PHISH & TELL 008

The Cybersecurity Brief for Women Who Mean Business

👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

I’m hurrying to publish this before the battery runs out while traveling by train — if you catch an error, let me know and I’ll zoom back to update it when I’m back online! 😆 

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Here are the top cybersecurity stories from this week that are most relevant to small businesses—along with why they matter and what you can do about them.

  1. Microsoft vendor TCS tied to M&S ransomware investigation

    Ongoing investigation suggests hackers may have penetrated Marks & Spencer systems through vulnerabilities at TCS, their IT vendor.

    ✅ Why it matters: If your small business uses outsourced IT, vendor security gaps could be your gap too. (Note: Many IT vendors have started tacking on security scanning and similar services. Depending on what you have in place, some particular services may be appropriate, but on their own, they are usually not sufficient. Better than nothing, but not sufficient or strategic. Use our free Holistic Evaluation of Risk worksheet — with an example business filled in — to see how they fit in.)

    👉 What to do: Perform a vendor risk assessment, ask for their recent pentest results, and include indemnity clauses in service agreements.

  2. Supply-chain cyberattack starves grocery shelves

    United Natural Foods suffered a cyberattack, disrupting supply to Whole Foods and other grocers—leading to empty shelves nationwide.

    ✅ Why it matters: Small retailers dependent on food suppliers can’t rely on just “what’s on the shelf.” Breaches upstream affect your availability and revenue.

    👉 What to do: Identify alternative suppliers, include cyber resilience clauses in vendor contracts, and maintain an inventory buffer for critical products.

  3. CISA warns—ransomware exploiting SimpleHelp tool

    The U.S. advisory (AA25‑163A) reports ransomware gangs using unpatched SimpleHelp RMM software to breach utility billing providers.

    ✅ Why it matters: Businesses working with IT support services using SimpleHelp are at high risk of being collateral victims.

    👉 What to do: Ask your IT vendor if they use SimpleHelp; if yes, ask if they’ve applied patches to version 5.5.8 or newer. Request verification. (I know this can be a tough one to ask — it feels intrusive — but it’s typical; they are used to it.)

  4. SMBs under siege: 2.9 b credential leaks, 25% ransomware jump

    New threat intelligence reveals massive credential leaks and a 25% spurt in ransomware attacks targeting small businesses.

    ✅ Why it matters: Weak passwords and reused credentials are primary attack vectors for smaller organizations.

    👉 What to do: Enforce unique, strong passwords with a password manager and enable MFA everywhere, especially on email and admin accounts.

  5. AI-enhanced phishing, deepfake voice scams now mainstream

    AI-driven attacks are escalating in sophistication—realistic voice phishing, hyper-targeted emails, and adaptive malware are on the rise.

    ✅ Why it matters: These attacks are hard for non-technical staff to detect and can bypass conventional email filters, increasing risk.

    👉 What to do: Update employee training to include AI threats, role-play deepfake calls, and add a verification step for voice requests (e.g., call-backs on known numbers).

🔍 In Case You Missed It (ICYMI)

🤖 The LOL-gorithm

🧷 THE SAFETY SNAP

🛡️ Personal Cyber Safety Tip for Women: Protect Your Voice from Deepfake Scams

Avoid sharing voice recordings publicly—especially on social media platforms. AI tools can now clone voices from just a few seconds of audio, enabling scammers to impersonate you in convincing voice phishing attacks.

How-To:

  • Limit voice notes or videos shared online.

  • Use privacy settings to restrict who can see/hear your posts.

  • In professional settings, ask clients or contacts to confirm sensitive requests through a known, secure method (like a verified callback).

Why it matters: Deepfake voice scams are increasingly targeting women in leadership, customer service, and finance roles—often using emotional manipulation to trick colleagues or clients.

💬 A PERSONAL NOTE

We’ve got some exciting things in the works!

  • We’re kicking off our Kickstarter for our deal-your-own-security card deck soon! Sign up to be notified when we go live!

  • We are wrapping up signups for our first accelerator tonight! See the webinar replay above in the ICYMI section.

  • We participated in a Pride panel at Vista, along with Charlie Sprinkman of Everywhere is Queer and ally Francine Coughlin of Bark and Roll.

  • We are now a Certified LGBT Business Enterprise® through the NGLCC Supplier Inclusion and Education Initiative. Thanks to the NGLCC and the CLGBTCC for their support through the process.

👂 TELL ME

Are you finding this newsletter helpful? Do you have questions or topics you’d like addressed? Hit reply and let me know :-)

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷