone come round, and who knows what's going to happen next.
So whether that particular woman got suspicious and put up some resistance or what, I mean, it is ghastly to think that these people are effectively being scammed on the phone, tricked into having someone come round, and who knows what's going to happen next.
So their details, I guess their phone number has been involved in some sort of breach.
At the very least, their phone number. But let's think about it. Many data breaches will not just contain your phone number, they will also contain your postal address as well.
Yes, I remember a few years back, I had an ethical hacker sort of do those things where, for an ask, let's see who you can find about me on the internet.
It was really freaky to hear.
It was really freaky to hear.
Yeah, it is. Now, you might think, well, this seems rather far-fetched. How big a problem is this really?
Well, apparently, last year, there were 13,000 reports of fake police officer scams in the Netherlands alone. 13,000. So, I mean, it's not as though it's that rare.
This is a small country, relatively, with a big problem.
And police said that the impact on elderly victims, who are the most commonly targeted group, is devastating — not just financially, of course, but psychologically as well, because trust is gone.
The Dutch police, Danny, they've decided to do something about all of this.
And what they did was they launched a special operation called Game Over — in fact, it's called Game Over, question mark, exclamation mark.
Well, apparently, last year, there were 13,000 reports of fake police officer scams in the Netherlands alone. 13,000. So, I mean, it's not as though it's that rare.
This is a small country, relatively, with a big problem.
And police said that the impact on elderly victims, who are the most commonly targeted group, is devastating — not just financially, of course, but psychologically as well, because trust is gone.
The Dutch police, Danny, they've decided to do something about all of this.
And what they did was they launched a special operation called Game Over — in fact, it's called Game Over, question mark, exclamation mark.
So are they shouting at, or?
It's not all in capitals. What they did was they collected CCTV images of these ne'er-do-wells who were engaged in this kind of thing. They took video footage from smart doorbells.
They took video taken at ATMs when money was being taken there as well. They got photographs of 100 different suspects, and they published them.
What was unusual about it was they blurred the images.
And they said, here is 100 people, and they put them up on motorway billboards, in supermarkets, at petrol stations, on TikTok, on TV, Instagram, all of that.
But what they did was they said, in two weeks, we're going to unblur the images.
So if you want to hand yourself in now, if you want to go to your local cop shop and say, maybe we should have a little chat about what I've been doing, now is your chance.
They took video taken at ATMs when money was being taken there as well. They got photographs of 100 different suspects, and they published them.
What was unusual about it was they blurred the images.
And they said, here is 100 people, and they put them up on motorway billboards, in supermarkets, at petrol stations, on TikTok, on TV, Instagram, all of that.
But what they did was they said, in two weeks, we're going to unblur the images.
So if you want to hand yourself in now, if you want to go to your local cop shop and say, maybe we should have a little chat about what I've been doing, now is your chance.
That's really interesting. It's almost applying — I'm not saying the police are doing extortion, but it's the same sort of principle as a lot of cybercrime, isn't it?
It's a bit of leverage, isn't it?
Yeah, do as we say, otherwise we'll —
Yes.
Come and — come back and get you big time.
It's a little bit like one of those data extortion attacks, which we see all the time.
So how many of those 100 suspects do you reckon turned themselves in before the countdown was gone?
So how many of those 100 suspects do you reckon turned themselves in before the countdown was gone?
You said they're all sort of between 15 and 30, the average demographic of a cybercriminal, young men.
I'd say there's a lot of hubris in there, and it's not going to be that many that turn themselves in because they'll think, "Oh, they'll never get me." Am I on the right track?
I'd say there's a lot of hubris in there, and it's not going to be that many that turn themselves in because they'll think, "Oh, they'll never get me." Am I on the right track?
Well, I don't know if you'll consider this a small number or a large number. Apparently 21 came forward.
One in five, yeah.
I thought that was quite a lot, considering, you know, their photo hadn't been published. It was just a blurred version.
But they came forward before the deadline, before the images were unblurred. They cycled over to the police station.
They probably leant over a bit as they went through the doorway, because they were ostentatiously tall.
But they came forward before the deadline, before the images were unblurred. They cycled over to the police station.
They probably leant over a bit as they went through the doorway, because they were ostentatiously tall.
Well, they'll have taller doors though, won't they, to make up for it?
You would think so. That would make sense really, wouldn't it?
I wouldn't know about that. I'm 5 foot 7, so it's—
If there's any listeners out there in the Netherlands, we do have a fair few actually, maybe you can confirm whether your average door height is higher than—
I'm off to the Netherlands in a couple of months, as discussed previously, so I can report back and check.
Take a tape measure with you, Danny. Please find out for us. Anyway, once the photos were unblurred, and the public got involved because this is high profile.
This is on motorway billboards, these pictures. Over 500 tips came in.
This is on motorway billboards, these pictures. Over 500 tips came in.
I suppose you see it, you go, oh, I recognise that guy.
Yeah, exactly. Oh, hang on, that's my nephew Bertrand or whatever who is over there.
Yeah, trying to think of Dutch names now.
Dirk.
Oh gosh. Joost. Marcel.
I should know this because me and some friends played a multiplayer Football Manager recently and we were in the Belgian and Dutch leagues.
But all the information is gone from me now, unfortunately.
But all the information is gone from me now, unfortunately.
Anyway, the Game Over website has received more than 2 million visits. The ads on social media have racked up 54 million views.
Wow.
And apparently some detectives had to work overtime just to handle all the tips that are coming in. By last month, 74 of the 100 suspects had been identified.
34 have handed themselves in. 40 were recognised by members of the public, you know, neighbours and school friends, I imagine, possibly family as well. And 6 have been arrested.
And the youngest person identified was just 14 years old.
34 have handed themselves in. 40 were recognised by members of the public, you know, neighbours and school friends, I imagine, possibly family as well. And 6 have been arrested.
And the youngest person identified was just 14 years old.
Wow.
Now, the thing is, Dutch police have said, look, even though there's lots of young people who are involved in this, they are not the masterminds behind this scheme.
They are not the Mr. Big. What's happening apparently is young kids are basically acting as errand runners. They're doing this for a little bit of pocket money.
They are getting some cash. So they're being sent off to knock on doors and collect the bank cards and take the jewellery, that kind of thing.
They are not the Mr. Big. What's happening apparently is young kids are basically acting as errand runners. They're doing this for a little bit of pocket money.
They are getting some cash. So they're being sent off to knock on doors and collect the bank cards and take the jewellery, that kind of thing.
The 2026 equivalent of a paper round.
I suppose so. This is the problem. People don't get newspapers delivered anymore. So the kids are having to turn to crime instead.
Newspapers. You established last week you don't have a milkman, so—
Yes. So they're handing everything up the chain. They're pocketing a little slice for themselves for being the face on the camera.
And the organisers, the people actually behind all this criminality, they're the ones making serious money. And they are largely escaping appearing on the billboards.
So the police are keen to get the Mr. Bigs, as it were. So Dutch police are calling this a social problem that requires a social solution.
I think that's probably true of a lot of things to do with our world, isn't it?
And the organisers, the people actually behind all this criminality, they're the ones making serious money. And they are largely escaping appearing on the billboards.
So the police are keen to get the Mr. Bigs, as it were. So Dutch police are calling this a social problem that requires a social solution.
I think that's probably true of a lot of things to do with our world, isn't it?
Yeah. You can't just stamp down on, let's say, technologies, for example, and sort of hope things will get better.
You could almost draw an analogy with how we're trying to clean up the world of social media by preventing kids from getting on social media.
Indeed, yes.
Rather than why don't we just clean up the social media sites or fine them?
Oh no, that's far too complicated. Children will, if you tell them not to do something, they'll just not do it. Of course, they won't try to do it.
They're very obedient. Anyway, this public shaming campaign, it's been quite clever because it's not just caught 74 people.
It's also made the whole criminal ecosystem feel less safe for everyone involved.
So I think if you are a 17-year-old, and you've been recruited to knock on doors for €50 a time, and you know there's a chance that you might have your photo taken by the doorbell and then appear on a motorway billboard, maybe you'll think twice about what you're doing.
It's also made the whole criminal ecosystem feel less safe for everyone involved.
So I think if you are a 17-year-old, and you've been recruited to knock on doors for €50 a time, and you know there's a chance that you might have your photo taken by the doorbell and then appear on a motorway billboard, maybe you'll think twice about what you're doing.
Yeah, it's gonna put you off.
It's gonna sort of make the pool of potential, for want of a better word, employees smaller if they think, okay, what if my friends, family, what if my mum sees I've been part of a criminal group?
It's gonna sort of make the pool of potential, for want of a better word, employees smaller if they think, okay, what if my friends, family, what if my mum sees I've been part of a criminal group?
Oh yeah, that's always the biggest deterrent of all, isn't it? If your mum finds out what you've been up to.
Now, listeners, as you've already suggested, Danny, there are sensible steps to take if you do get a call which claims to be from your bank.
Obviously, a genuine bank is never going to call you and offer to send someone to your house.
Now, listeners, as you've already suggested, Danny, there are sensible steps to take if you do get a call which claims to be from your bank.
Obviously, a genuine bank is never going to call you and offer to send someone to your house.
No, I mean, the bank keeps doing the opposite these days. They want everything to go online. So, yes.
And real police aren't going to knock on your door and ask to take all your valuables away for safekeeping. That doesn't really happen either.
So if anything like that is offered to you, put your phone down, find the number yourself, just like you did, Danny.
I imagine, you know, look on the back of your bank card or something like that for a contact phone number.
Don't use the one that's been given to you on the phone and call the bank back directly.
And if you've got elderly relatives or neighbours, you know, have that kind of conversation with them because these operations, these criminal schemes, they are targeting people who grew up trusting institutions, like the banks, like the police, you know, those institutions that we've learned to be a little bit more suspicious of over the years.
Modern-day cybercriminals can be very, very convincing indeed. Well, we've got time now to talk about one of today's sponsors, Vanta.
Joe, what keeps you up at 2 o'clock in the morning?
So if anything like that is offered to you, put your phone down, find the number yourself, just like you did, Danny.
I imagine, you know, look on the back of your bank card or something like that for a contact phone number.
Don't use the one that's been given to you on the phone and call the bank back directly.
And if you've got elderly relatives or neighbours, you know, have that kind of conversation with them because these operations, these criminal schemes, they are targeting people who grew up trusting institutions, like the banks, like the police, you know, those institutions that we've learned to be a little bit more suspicious of over the years.
Modern-day cybercriminals can be very, very convincing indeed. Well, we've got time now to talk about one of today's sponsors, Vanta.
Joe, what keeps you up at 2 o'clock in the morning?
The dog next door, mostly.
Oh, right. Well, yeah, but I'm talking professionally. What keeps you up?
Oh, whether we've got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.
Exactly. Which is where today's sponsor comes in. It's Vanta.
Fanta, the fizzy orange drink. How can this possibly be true?
No, no, Joe. It's a Vanta with a V. It's a trust management platform. It's not a drink full of sugar.
It automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.
It automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.
Lush, I hate questionnaires.
Well, who doesn't? Vanta continuously monitors your systems. It centralises your security data. It keeps your program audit ready all of the time.
It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.
It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.
So basically it handles the boring stuff so we can focus on the interesting stuff.
Exactly. Precisely that. And for a limited time, new customers can get $1,000 off. $1,000? Yep. $1,000.
Head to vanta.com/smashing — that's vanta.com/smashing — and get started today.
Head to vanta.com/smashing — that's vanta.com/smashing — and get started today.
And maybe get a decent night's sleep for once. Oh, and unlike fizzy drinks, Vanta isn't bad for you. That was a fruit twist.
Danny, what's your story for us this week?
Well, Graham, even if you don't follow football, you might have noticed there's quite a big event going on right now. That is the World Cup. Ah! You're familiar with it, I take it?
I am familiar with the World Cup. I think I've heard of it.
Yeah.
This is a football thing, I believe.
It's a football thing. Yeah. Quite a big deal. So it started on June the 12th, and it runs all the way through to the final on July the 19th. So that's just over a month.
It's the biggest World Cup ever, in fact, featuring 48 teams from around the world. I'm a football fan. I'm aware of the World Cup. Wales aren't in it.
It's the biggest World Cup ever, in fact, featuring 48 teams from around the world. I'm a football fan. I'm aware of the World Cup. Wales aren't in it.
Oh.
I'm used to that over the years. We qualified for the 2021 World Cup. Before that, the previous World Cup was 1958. So it's a rare thing for us, but now I still get to sort of—
Hang on, Danny. There can't have been a 2021 World Cup. Isn't it every 4 years?
It's 2020, but there was something, something happened during 2020, which made them postpone it for a year.
Okay, got it.
That would be a certain pandemic that sort of caused some problems and shenanigans around the world, let's say.
So, okay, there's 2 things I'm aware of, the World Cup and that pandemic thing. I remember that.
All right.
Okay.
Anyway, main point, Wales not good at football. I am just watching as a general fan. So, right.
This biggest World Cup ever happens to be happening in the country that likes to do things big.
It's in the United States of America, which is hosting the tournament alongside Mexico and Canada. So this was decided about a decade ago, right?
When things were a bit smoother diplomatically between those countries, let's say. And admittedly, this hasn't gone without controversy.
There've been accusations of price gouging by FIFA and its official partners.
Fans, a referee, and even players from certain countries were told they weren't allowed into the Land of the Free due to visa issues and restrictions.
This biggest World Cup ever happens to be happening in the country that likes to do things big.
It's in the United States of America, which is hosting the tournament alongside Mexico and Canada. So this was decided about a decade ago, right?
When things were a bit smoother diplomatically between those countries, let's say. And admittedly, this hasn't gone without controversy.
There've been accusations of price gouging by FIFA and its official partners.
Fans, a referee, and even players from certain countries were told they weren't allowed into the Land of the Free due to visa issues and restrictions.
Which does prove a bit of a challenge, doesn't it, in having a football game if you're not allowed into the country?
Yeah, it's a bit tricky. I mean, I think some of the teams that are playing in Canada and Mexico are not having these problems there, but in the US, they're having these problems.
And then there's the whole kerfuffle with the winner of the inaugural FIFA Peace Prize, the President of the United States of America, not being that peaceful in his approach to international diplomacy in the run-up to the tournament.
And on top of all that, obviously the key thing for us here is if you're watching it from the UK or Europe, the games are often late at night.
So weird times for us, but despite all that, the World Cup itself appears to be running rather smoothly.
And there's already been a bunch of excellent matches and moments on the pitch.
And then there's the whole kerfuffle with the winner of the inaugural FIFA Peace Prize, the President of the United States of America, not being that peaceful in his approach to international diplomacy in the run-up to the tournament.
And on top of all that, obviously the key thing for us here is if you're watching it from the UK or Europe, the games are often late at night.
So weird times for us, but despite all that, the World Cup itself appears to be running rather smoothly.
And there's already been a bunch of excellent matches and moments on the pitch.
Right.
Ultimately, hundreds of millions of people, and maybe billions, are tuning in to watch these matches.
So you'd expect FIFA to have strong, robust protections in place to ensure that nothing untoward can happen to the live broadcasts.
So you'd expect FIFA to have strong, robust protections in place to ensure that nothing untoward can happen to the live broadcasts.
Yes.
Well, it turns out that may not have been the case.
Oh dear.
Because this week, a security researcher who goes by the name of Bob de Hacker. You might have heard of her older brother, who is a builder.
Yes. But it's a bit strange for siblings to have the same first name.
That is true, yeah.
But anyway, Bob de Hacker, yeah. What's she been up to?
Well, she published a blog post where she claimed she could have hijacked live match feeds and Rickrolled millions of people watching games. Oh boy.
And despite this being the biggest World Cup ever and all that, it appears it was rather trivial for her to gain access because all she needed to start this process was some ID.
So, as detailed on her blog, Bob started with the FIFA agent platform.
So that's a public portal where football agents, that is the managers and advisors of football players, register that they are indeed football agents.
I don't know what paperwork you need to say you are a football agent, I imagine you just need a big fur coat and a huge cigar. Exactly. Yeah.
So to register, she had to upload some personal data and some ID, and there she was in.
She was part of the FIFA agent platform, which runs on Microsoft Entra, which is, I believe, used to be part of Azure previously.
So while she was initially blocked from accessing the FIFA football data platform, she was able to bypass some of the guardrails on this. I mean, these haven't been specified.
And we'll shortly see why, but basically Bob found herself with access to the FIFA streaming management panel, partly hosted by a third-party provider called MediaKind.
And Bob said what she saw made her jaw, and I quote, "hit the floor."
And despite this being the biggest World Cup ever and all that, it appears it was rather trivial for her to gain access because all she needed to start this process was some ID.
So, as detailed on her blog, Bob started with the FIFA agent platform.
So that's a public portal where football agents, that is the managers and advisors of football players, register that they are indeed football agents.
I don't know what paperwork you need to say you are a football agent, I imagine you just need a big fur coat and a huge cigar. Exactly. Yeah.
So to register, she had to upload some personal data and some ID, and there she was in.
She was part of the FIFA agent platform, which runs on Microsoft Entra, which is, I believe, used to be part of Azure previously.
So while she was initially blocked from accessing the FIFA football data platform, she was able to bypass some of the guardrails on this. I mean, these haven't been specified.
And we'll shortly see why, but basically Bob found herself with access to the FIFA streaming management panel, partly hosted by a third-party provider called MediaKind.
And Bob said what she saw made her jaw, and I quote, "hit the floor."
Was she as sick as a parrot?
Hahaha. Well, let's assume yes. For in front of her eyes was the live production streaming management panel for the FIFA World Cup 2026.
She could, through this panel, gain access to every match, every camera angle, every stream. Ultimately, that is live video streams for live matches. And this wasn't just read-only.
She could have played around with the live broadcast.
She could, through this panel, gain access to every match, every camera angle, every stream. Ultimately, that is live video streams for live matches. And this wasn't just read-only.
She could have played around with the live broadcast.
I thought you were going to say that she could just watch all of these for free, but what you're saying is she could actually alter them as well.
Yes, she could sort of control the feeds, as it were. What would you do if you stumbled upon that sort of power?
If I had that kind of power, what I would do is I would take my phone to the local park where there's a bunch of 7-year-olds having a kick around with a football.
And I would— I would maybe get them to dress up. We'd have one side dressed up in the Portuguese football kit and the other side as Cape Verde. No, I'd have the US versus Iran.
That's what I'd do. I'd get them to dress up in the Iranian football kit and the American football kit, and I would broadcast it. How brilliant would that be?
And I would— I would maybe get them to dress up. We'd have one side dressed up in the Portuguese football kit and the other side as Cape Verde. No, I'd have the US versus Iran.
That's what I'd do. I'd get them to dress up in the Iranian football kit and the American football kit, and I would broadcast it. How brilliant would that be?
I thought you'd say you'd go into the park, you can turn it into a Springwatch type of thing. But no, that is a good idea.
Well, what Bob said is that with the access she had, she could have just gone for what she described as the nuclear option and Rickrolled the entire world, which seems like a hacker thing to do, doesn't it?
It does. Because Bob is a responsible ethical hacker, nothing happened.
But it's not hard to imagine that if someone with nefarious intentions had found this lapse in cybersecurity, they could have done something much worse.
They could have shut down the live broadcast of one of the biggest sporting events in the world. People notice that sort of thing.
They could have taken advantage of the ability to choose what to broadcast by unleashing unsavoury content.
An attacker could have got hold of or messed around with data and broadcasts.
Then of course there's all the websites that rely on this platform for, even if they're not showing the actual match itself, updating scores.
If you go to the BBC Live Football page, it'll be through that. There's implications, this security vulnerability, for an event watched by hundreds of millions of people.
But as an ethical hacker, Bob wanted to disclose what she has found. It seems this was more difficult than gaining access to FIFA's live streaming platforms themselves.
She's listed on her blog post, which I'm sure we'll link to in the notes, the 10 steps she had to go through to actually get someone to apparently listen to her.
So prepare yourself. Step 1: First, she tried to disclose the vulnerability directly to FIFA by several publicly available email addresses.
Well, what Bob said is that with the access she had, she could have just gone for what she described as the nuclear option and Rickrolled the entire world, which seems like a hacker thing to do, doesn't it?
It does. Because Bob is a responsible ethical hacker, nothing happened.
But it's not hard to imagine that if someone with nefarious intentions had found this lapse in cybersecurity, they could have done something much worse.
They could have shut down the live broadcast of one of the biggest sporting events in the world. People notice that sort of thing.
They could have taken advantage of the ability to choose what to broadcast by unleashing unsavoury content.
An attacker could have got hold of or messed around with data and broadcasts.
Then of course there's all the websites that rely on this platform for, even if they're not showing the actual match itself, updating scores.
If you go to the BBC Live Football page, it'll be through that. There's implications, this security vulnerability, for an event watched by hundreds of millions of people.
But as an ethical hacker, Bob wanted to disclose what she has found. It seems this was more difficult than gaining access to FIFA's live streaming platforms themselves.
She's listed on her blog post, which I'm sure we'll link to in the notes, the 10 steps she had to go through to actually get someone to apparently listen to her.
So prepare yourself. Step 1: First, she tried to disclose the vulnerability directly to FIFA by several publicly available email addresses.
Right.
These messages either bounced or received no response. Or as she described it, disappeared into the void. Second attempt, she reached out to a person.
She found the LinkedIn account for the Head of Football Technology and Data at FIFA and tried to reach out to him.
She found the LinkedIn account for the Head of Football Technology and Data at FIFA and tried to reach out to him.
Okay.
No response.
Oh dear.
Her third go, she tried to contact the FIFA headquarters in Zurich directly. She didn't receive a response there. She also tried calling the FIFA media line. Same result.
No one was there.
In her now, what we on now, fifth attempt to get through to someone, Bob called the Dallas Convention Center, which for the World Cup is home to the temporary International Broadcast Centre, which is basically where all the media involved in covering the event are based for the duration.
No one was there.
In her now, what we on now, fifth attempt to get through to someone, Bob called the Dallas Convention Center, which for the World Cup is home to the temporary International Broadcast Centre, which is basically where all the media involved in covering the event are based for the duration.
Okay.
Nobody picked up and Bob left a voicemail message. So that's quite a few attempts now just to tell someone about this.
Yes.
She phoned then MediaKind, the hosting partner for the streaming, and she got through to someone.
She said that person understood immediately what the issue was and asked her to email details as proof, which she did.
But she isn't sure if action got taken immediately at that point.
So she tried contacting Host Broadcasting Services, a specialist media organisation which helps to broadcast major events like this.
She said that person understood immediately what the issue was and asked her to email details as proof, which she did.
But she isn't sure if action got taken immediately at that point.
So she tried contacting Host Broadcasting Services, a specialist media organisation which helps to broadcast major events like this.
Did she think of sending a Truth Social message to the winner of the inaugural FIFA Peace Prize?
Because he's normally online, and I believe he probably has the mobile phone number of the FIFA president. I'm just thinking, go to—
Because he's normally online, and I believe he probably has the mobile phone number of the FIFA president. I'm just thinking, go to—
You're right, yeah. Unfortunately, I don't think she thought of that. But lessons to be learned there.
Yeah.
But this 7th attempt, calling this host broadcasting services, she got through to someone, but they said on the phone they didn't have anyone there who could help, and they hung up on her.
Right.
And then didn't answer any further calls. You wouldn't want that if you're calling, say, the police, and they went, "Ah, nah, sorry, mate. Nothing to do with us," and hung up.
Bob de Haka has shown remarkable patience by this point.
I would be tempted to think, why don't I just take over one of the streams and put up my email address on the screen and say, if you want this fixed, contact me and I'll tell you what the problem is.
I would be tempted to think, why don't I just take over one of the streams and put up my email address on the screen and say, if you want this fixed, contact me and I'll tell you what the problem is.
That would have been eye-catching. I imagine she would have gotten a bit of trouble for doing that though.
Probably would. But you can understand why someone might feel so frustrated they would do that.
Definitely. So at this point, she's clearly getting a bit fed up that the situation hasn't been fully resolved.
So she contacted CISA, the critical infrastructure agency in the United States.
So she contacted CISA, the critical infrastructure agency in the United States.
Oh yeah.
Holds the official title of federal lead on cybersecurity for the FIFA World Cup 2026, including broadcast services.
Okay. I was wondering why on earth CISA would be involved in the World Cup. Was that really critical infrastructure?
But okay, they have somehow allied themselves with the World Cup, maybe for a few cheapo tickets in order for giving some cybersecurity advice.
But okay, they have somehow allied themselves with the World Cup, maybe for a few cheapo tickets in order for giving some cybersecurity advice.
Well, I suppose the stadiums are infrastructure.
I suppose they're— okay, I suppose they are.
You don't want those getting ransomwared and fans not being able to get in. That would be embarrassing, I imagine.
Fair enough. Okay, so CISA now are going to fix this problem.
Well, they listened and asked for more information, which she sent across. And it seems that they responded positively.
And then she made a final attempt because, you know, she had contact at the FBI from some previous work she'd done.
And then she made a final attempt because, you know, she had contact at the FBI from some previous work she'd done.
I bet she does.
Yeah, who said they'd look into the disclosure right away. So it seems that after all this effort, the vulnerability was fixed. So all of this effort was for something.
But as has been reported by various media outlets and Bob themselves, FIFA haven't acknowledged that this was a thing which was a problem.
They haven't acknowledged that Bob tipped them off.
But as has been reported by various media outlets and Bob themselves, FIFA haven't acknowledged that this was a thing which was a problem.
They haven't acknowledged that Bob tipped them off.
Yeah.
Maybe they were too busy hobnobbing with celebrities and world leaders, perhaps.
If you've got the choice of answering a message from some vulnerability researcher, some security bod on the internet or hanging out with Shakira, which are you gonna do?
You're probably right, I imagine. You don't get to meet celebrities very often, I suppose.
No.
In any case, it feels like it should not have taken this much effort to get the issue, which boiled down to a simple client-side authorisation issue with no server-side enforcement, sorted.
And FIFA might consider themselves lucky that it wasn't someone more nefarious who was trying to do something of this.
And FIFA might consider themselves lucky that it wasn't someone more nefarious who was trying to do something of this.
Yes.
Bob concluded the write-up with some advice for FIFA, which was, "When a researcher has to call CISA and the FBI to reach you, something is wrong." And she recommended that they might want to start some sort of bug bounty programme before signing off with the phrase, "So long and thanks for all the fish." This episode is sponsored by ProtonPass.
ProtonPass, the password manager from the team behind ProtonMail, the world's largest end-to-end encrypted email service.
Now, Joe, you and I both know the grubby little secret of how a lot of businesses actually share passwords.
A spreadsheet, a Post-it note, sending it to a colleague via Slack and hoping for the best.
That's pretty much it. All of the above. And every one of them is a breach waiting to happen.
ProtonPass is built to fix exactly that, letting teams store and share credentials securely, with end-to-end encryption baked into every feature.
ProtonPass is built to fix exactly that, letting teams store and share credentials securely, with end-to-end encryption baked into every feature.
It's open source and fully auditable. It runs on Swiss infrastructure, so your data sits outside US jurisdiction, and it's backed by a nonprofit.
No venture capitalists, no pressure to chase a quick exit.
No venture capitalists, no pressure to chase a quick exit.
Which is the bit I like. You know, it's built to serve you, not investors.
So it will never be pressured to cut security corners or rush towards a liquidity event that could change ownership, pricing or priorities overnight.
It's trusted by over 100 million people, ISO 27001 certified, SOC 2 audited, and it helps you tick the boxes for NIST 2, DORA, and the UK's Cybersecurity and Resilience Bill.
So it will never be pressured to cut security corners or rush towards a liquidity event that could change ownership, pricing or priorities overnight.
It's trusted by over 100 million people, ISO 27001 certified, SOC 2 audited, and it helps you tick the boxes for NIST 2, DORA, and the UK's Cybersecurity and Resilience Bill.
And crucially, people actually use it. One Swiss customer told Proton, and I quote, "It works. It works perfectly." High praise indeed.
So why not start your business's free trial right now at proton.me/smashingsecurity.
And thanks to Proton Pass for supporting the show.
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Now, my pick of the week this week is not security related.
My pick of the week this week may take you back to your geography classroom, Danny.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Now, my pick of the week this week is not security related.
My pick of the week this week may take you back to your geography classroom, Danny.
Remember them well. I was one of those people who enjoyed geography, I will say.
Yeah, geography's all right, isn't it? I mean, basically you learn how an oxbow lake is made.
Very important information, isn't it?
Yeah.
Erosion.
A bit of erosion. Yes, that was good.
Stuff that sticks with you, even if it's not particularly useful for everyday life these days.
Well, I wonder whether the image of an iceberg has stuck with you.
That picture, the sort of cross-sectional image of the part of the iceberg which is above water and the part of the iceberg which is beneath the water.
That picture, the sort of cross-sectional image of the part of the iceberg which is above water and the part of the iceberg which is beneath the water.
Now you mention it, I think it does. Yeah, they're quite large, these things, I believe.
Well, this is the whole thing, isn't it?
Is that you get a little bit above the water and then you get this huge mass underneath and it's always like, oh, that's not the— that's the bit which isn't visible.
It's like a mountain underneath the much smaller hill above the water. So we've all seen that. But have you ever asked yourself, is that really true?
Is that you get a little bit above the water and then you get this huge mass underneath and it's always like, oh, that's not the— that's the bit which isn't visible.
It's like a mountain underneath the much smaller hill above the water. So we've all seen that. But have you ever asked yourself, is that really true?
Well, I've not really thought about that in depth, as I assumed it was true because an expert in geography and icebergs was telling me it was true.
Well, I am going to question this because although it is true that only about 10% of an iceberg is above water, I don't think it necessarily matches that image that we've been given.
And this astonishing truth has been revealed to me by a website which I have visited.
A website created by a chap called Joshua Torbera, where he actually invites you to examine the physics of all of this.
And this astonishing truth has been revealed to me by a website which I have visited.
A website created by a chap called Joshua Torbera, where he actually invites you to examine the physics of all of this.
Does sound very interesting. And that's not being sarcastic either. That does sound interesting to me.
Right. So this is a site which allows you to draw an iceberg. So it has the waterline. You draw the shape of an iceberg.
So imagine that one, which you can see from that image with just a little bit on top and the huge massive mountain underneath.
Draw that, and then it shows you how it would actually float. And what you find is that the iceberg will sort of adjust itself and change its position.
So you don't end up with Everest underneath.
So imagine that one, which you can see from that image with just a little bit on top and the huge massive mountain underneath.
Draw that, and then it shows you how it would actually float. And what you find is that the iceberg will sort of adjust itself and change its position.
So you don't end up with Everest underneath.
No, and it doesn't just sink, I presume.
Yeah. I'll put a link in the show notes, but why don't you go and try it for yourself right now? Cool.
I'm looking at one here which someone else has drawn, which is an image of something which appears to be like a unicorn's head.
I'm looking at one here which someone else has drawn, which is an image of something which appears to be like a unicorn's head.
I see it, yes.
Well, why would it have to be a particular shape? Anyway, you draw your own little iceberg and see what happens.
Huh, I can't think what to draw now.
Draw a traditional iceberg, how you imagine it would be underneath.
I was just talking about football. I'm just going to draw a ball. Draw more something that looks like a rugby ball there. Oh, it's sunk and most of it is underwater.
Drawing a circle is a difficult thing, but I like how it bobs up and down. That's cool.
Drawing a circle is a difficult thing, but I like how it bobs up and down. That's cool.
Anyway, check out the show notes. I think this will be a revelation to you that we've been lied to by geography teachers as to how icebergs actually float.
Yes, they only have a little bit above the water, a little bit of their mass. We agree on that. But you're not going to have this colossal mountain shape underneath.
Yes, they only have a little bit above the water, a little bit of their mass. We agree on that. But you're not going to have this colossal mountain shape underneath.
Huh.
And so this revelation is my pick of the week. Danny, what's your pick of the week?
So my pick for the week is a video game I've recently started playing. It's a modification for the video game Fallout 4.
So, first things first, Fallout video game series — it's a popular video game series which is set in a post-apocalyptic nuclear world.
Sounds quite dark, but it tends to take quite a sideways, sort of funny look at things. So in this dark world, there's elements of humour. I'll give you an example.
In the game Fallout 4, based in Boston, you can go down into a bar and the skeletons at the bar, which have been nuked in this war, they look suspiciously like people who might frequent the bar Cheers.
There's a postman at the bar, or a photo guy, kind of thing, so yeah — they've always had quite tongue-in-cheek humour in the games.
That Fallout 4 came out 10 years ago now, which is mad to think about. And a couple of years ago, about a year ago, a mod came out, so a fan-made modification of the game.
So, first things first, Fallout video game series — it's a popular video game series which is set in a post-apocalyptic nuclear world.
Sounds quite dark, but it tends to take quite a sideways, sort of funny look at things. So in this dark world, there's elements of humour. I'll give you an example.
In the game Fallout 4, based in Boston, you can go down into a bar and the skeletons at the bar, which have been nuked in this war, they look suspiciously like people who might frequent the bar Cheers.
There's a postman at the bar, or a photo guy, kind of thing, so yeah — they've always had quite tongue-in-cheek humour in the games.
That Fallout 4 came out 10 years ago now, which is mad to think about. And a couple of years ago, about a year ago, a mod came out, so a fan-made modification of the game.
Yes.
It's Fallout London, so they've taken this world and placed it in London, which is very impressive, especially for a fully fan-made project.
And, you know, as someone who lives in London, I'd say the map is generally quite accurate.
Basically, when you start the game, it dumps you near New Cross Gate, which isn't that far away from me.
And, you know, as someone who lives in London, I'd say the map is generally quite accurate.
Basically, when you start the game, it dumps you near New Cross Gate, which isn't that far away from me.
Right.
The fun thing is though, that the people who made it, they know London because the exact shopping centre that I've visited in Bromley is in the game. Wow.
There's even a thing where there's an equivalent of Boots exactly where that should be. There's an equivalent of a Games Workshop exactly where that should be.
There's even a thing where there's an equivalent of Boots exactly where that should be. There's an equivalent of a Games Workshop exactly where that should be.
And this is a post-apocalyptic London, right?
It is. Yeah.
So this is based on London after the Brexit vote.
Yes. And the nuclear Brexit.
Yes.
A lot of effort has gone into this and it also has some surprise celebrity cameos. I'm not that far into it, but it's a lot of fun. A lot of love and effort has gone into this game.
And if you own Fallout 4, it's completely free.
And if you own Fallout 4, it's completely free.
Right.
That's my pick of the week. Come visit post-apocalyptic London, it's great.
And go and visit Danny in his local Boots.
Fantastic.
Great pick of the week.
Now, Black Kite has just released its first report focused specifically on Europe, covering ransomware and data extortion across 31 countries between January of 2025 and April of this year.
And the findings of that report paint a pretty clear picture of how attacks are accelerating. It's not just about a growing number of victims who are being reached directly.
There's also, of course, a lot of companies who are being hit through their suppliers.
So to dig into this report and walk me through the research, I'm really delighted to have on the show Jeffrey Wheatman, who is senior VP at Black Kite. Jeffrey, welcome to the show.
Now, Black Kite has just released its first report focused specifically on Europe, covering ransomware and data extortion across 31 countries between January of 2025 and April of this year.
And the findings of that report paint a pretty clear picture of how attacks are accelerating. It's not just about a growing number of victims who are being reached directly.
There's also, of course, a lot of companies who are being hit through their suppliers.
So to dig into this report and walk me through the research, I'm really delighted to have on the show Jeffrey Wheatman, who is senior VP at Black Kite. Jeffrey, welcome to the show.
Graham, it is a pleasure and an honour to be here with you.
Oh, steady on, old chap. Enough of the mutual backslapping. This is Black Kite's first report specifically focused on Europe.
So my question to start off with is what made now the right time to really look at what's going on in Europe?
So my question to start off with is what made now the right time to really look at what's going on in Europe?
That's a great question. And I'll sort of look back on my whole career — I feel like many American technology companies are very focused on America, North America.
And I think that we live in a global economy and the reality is there are some different drivers and different approaches that take place in the EU, in the UK, in the whole region.
And we just saw some interesting trends, because we have a ton of data.
We saw these interesting trends and we decided it was worthwhile maybe doing a focus on some of the countries in the region.
And it turned out we found some really interesting things. And I think really the answer to your question is, why did it take so long for people to start focusing in Europe?
And I think that we live in a global economy and the reality is there are some different drivers and different approaches that take place in the EU, in the UK, in the whole region.
And we just saw some interesting trends, because we have a ton of data.
We saw these interesting trends and we decided it was worthwhile maybe doing a focus on some of the countries in the region.
And it turned out we found some really interesting things. And I think really the answer to your question is, why did it take so long for people to start focusing in Europe?
Right, right. Well, I think some of the things which you've dug up in this report are interesting. It's worth digging through these.
So the headline number is this big rise in ransomware attacks in early 2026.
So you're saying there's been a 55% year-on-year rise in those attacks, which is quite a big jump, isn't it?
Is that genuinely more attacks or are we just getting better at counting ransomware incidents?
So the headline number is this big rise in ransomware attacks in early 2026.
So you're saying there's been a 55% year-on-year rise in those attacks, which is quite a big jump, isn't it?
Is that genuinely more attacks or are we just getting better at counting ransomware incidents?
So I think there are a few parts to that. I think there are definitely more attacks.
We saw a huge number of CVEs last year and with Mythos and the Frontier models, we think that's going to continue to spike. So it's definitely more attacks.
We are also getting better at counting them, in large part because of the regulatory environment. Companies are being required to make announcements when they have breaches.
In the US, for example, if you're publicly traded and you have a material breach, you have to make an announcement. The EU, we know, has very similar things.
DORA for financial services, NIST too — all of these things are requiring organisations to be much more open. So I think it's really a combination of both of those things.
There's more of them and we're being forced to talk about them more. And the other thing that I think is important is it used to be very much about data.
It's still about data, but now it's much more about resilience.
We saw a huge number of CVEs last year and with Mythos and the Frontier models, we think that's going to continue to spike. So it's definitely more attacks.
We are also getting better at counting them, in large part because of the regulatory environment. Companies are being required to make announcements when they have breaches.
In the US, for example, if you're publicly traded and you have a material breach, you have to make an announcement. The EU, we know, has very similar things.
DORA for financial services, NIST too — all of these things are requiring organisations to be much more open. So I think it's really a combination of both of those things.
There's more of them and we're being forced to talk about them more. And the other thing that I think is important is it used to be very much about data.
It's still about data, but now it's much more about resilience.
Okay.
Right. Can you keep your business up and running even if something bad happens to your partners who you don't directly control?
Yeah. Which is the scary thing, isn't it?
You may have your own house in order, but the problem is that you're letting in all these other people or you're letting other people's code into your organisation.
And potentially that's a route through which you can suffer a ransomware incident.
You may have your own house in order, but the problem is that you're letting in all these other people or you're letting other people's code into your organisation.
And potentially that's a route through which you can suffer a ransomware incident.
Yeah, I present all over the world and I always get up on stage and say, look, you're all perfect at defending against ransomware.
You're not, but I'm gonna give you the benefit of the doubt. But what I can tell you for sure is your partners, they're not.
You're not, but I'm gonna give you the benefit of the doubt. But what I can tell you for sure is your partners, they're not.
Right.
And that kind of opens people's eyes up a little bit.
This problem of ransomware, it's not hitting everywhere equally, is it? The geographic picture around this, it's really quite striking.
You're reporting nearly 70% of the incidents landed in just 5 countries. So you've got the UK, Germany, France, Italy, Spain.
You're reporting nearly 70% of the incidents landed in just 5 countries. So you've got the UK, Germany, France, Italy, Spain.
Yep.
Is that just because they're the biggest economies in Europe, or is something else going on? Germany in particular seems to be having a really rough time.
Yeah, I think it's again a combination. I think it's because their economies are bigger, there are more targets there.
Infamous US bank robber Willie Sutton, when they asked him why he robbed banks, he said, 'Cause that's where the money is.' And that's definitely the case.
We also think that in part some of it is related to the regulatory environment. People are gonna be quicker to pay, I think, because of the potential financial impact if they don't.
And then the other thing too, I think for global companies, they're more likely to have a presence in these 5 nations than others.
As an example, it's because the economies are big, but really the targets are just bigger. So that's what the bad actors are gonna go at, right? It's a magnification game for them.
And I always say bad actors are like water. They take the easiest pathway.
And frequently the easiest pathway is going to be where you have the most opportunities and the most targets and the most concentration.
And that's why we think that these particular countries are getting nailed so badly.
Infamous US bank robber Willie Sutton, when they asked him why he robbed banks, he said, 'Cause that's where the money is.' And that's definitely the case.
We also think that in part some of it is related to the regulatory environment. People are gonna be quicker to pay, I think, because of the potential financial impact if they don't.
And then the other thing too, I think for global companies, they're more likely to have a presence in these 5 nations than others.
As an example, it's because the economies are big, but really the targets are just bigger. So that's what the bad actors are gonna go at, right? It's a magnification game for them.
And I always say bad actors are like water. They take the easiest pathway.
And frequently the easiest pathway is going to be where you have the most opportunities and the most targets and the most concentration.
And that's why we think that these particular countries are getting nailed so badly.
And when you're talking about bad actors, you're not talking about Nicolas Cage, you are talking about—
Don't—
Hold on, hold on, Graham. Do not badmouth Nicolas Cage. Nicolas Cage is one of the finest actors of our generation.
He's not always good at picking scripts, but he is a terrific, terrific actor. We just watched Spider Noir and he was fabulous in that.
He's not always good at picking scripts, but he is a terrific, terrific actor. We just watched Spider Noir and he was fabulous in that.
I haven't seen that one yet. Now, talking about these threat actors, though, Qilin, Q-I-L-I-N, pronounced Qilin, I believe. They pop up in 26 of the 31 countries you looked at.
What's made them so prolific as a ransomware gang?
What's made them so prolific as a ransomware gang?
The short answer, they run this thing like a company. They don't run it like a ransomware gang. They run it like a criminal enterprise. They provide ransomware as a service.
So if I want to go after a company with ransomware and I don't have the tools, they'll do it on my behalf. So that's a magnification.
They are using what we call double extortion, which is they exfiltrate the data and then they encrypt it.
So even if you have really good backups, that's not enough because they have your data and they're going to send it out. And there are a couple of examples around that.
They're also always improving. They're paying attention to the software market. They are updating their software. They're testing everything against all of the detection tools.
They're also focusing in a very opportunistic way in areas where downtime is significantly impactful from a dollar, pound, euro perspective. It's not haphazard.
They're going after companies that they know cannot afford to have any downtime.
The bottom line is they operate like a company and not like a gang, like these organisations used to do.
And if I'm a bad actor and I do business with them and it works and they support me, I'm going to continue to do business with them just like any company.
And that's why we think their presence is so high.
So if I want to go after a company with ransomware and I don't have the tools, they'll do it on my behalf. So that's a magnification.
They are using what we call double extortion, which is they exfiltrate the data and then they encrypt it.
So even if you have really good backups, that's not enough because they have your data and they're going to send it out. And there are a couple of examples around that.
They're also always improving. They're paying attention to the software market. They are updating their software. They're testing everything against all of the detection tools.
They're also focusing in a very opportunistic way in areas where downtime is significantly impactful from a dollar, pound, euro perspective. It's not haphazard.
They're going after companies that they know cannot afford to have any downtime.
The bottom line is they operate like a company and not like a gang, like these organisations used to do.
And if I'm a bad actor and I do business with them and it works and they support me, I'm going to continue to do business with them just like any company.
And that's why we think their presence is so high.
So another thing which caught my attention were the most hit sectors. Now, what types of industry are getting hit? Manufacturing — nearly 28% of all incidents.
But it's IT services which is the single most targeted subsector. Why does that matter, do you think?
But it's IT services which is the single most targeted subsector. Why does that matter, do you think?
So I'll talk about manufacturing very briefly, and then I think the IT services is really interesting.
So manufacturing traditionally, they haven't put a lot of time and effort into cyber because that's not what they're in business for. They're not about moving ones and zeros.
They're about making physical things.
What we've seen in the last 18 to 24 months, very visibly, is that these organisations are getting hit with ransomware and it's causing downtime.
So manufacturing traditionally, they haven't put a lot of time and effort into cyber because that's not what they're in business for. They're not about moving ones and zeros.
They're about making physical things.
What we've seen in the last 18 to 24 months, very visibly, is that these organisations are getting hit with ransomware and it's causing downtime.
Yeah.
And that is very, very painful for them. And we have some great examples — K&P Logistics, which is in your neck of the woods. LastPass, two years ago they got hit with ransomware.
They were out of business in 125 days — a 156-year-old shipping and logistics company. We saw Jaguar Land Rover last year got hit with an attack.
It had an impact on the GDP of the UK, one of the biggest economies in the world. This is big money now.
They were out of business in 125 days — a 156-year-old shipping and logistics company. We saw Jaguar Land Rover last year got hit with an attack.
It had an impact on the GDP of the UK, one of the biggest economies in the world. This is big money now.
Yeah.
IT services is a slightly different target. They are going after those organisations — why? Because they're connected into multiple organisations.
So the blast radius of these IT service providers is really, really big. And, you know, as an example, we saw a breach last year that went after Royal Mail.
So the blast radius of these IT service providers is really, really big. And, you know, as an example, we saw a breach last year that went after Royal Mail.
Yes.
And they got breached through a German data collector called Spectos. Well, Spectos provides data collection for a bunch of different organisations in a bunch of different sectors.
So it was this magnification thing. We also saw Miljödata in Sweden, which is an HR company.
Most people have never heard of them — I never heard of them until they showed up in the report.
Well, the bad actors went after them and they compromised 200 entities — governments, universities, et cetera, and Volvo, a big car company.
And they compromised one company and had access into hundreds of organisations. So IT service providers tend to be that single repository. They have their fingers everywhere.
And we run up against the shoemaker's children problem — they generally are not focusing enough on locking down their own stuff, even though they're providing these services in a lot of cases for customers.
So it was this magnification thing. We also saw Miljödata in Sweden, which is an HR company.
Most people have never heard of them — I never heard of them until they showed up in the report.
Well, the bad actors went after them and they compromised 200 entities — governments, universities, et cetera, and Volvo, a big car company.
And they compromised one company and had access into hundreds of organisations. So IT service providers tend to be that single repository. They have their fingers everywhere.
And we run up against the shoemaker's children problem — they generally are not focusing enough on locking down their own stuff, even though they're providing these services in a lot of cases for customers.
So it's the whole supply chain problem once again, isn't it?
Yeah.
Yeah. Which is what the bad guys are exploiting here.
You can have all kinds of different businesses out there, but if they're reliant upon some kind of IT service provider and the IT service provider gets hit.
You can have all kinds of different businesses out there, but if they're reliant upon some kind of IT service provider and the IT service provider gets hit.
Yeah. And then you're in. And the reality is most of these IT service providers are considered trusted entities.
Yes.
And therefore, once you compromise them, get their credentials, you're inside and you're trusted. And once you're inside, the monitoring is gonna change.
What they're looking for is gonna change. And I don't think people look enough at sort of data exfiltration in bulk and those kinds of things.
So it's definitely an ongoing challenge. And I think we need to hold these folks to higher standards. And I don't think a lot of organisations out there recognise that.
You know, I always badly paraphrase Animal Farm by George Orwell. All partners are equal, but some partners are more equal than others.
And we see organisations struggle with prioritisation. This is not unique to the EU or the UK. This is a global problem.
But in these cases, we're seeing some specific examples that are regional in nature.
What they're looking for is gonna change. And I don't think people look enough at sort of data exfiltration in bulk and those kinds of things.
So it's definitely an ongoing challenge. And I think we need to hold these folks to higher standards. And I don't think a lot of organisations out there recognise that.
You know, I always badly paraphrase Animal Farm by George Orwell. All partners are equal, but some partners are more equal than others.
And we see organisations struggle with prioritisation. This is not unique to the EU or the UK. This is a global problem.
But in these cases, we're seeing some specific examples that are regional in nature.
And I think one of the takeaways I took from your report, and it makes really clear, is that this is now a legal question as much as a security one, because European regulation has fundamentally shifted where the accountability sits.
We've got the likes of NIS2 and DORA, which you've mentioned. The message is quite plainly that now you are legally accountable for your suppliers' security, not just your own.
But has that message got through to organisations yet?
We've got the likes of NIS2 and DORA, which you've mentioned. The message is quite plainly that now you are legally accountable for your suppliers' security, not just your own.
But has that message got through to organisations yet?
I think a little bit.
I've always said that the EU and the UK has definitely been more risk-aligned in the way security and information security and cybersecurity have been practised.
So I think historically that's the case. I think it is still the case.
And I think a byproduct of that is the regulations tend to be more risk-based and therefore they make much more sense within a business context.
So that being said, I think until we see people see these big financial impacts like JLR, like nights of the old KMP, I mean, I told that story in our customer advisory board and one of my customers in manufacturing put their hand up and said, yeah, that cost us $50 million 'cause the truck didn't show up with raw materials.
Right?
I've always said that the EU and the UK has definitely been more risk-aligned in the way security and information security and cybersecurity have been practised.
So I think historically that's the case. I think it is still the case.
And I think a byproduct of that is the regulations tend to be more risk-based and therefore they make much more sense within a business context.
So that being said, I think until we see people see these big financial impacts like JLR, like nights of the old KMP, I mean, I told that story in our customer advisory board and one of my customers in manufacturing put their hand up and said, yeah, that cost us $50 million 'cause the truck didn't show up with raw materials.
Right?
Right.
So the regulatory environment I think is definitely shifting.
I think one of the things that we at Black Kite focus on as a really, really important objective is collaboration is the key to success. The bad actors are collaborating.
They do it really well. They do it through affiliate networks. This is some stuff that shows up in the report. We are bad at collaborating. We are way too competitive.
We don't want to put out there what's going on because they don't want anybody pointing a finger and blaming. And that again is a global problem.
But I think that slowly but surely organisations are starting to realise, and if you look at attack surface management or continuous threat and exposure management, whatever the analyst firms call it these days, what we're starting to see is that security operations centres, the SOCs, are starting to realise that their perimeter is not the perimeter they need to focus on.
It's really about the perimeter that includes third parties. And as you mature, fourth, fifth, and sixth.
So I think from an operational perspective, I think we're seeing that from a regulatory perspective, we're seeing that, but it's always very slow.
I mean, you've been around a while.
It is very hard to get the board to shift focus, to get the CEO and the CFO and the COO to shift focus because they're focused on money coming in, money going out, and if something goes bad, who gets in trouble?
I think one of the things that we at Black Kite focus on as a really, really important objective is collaboration is the key to success. The bad actors are collaborating.
They do it really well. They do it through affiliate networks. This is some stuff that shows up in the report. We are bad at collaborating. We are way too competitive.
We don't want to put out there what's going on because they don't want anybody pointing a finger and blaming. And that again is a global problem.
But I think that slowly but surely organisations are starting to realise, and if you look at attack surface management or continuous threat and exposure management, whatever the analyst firms call it these days, what we're starting to see is that security operations centres, the SOCs, are starting to realise that their perimeter is not the perimeter they need to focus on.
It's really about the perimeter that includes third parties. And as you mature, fourth, fifth, and sixth.
So I think from an operational perspective, I think we're seeing that from a regulatory perspective, we're seeing that, but it's always very slow.
I mean, you've been around a while.
It is very hard to get the board to shift focus, to get the CEO and the CFO and the COO to shift focus because they're focused on money coming in, money going out, and if something goes bad, who gets in trouble?
Yep.
So we need to start more aligning our talk tracks and our conversations with money coming in, money going out, and who gets in trouble.
And I think it's happening and I do think it's accelerating. And I think a few years down the road, I think there will be much more focus on it.
I mean, the market we're in is growing like crazy. We are seeing a lot more interest now than we were last year and more last year than two, three years ago.
And I think that is a reflection of the focus there and the fact that people need to pay more attention to this.
And I think it's happening and I do think it's accelerating. And I think a few years down the road, I think there will be much more focus on it.
I mean, the market we're in is growing like crazy. We are seeing a lot more interest now than we were last year and more last year than two, three years ago.
And I think that is a reflection of the focus there and the fact that people need to pay more attention to this.
Now, this podcast, we're lucky enough to have listeners around the world, not just in Europe. And I think this report is actually relevant to folks outside of Europe as well.
I think there's a lot we can learn from this.
I think there's a lot we can learn from this.
Yeah.
For anyone who's listening who runs security, what's the single most important thing your report tells them to go and do?
You know, tomorrow when you arrive at your desk, what should you be doing?
You know, tomorrow when you arrive at your desk, what should you be doing?
I'm gonna cheat and I'm gonna give you a three-part answer.
Okay.
So the first part, Graham, is you need to inventory your suppliers. I talk to so many people and I say, how many vendors do you have? And they go, 50? I go, there's no way.
My wife runs a business out of our kitchen. She's got 36 suppliers. You have way more than 50, and it's not just IT suppliers, it's all of your suppliers. So that's the first.
The second thing is a follow-up to that. You need to prioritise them. You need to tier them. Not all of them are going to lead to the same exposure.
And then the third piece of that is you need to identify single points of failure.
A friend of mine was the chief security officer for a global manufacturer, and they had one supplier that manufactured a screw. That screw was only manufactured by that company.
That screw went into a module that went into an aerospace guidance system that went into military hardware all around the world. That small company was terrible at cyber.
And the CISO went to the board and said, "Look, I need $5 million. I gotta go buy a bunch of screws." And the board said, "What?" And he articulated that story.
They gave him the money and lo and behold, Graham, two weeks later, that screw supplier got hit with ransomware.
They were down for three weeks and this company didn't lose a minute of production.
My wife runs a business out of our kitchen. She's got 36 suppliers. You have way more than 50, and it's not just IT suppliers, it's all of your suppliers. So that's the first.
The second thing is a follow-up to that. You need to prioritise them. You need to tier them. Not all of them are going to lead to the same exposure.
And then the third piece of that is you need to identify single points of failure.
A friend of mine was the chief security officer for a global manufacturer, and they had one supplier that manufactured a screw. That screw was only manufactured by that company.
That screw went into a module that went into an aerospace guidance system that went into military hardware all around the world. That small company was terrible at cyber.
And the CISO went to the board and said, "Look, I need $5 million. I gotta go buy a bunch of screws." And the board said, "What?" And he articulated that story.
They gave him the money and lo and behold, Graham, two weeks later, that screw supplier got hit with ransomware.
They were down for three weeks and this company didn't lose a minute of production.
Right?
So if you don't have alternatives, you need to understand what your fallback is and can you be proactive? So I think those are really the key things, right?
So inventory, tiering, and identifying your critical points of failure. And I think that gets people closer to where they need to go.
There's obviously a bunch of stuff you need to do after that, but if you don't know who your partners are, how do you get them to change?
How do you get them to be more aligned with what we want them to do? And the answer is you can't. Because you're not engaged with them. And that's a problem.
And with AI, I don't know if anyone out there has heard it. It's this new technology, artificial intelligence. It's crazy, apparently.
And we're seeing more and more of that in organisations and agentic workflows and MCP servers and all of this stuff.
You're connecting to a bunch of people you don't know and never agreed to do business with.
So inventory, tiering, and identifying your critical points of failure. And I think that gets people closer to where they need to go.
There's obviously a bunch of stuff you need to do after that, but if you don't know who your partners are, how do you get them to change?
How do you get them to be more aligned with what we want them to do? And the answer is you can't. Because you're not engaged with them. And that's a problem.
And with AI, I don't know if anyone out there has heard it. It's this new technology, artificial intelligence. It's crazy, apparently.
And we're seeing more and more of that in organisations and agentic workflows and MCP servers and all of this stuff.
You're connecting to a bunch of people you don't know and never agreed to do business with.
Well, it's been really fascinating chatting with you today.
And listeners, if you want to learn more, you can find the 2026 European Cyber Risk Report — download your own copy at blackkite.com/smashing.
We'll put a link in the show notes as well. Jeffrey Wheatman of Black Kite, thank you so much for joining us today.
And listeners, if you want to learn more, you can find the 2026 European Cyber Risk Report — download your own copy at blackkite.com/smashing.
We'll put a link in the show notes as well. Jeffrey Wheatman of Black Kite, thank you so much for joining us today.
Graham, it has been an absolute pleasure. You have a great rest of the day, my friend.
Thank you.
Well, that just about wraps up the show for this week. Thank you so much, Danny, for joining us.
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?
Thank you for having me, first of all, and you can follow me on LinkedIn, Bluesky, trying to get back into using Mastodon more.
Got my website as well, which I should update far more regularly than I do. And of course, for the next sort of 6 weeks or so, you can catch my articles on infosecuritymagazine.com.
I'm still there until my contract is up, and then I'll be off to explore the world on my own again.
Got my website as well, which I should update far more regularly than I do. And of course, for the next sort of 6 weeks or so, you can catch my articles on infosecuritymagazine.com.
I'm still there until my contract is up, and then I'll be off to explore the world on my own again.
Terrific stuff. And you can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky and Mastodon, and even Reddit.
And don't forget to ensure you never miss another episode — follow Smashing Security in your favourite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.
Episodes, show notes, sponsorship info, guest lists, and the entire back catalog of 473 episodes — check out smashingsecurity.com. Until next time, cheerio. Bye-bye.
And don't forget to ensure you never miss another episode — follow Smashing Security in your favourite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.
Episodes, show notes, sponsorship info, guest lists, and the entire back catalog of 473 episodes — check out smashingsecurity.com. Until next time, cheerio. Bye-bye.
Bye-bye.
You've been listening to Smashing Security with me, Graham Cluley, and huge thanks, of course, to Danny Palmer for joining us this week and to this episode's sponsors, ProtonPass, Black Kite, and Vanta.
And you know what? We've also got to thank the patrons, haven't we?
Yes, those people who've signed up for Smashing Security Plus, because we're going to pick a few of their names out of the hat right now to thank them. Thank them specifically.
We've got Daniel Kromeck, sounds like a dab hand at opening a jar of pickles. Jack Unverfurth. Orborus, which is, could be a person, maybe a snake with an appetite for its own tail.
Dan H, who perhaps wisely thought twice about sharing his surname.
Billy loves the podcast, but is even more privacy conscious than Dan, and so can't even tell us a single letter of his surname. MJ Lee.
Well, we know their surname, but we're just getting initials for the forenames now.
And you know what? We've also got to thank the patrons, haven't we?
Yes, those people who've signed up for Smashing Security Plus, because we're going to pick a few of their names out of the hat right now to thank them. Thank them specifically.
We've got Daniel Kromeck, sounds like a dab hand at opening a jar of pickles. Jack Unverfurth. Orborus, which is, could be a person, maybe a snake with an appetite for its own tail.
Dan H, who perhaps wisely thought twice about sharing his surname.
Billy loves the podcast, but is even more privacy conscious than Dan, and so can't even tell us a single letter of his surname. MJ Lee.
Well, we know their surname, but we're just getting initials for the forenames now.
Who else?
Saital, Mark Norman. Could be— sounds like should probably be presenting the 7 o'clock news. And the utterly delicious Sammy Doza.
Those are just a few of the members of Smashing Security Plus.
And because they are members, they get their episodes ad-free and earlier than the general public, and they can have their details pulled out at random and mercilessly mocked at the end of the show.
If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus, because it puts a few shekels in my pocket, and I'm always grateful for that.
Keeps the servers running. But you don't have to support us financially. You can also support us in other ways.
You can subscribe, leave a 5-star review, or maybe tell your friends about the show. Simply spread the word. Why not?
Because every little bit helps and it makes all the effort worthwhile. Until next week, where I hope you'll be tuning in again. Cheerio. Bye-bye.
Those are just a few of the members of Smashing Security Plus.
And because they are members, they get their episodes ad-free and earlier than the general public, and they can have their details pulled out at random and mercilessly mocked at the end of the show.
If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus, because it puts a few shekels in my pocket, and I'm always grateful for that.
Keeps the servers running. But you don't have to support us financially. You can also support us in other ways.
You can subscribe, leave a 5-star review, or maybe tell your friends about the show. Simply spread the word. Why not?
Because every little bit helps and it makes all the effort worthwhile. Until next week, where I hope you'll be tuning in again. Cheerio. Bye-bye.
Host:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Guest:
Danny Palmer:
/ dannypalmerwriter
Episode links:
- Suspected cyberattack triggers false emergency alerts across parts of Brazil – The Record.
- Gizmodo readers hit with ClickFix malware prompts after account compromise – The Register.
- Two men plead guilty over £39m Transport for London cyber attack – BBC News.
- Helpdesk scammers are making house calls to make their lies feel more real – The Register.
- Dutch cops’ shame games nets 74 wanted fraudsters – The Register.
- Omgebrachte vrouw (80) in Amsterdam vermoedelijk slachtoffer van nepagenten – NU.
- Mr Benn – Wikipedia.
- I Could’ve Rickrolled the Entire FIFA World Cup. All I Needed Was My ID – Bobdahacker.
- Bug in FIFA World Cup internal system gave anyone ability to modify TV stream – TechCrunch.
- Iceberger – Draw an iceberg and see how it will float.
- Fallout: London – GOG.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Black Kite – Read Black Kite’s 2026 European Cyber Risk Report to explore the latest ransomware trends, top threat actors, and how supplier breaches are reshaping cyber risk across Europe.
- Proton Pass – The password manager for businesses that can’t compromise on security or slow their team down. Start a free trial.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
