PHISH & TELL 017

The Cybersecurity Brief for Women Who Mean Business

👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Top stories of the week, how they are relevant to you, and what to do about them.

  1. Patch Tuesday! Microsoft issues big security update – don’t ignore it
    Source: The Hacker News, Microsoft August 2025 Patch Tuesday Fixes Kerberos Zero-Day Among 111 Total New Flaws

    Microsoft released its August updates fixing more than a hundred security bugs in Windows and other products. One of the bugs was already being used by criminals to break into systems.
    Why it matters: Unpatched computers are low‑hanging fruit for hackers. Cybercriminals look for outdated software to get inside networks.
    What to do: Make sure you set Windows, Office and any Microsoft cloud services to update automatically. (This is generally true for any operating system, browser, program, or app.) Restart computers after updates and remind employees to do the same at home; otherwise, patches don’t take effect. If you outsource IT to a managed service provider (MSP), ask them to confirm they have applied the latest patches.

  2. Booby‑trapped archive files are spreading malware
    Source: The Hacker News, WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately

    Hackers found a way to hide malicious files inside zipped archives created with the popular WinRAR program. When unsuspecting users opened the attachment, malware could be installed behind the scenes.
    Why it matters: Many of us receive compressed files by email. One careless click on a fake invoice or document could infect your entire network.
    What to do: Update WinRAR (if you use it) to the latest version (7.13 or newer). Remind team members not to open unexpected ZIP or RAR files, even if they look legitimate. When possible, rely on the built‑in compression tools in Windows or Mac to avoid extra risk.

  3. Do you run Google Ads? Attackers stole contact lists
    Source: Bleeping Computer, Google confirms data breach exposed potential Google Ads customers' info

    Google disclosed that hackers tricked an employee into installing malware and stole about 2.5 million business contacts from its advertising sales database. No credit‑card or payment information was taken, but the criminals attempted to extort Google for a ransom.
    Why it matters: If you advertise on Google, your business contact details may be among the stolen data. Attackers could use those details to send convincing scam emails or phone calls.
    What to do: Stay alert for unusual messages referencing your ad campaigns. Tell staff not to install unofficial browser extensions or apps. Turn on two‑factor authentication for your Google Ads and CRM accounts and review who has access to your contact lists.

  4. Ransomware shutters city services in St. Paul
    Source: Bleeping Computer, Saint Paul cyberattack linked to Interlock ransomware gang

    Hackers struck the city government of Saint Paul, Minnesota, shutting down many online services and stealing more than 66,000 files. The city called in the National Guard for help and refused to pay a ransom.
    Why it matters: Ransomware doesn’t just hit big companies—it also disrupts city services, hospitals and small businesses. Criminals may publish stolen documents to pressure victims.
    What to do: Keep backups disconnected from your network so you can recover if attacked. Train your staff to spot phishing emails, since most ransomware infections start with a malicious link. Review your business’s relationships with local governments for potential exposure.

  5. Even “phishing‑proof” logins have weaknesses
    Source: Cyber Press, FIDO Under Fire – How ‘Phishlet’ Kits Enable Authentication Downgrade Attacks

    Researchers discovered a technique that can force Microsoft’s passkey (FIDO) logins to fall back to less secure methods. By making the website think you’re using an unsupported browser, attackers could prompt you to use a code instead—and then steal that code.
    Why it matters: Passkeys and hardware tokens (like YubiKeys) are marketed as phishing‑proof, but there’s still room for user error. Hackers look for any opportunity to trick people into using weaker verification.
    What to do: Don’t blindly trust prompts asking you to switch authentication methods. If a login looks unusual, close the window and start again through your normal sign‑in page. Where possible, turn off backup methods like text codes when using passkeys.

Not sure what applies to your business or what your options are? Let’s talk.

🔍 In Case You Missed It (ICYMI)

🤖 The LOL-gorithm

🧷 THE SAFETY SNAP

As entrepreneurs, we often think about safeguarding our companies and forget about our own safety. Here’s a personal safety tip inspired by Interfor International’s guidance for women living in cities:

  • Tell a friend where you’re going. When meeting a client or friend at a new location or using a rideshare service, let someone know your destination and expected return time. Many smartphones allow you to share your real‑time location with trusted contacts.

  • Trust your instincts. If a situation feels wrong, leave immediately. Use your peripheral vision to stay aware of who is around you and don’t worry about appearing rude—your safety comes first.

  • Double‑check your ride. Only get into rideshares you summoned and verify the driver’s name, photo and license plate. Predators sometimes pose as drivers to lure women into their cars.

💬 A PERSONAL NOTE

School is back in session. The college kids are geared up. The not-yet-college kids are facing the Yondr pouches starting today. Bro, the kids are NOT excited. If you’re not familiar with them, Yondr pouches are lockable pouches used to create phone-free environments, primarily in schools. Students power down their phones and place them in the pouch upon arrival, and the pouch remains locked throughout the school day. They are unlocked at the end of the day using a special unlocking device. The pouches are intended to reduce distractions and allow students to focus without digital interruptions. 

Kids and parents alike are having strong feelings about these. What do you think? I’m curious to hear.

👂 TELL ME

Are you finding this newsletter helpful? Do you have questions or topics you’d like me to cover? Let me know :-) [email protected]

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷