PHISH & TELL 020
The Cybersecurity Brief for Women Who Mean Business

👋 WELCOME to Phish & Tell™️, from Security Done Easy™️
You’re not just building a business.
This was a tough week, in a number of ways. Be kind to yourselves.
🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK
Top stories of the week, how they are relevant to you, and what to do about them.
Malicious browser extensions masquerade as marketing tools to hijack Meta accounts
Source: The Hacker News, Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts
Researchers found ads promoting fake “Meta Verified” and AI‑powered marketing extensions that tricked users into installing malicious browser add‑ons. These extensions, hosted on legitimate cloud services, secretly harvested Facebook session cookies, IP addresses and credentials. Attackers used stolen cookies to interact with the Facebook Graph API and take over business ad accounts.
Why it matters: Many women‑owned businesses rely on Facebook and Instagram ads to reach customers. Installing unknown extensions could hand criminals the keys to your ad budget and customer data.
What to do: Only install extensions from trusted developers. Review and remove unused browser add‑ons, enable multi‑factor authentication (MFA) on social media accounts and watch for unexplained changes to your ad campaigns.
Microsoft Patch Tuesday fixes 81 flaws, including two public zero‑days
Source: Bleeping Computer, Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days
On September 9, Microsoft released security updates for 81 vulnerabilities across Windows, Office and other products. Two publicly disclosed zero‑day flaws were patched. Microsoft also recommends enabling SMB Server signing and Extended Protection. Other vendors, including Adobe, Cisco and SAP, released their own fixes during the patch cycle.
Why it matters: Routine patching is one of the simplest ways to block attacks. SMB owners often wear many hats and might postpone updates, giving hackers an easy way in.
What to do: Schedule regular update windows and enable automatic updates on workstations and servers. After installing September’s patches, enable SMB signing and extended protection. Don’t forget to update third‑party software like Adobe Acrobat and SAP if you use it.
Retailers unite through RH‑ISAC
Source: Cybersecurity Dive, How the retail sector teams up to defend against cybercrime
After U.S. retailers such as Victoria’s Secret and Belk were hacked by the Scattered Spider cybercrime group, the Retail & Hospitality Information Sharing and Analysis Center (RH‑ISAC) coordinated threat intelligence and response strategies across the industry. RH‑ISAC members shared indicators of compromise, playbooks, and lessons learned in real time. The group also collaborated with British partners who faced similar attacks. Scattered Spider relies heavily on social engineering, tricking help‑desk staff into resetting passwords or even joining victims’ internal meetings.
Why it matters: Collaboration isn’t just for big brands. Sharing information with peers and industry groups can help small retailers spot emerging scams sooner. Social‑engineering attacks exploit kindness and pressure, traits often valued in customer service.
What to do: Join local or industry‑specific security forums. Educate staff to politely verify requests before resetting accounts, especially during busy seasons. Use layered defenses – technical controls are important, but human awareness is critical.
Pentagon finalizes Cybersecurity Maturity Model Certification (CMMC) rule and offers training for small businesses
Source: Federal News Network, With CMMC rule final, DoD focused on training, small business relief
The Department of Defense published the final rule for its Cybersecurity Maturity Model Certification (CMMC 2.0) program, with the first phase taking effect on November 10, 2025. The DoD is launching training classes and online videos through the Defense Acquisition University to help contractors meet the new requirements. Officials are working with the Small Business Administration to explore financial relief for small contractors. The CMMC program uses a phased approach: self‑assessments for less sensitive data and third‑party audits for high‑risk contracts.
Why it matters: Many women‑owned SMBs supply goods and services to government agencies. Meeting CMMC requirements will soon be a condition for winning defense contracts. The costs and complexity of compliance could be daunting without support.
What to do: If you’re a federal contractor or hope to become one, familiarize yourself with the CMMC 2.0 framework. Take advantage of DoD‑provided training and consult with qualified assessors. Budget for security improvements and advocate for financial assistance programs.
AI‑powered “SpamGPT” lowers the bar for mass phishing
Source: Varonis, SpamGPT: The AI Tool Elevating Email Security Threats for Enterprises
Varonis researchers uncovered “SpamGPT,” an underground spam‑as‑a‑service kit that combines generative‑AI tools with a full‑blown email‑marketing dashboard. Advertised on hacker forums, SpamGPT lets criminals craft convincing phishing emails, manage campaigns and monitor results using an interface that mimics legitimate marketing platforms. It even includes a built‑in AI assistant to suggest subject lines and content. The service emphasises guaranteed inbox delivery by abusing cloud providers such as Amazon AWS or SendGrid to blend in with legitimate traffic. It also offers “SMTP cracking” lessons and tools to forge sender identities, helping attackers bypass basic email‑authentication controls.
Why it matters: Small businesses often lack dedicated security staff and are prime targets for phishing. SpamGPT makes it easier for criminals with little technical skill to send large volumes of believable scam emails, increasing the likelihood that someone will fall for a fake invoice or urgent request.
What to do: Ensure your domains have proper SPF, DKIM and DMARC records to make spoofing harder, and enforce DMARC rejection policies. Use advanced email‑security services that detect AI‑generated or suspicious messages. Train employees regularly to recognise phishing attempts, and encourage them to verify unusual requests (such as wire‑transfer changes) by phone or in person.
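One way to check whether a domain’s SPF and DMARC records are actually enforcing, as the advice above recommends. This is an added example, not code from the newsletter; the domains and TXT records are constructed samples, and a real check would look the records up over DNS instead of reading them from a dictionary.

```python
"""Flag weak SPF / DMARC settings: a permissive 'all' qualifier, p=none,
partial pct, or no reporting address. Sample records are constructed."""
import re

# Constructed TXT records for hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "strong.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:reports@strong.example"],
    "nodmarc.example": ["v=spf1 ip4:192.0.2.10 -all"],
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; pct=100' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means SPF and DMARC look enforced."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    else:
        # The 'all' qualifier decides what happens to unlisted senders; only '-all' fails them.
        match = re.search(r"(?:^|\s)([+?~-]?)all\b", spf[0])
        if not match or match.group(1) in ("+", "?", ""):  # no prefix means '+all'
            findings.append("SPF does not fail unauthorized senders (use -all)")
        elif match.group(1) == "~":
            findings.append("SPF softfail (~all); move to -all once DMARC reports are clean")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy != "reject":
            findings.append("DMARC policy is p=%s; spoofed mail is not rejected" % policy)
        if tags.get("pct", "100") != "100":
            findings.append("DMARC pct=%s applies the policy to only part of the mail" % tags["pct"])
        if "rua" not in tags:
            findings.append("no rua= address; you will not receive aggregate reports")
    return findings
```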
Not sure what applies to your business or what your options are? Let’s talk.
🔍 In Case You Missed It (ICYMI)
This week’s blog post: How to Handle Online Harassment Without Losing Your Sanity (or Your Business) »
We have a free 3-page PDF resource: How to Identify and Avoid Scams: A Simple Guide »
Follow us on LinkedIn, Facebook or Instagram. YouTube is in the works (subscribe to get notified when I finally start getting these videos out there!)
🤖 The LOL-gorithm
This just wasn’t really a funny week. This captured some of the feeling of being a mom, though.

🧷 THE SAFETY SNAP
Verify your ride before you get in. When using rideshare services, check the driver’s license plate and car make/model in the app before hopping in, and ask the driver to confirm your name. Share your trip with a trusted friend. Criminals have posed as rideshare drivers to target women, so trust your instincts and never be afraid to cancel if something feels off. (Uber and Lyft offer options for women to give priority to women drivers.)
💬 A PERSONAL NOTE
I attended the first two virtual sessions of the NGLCC iLead: Grow, Scale, and Contract Program, and connected with some interesting people and learned new things. I attended a workshop on AI Marketing for IT/security-related businesses put on by TMT, and met more interesting people. And I was asked for my first Capabilities Statement as part of a grant application — so I learned how to write one, in a hurry!
Emotionally, it was a tough week. I flew in to Newark airport and seeing the columns of light at night where the twin towers in NYC used to be really hit me. Then, the political violence through the week was horrible, followed by another school shooting. And I had some personal business to handle, plus a couple things were going on with my kids, which was tough to handle long-distance. The mom guilt was real. I ended up taking Friday and most of Saturday off, including playing cards with my two youngest, which was much needed. Be kind to yourselves, too, when you need a little more rest or care.
👂 TELL ME
Are you finding this newsletter helpful? Do you have questions or topics you’d like me to cover? Let me know :-) [email protected]

You’re subscribed to Phish & Tell™️ because your business is worth protecting.
🩷