PHISH & TELL 024

The Cybersecurity Brief for Women Who Mean Business


👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

As I mentioned last week, I’m going to do 3 news stories instead of 5. I got feedback that 5 was too overwhelming, and I don’t want that!

Also, I am going to send out an email with one single focused tip on Wednesdays, starting in the next week or two. (You’ll be able to opt out without unsubscribing from everything.) I wanted to test it on myself first and I have a few tweaks to make.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Top stories of the week, how they are relevant to you, and what to do about them.

  1. Critical WordPress Service Finder theme flaw lets attackers become admins. Researchers discovered an authentication‑bypass vulnerability in the Service Finder WordPress theme used by booking‑and‑service marketplaces. Attackers can reset user passwords and gain full admin control without any authentication, according to The Hacker News. Wordfence observed more than 13,800 exploitation attempts since August. Why it matters: Many small businesses use WordPress sites built on themes like Service Finder for online bookings and payments. What to do: Immediately update the theme to version 6.1 or newer and audit your website for newly created admin accounts.

  2. SonicWall confirms firewall backups were stolen for every customer. SonicWall disclosed that configuration backups for customers who use its cloud‑based backup service were stolen in September, per Bleeping Computer. These backups may contain VPN keys, passwords and other sensitive settings. Why it matters: Many small businesses use SonicWall firewalls to protect networks and remote‑access VPNs. Stolen configs can help attackers pinpoint weak passwords and gain access. What to do: SonicWall advises customers to rotate device passwords, regenerate VPN keys, delete existing backups and upgrade to the latest firmware.

  3. AI notetakers may spill sensitive meeting data. Dark Reading warns that AI‑powered transcription tools like Otter.ai, Granola and Limitless capture and store entire meeting transcripts. Because transcripts are often uploaded to third‑party vendors with varying security practices, sensitive customer or employee discussions could be exposed or sold. Why it matters: Remote meetings are common in small businesses; using AI notetakers without vetting vendors could violate privacy laws and put trade secrets at risk. What to do: Create policies for AI transcription tools: require explicit consent before recording, review the provider’s security stance, and disable auto‑upload features.

    Not sure what applies to your business or what your options are? Let’s talk.

🔍 In Case You Missed It (ICYMI)

  • This week’s blog post: Why Your Business Emails Might Be Lying About You (and How to Fix It Before Scammers Do) »  Email impersonation is now one of the most common ways scammers trick people — and small businesses like ours are easy targets. A quick behind-the-scenes setup can make your domain almost un-spoofable. See the following free resource…

  • I added a domain scanner to my Resources page for you. Try it out! It’ll tell you whether your domain records are set up correctly, so that your domain (example.com, for example) can’t be spoofed and used by criminals to phish your own customers in your name, and so that your emails are less likely to be marked as spam (and therefore more likely to reach your customers). I’ll be diving into the security aspects of these records in my next blog.
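The records a domain scanner like this looks at are the SPF and DMARC TXT records published in DNS. Here is an added example (not the newsletter’s scanner) that shows what “set up correctly” means for those two records: it parses the record text and reports the weak settings that let someone else send mail as your domain. The records it checks are constructed samples embedded in the script so it runs offline; the domain names are placeholders, not real lookups.

```python
"""Offline checker for the DNS TXT records that stop email spoofing.

Added example, not the newsletter's scanner. SPF lives in a TXT record at
the domain itself; DMARC lives in a TXT record at _dmarc.<domain>. The
records below are constructed samples so this runs without network access;
swap in real DNS queries to use it live.
"""
import re

# Constructed sample answers, keyed by DNS name (None = no record published).
SAMPLE_TXT = {
    "good.example": "v=spf1 include:_spf.example.net -all",
    "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s",
    "weak.example": "v=spf1 include:_spf.example.net +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "missing.example": None,
}


def parse_tags(record):
    """Parse 'k=v; k=v' (DMARC syntax) into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for an SPF record; empty means it looks right."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: anyone can send mail claiming to be this domain"]
    terms = record.split()[1:]
    # The final 'all' mechanism decides what happens to senders not listed.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism; unlisted senders are not rejected")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends in '+all': every sender on the internet passes")
        elif qualifier == "?":
            findings.append("SPF ends in '?all': neutral, offers no protection")
        elif qualifier == "~":
            findings.append("SPF ends in '~all' (softfail); '-all' is stricter")
    # These mechanisms each cost a DNS lookup; receivers stop evaluating after 10.
    lookups = [t for t in terms
               if re.match(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", t, re.I)]
    if len(lookups) > 10:
        findings.append("SPF needs more than 10 DNS lookups; receivers treat that as a permanent error")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means it looks right."""
    findings = []
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record: receivers have no policy for spoofed mail"]
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is monitored but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC has an invalid or missing policy: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def scan_domain(domain, txt=SAMPLE_TXT):
    """Check both records for a domain; returns {'spf': [...], 'dmarc': [...]}."""
    return {
        "spf": check_spf(txt.get(domain)),
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "missing.example"):
        print(name, scan_domain(name))
```

To run it against a real domain, replace the `SAMPLE_TXT` lookup with a TXT query (for example via the `dnspython` library) and keep the checks as they are; the two results a business owner should aim for are an SPF record ending in `-all` and a DMARC policy of `quarantine` or `reject` with a `rua=` reporting address.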

🤖 The LOL-gorithm

🧷 THE SAFETY SNAP

Fraudsters are increasingly tampering with QR codes — the scannable squares used for menus, parking meters and contact‑free payments. For example, in one scheme, crooks cover or swap legitimate payment QR codes in restaurants so customers are unknowingly redirected to malicious sites that siphon off credentials or divert payments. Because QR codes look innocuous, people often scan them without verifying where they point.

What to do and watch for:

  • Inspect physical codes: When using QR codes for payment or marketing, regularly check that stickers and signs haven’t been covered or swapped.

  • Verify URLs after scanning: Encourage staff and customers to preview the link that appears after scanning and make sure it goes where you expect, before you click on it.

  • Train your family: Teach family to be skeptical of unsolicited QR codes sent via email, text or packages. The FBI warns that scammers sometimes send gifts or packages containing QR codes to lure victims into entering sensitive information. (Several families in my area have gotten such packages.)
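“Make sure it goes where you expect” is easy to say and surprisingly easy to get wrong, because a scammer’s link is built to look right at a glance. As an added example (not from the newsletter), here is a small check that takes the URL a QR scanner decodes and compares it with the domain you expected, flagging the common disguises: a look-alike name in front of an `@`, a raw IP address, an unencrypted `http` link, and non-ASCII or punycode hosts that imitate a familiar name. The expected domain and the sample links are constructed placeholders.

```python
"""Check where a scanned QR link really points before opening it.

Added example, not from the newsletter. Given the URL string a QR scanner
decoded and the domain you expected (for example a restaurant's own site),
return a list of warnings; an empty list means the link goes where expected.
All domains and URLs used below are constructed placeholders.
"""
from urllib.parse import urlsplit
import ipaddress


def host_matches(host, expected_domain):
    """True if host is expected_domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def inspect_scanned_url(url, expected_domain):
    """Return warnings about a decoded QR link; [] means it looks right."""
    warnings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {scheme!r}; a payment or menu link should be https")
        return warnings
    if scheme == "http":
        warnings.append("plain http: the page is not encrypted, never enter payment details")
    host = parts.hostname or ""
    if parts.username is not None:
        # e.g. https://cafe.example@pay-now.example/ : the real host is after the '@'
        warnings.append(f"text before '@' ({parts.username!r}) is not the site; real host is {host!r}")
    if not host.isascii():
        warnings.append("non-ASCII host: look-alike characters may imitate a familiar name")
    elif host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host: look-alike characters may imitate a familiar name")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not the business's domain")
    except ValueError:
        pass
    if not host_matches(host, expected_domain):
        warnings.append(f"host {host!r} is not {expected_domain!r} or a subdomain of it")
    return warnings


if __name__ == "__main__":
    expected = "cafe.example"  # constructed placeholder for the real business domain
    for link in ("https://pay.cafe.example/table/12",
                 "https://cafe.example@pay-now.example/table/12",
                 "http://203.0.113.5/pay"):
        print(link, "->", inspect_scanned_url(link, expected) or "OK")
```

The first sample passes, the second is the `@` trick (the browser would go to `pay-now.example`, not `cafe.example`), and the third is an unencrypted link to a bare IP address. The same idea applies to a human preview: read the part of the address just before the first `/`, and treat anything before an `@` as decoration.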

By understanding how these scams work and taking simple precautions, you can continue to use QR codes safely without giving fraudsters a free meal.

💬 A PERSONAL NOTE

Four Apps That (Surprisingly) Delight Me

I added a few things to my bookshelf in Roam — it’s like having a little office space online. While I was arranging things, I realized something: I’m using four apps right now that genuinely delight me. That’s not a word I use often. Most tools are… fine. These ones actually make me happy to open them.

Here they are:

Roam — Think virtual office, not Zoom call. It feels more like a real workspace — people come and go, conversations happen naturally, and you can decorate your own little corner. It also has an auditorium for big events. I’m testing 8-minute drop-in meetings right now. Want to drop in? Let’s try it! (You can check out my bookshelf, too.) Green light means I’m available. Red means I’m in deep work mode. https://ro.am/alexia-idoura 

Motion — I tried it years ago and gave up quickly. Tried again this year and now I rely on it. It’s an AI calendar that builds your day for you, based on what’s important and urgent. The AI employees are a work in progress — some are way beyond my expectations and some have a ways to go, including the ones I set up myself.

Cora — My inbox is calmer because of this one. Instead of organizing emails, it figures out what needs action and makes it actionable right then and there. It doesn’t just label an email. I now deal with email twice a day and don’t miss things like I used to. I don’t like the “add to to-do list” feature — I do better forwarding those to Motion if I can’t act on them right then. A separate to-do list becomes a black hole.

Snipd — I never got into podcasts until I found this. It pulls out the best bits, summarizes them, and helps me actually remember what I listened to. It creates ready-to-share socials, which I haven’t used yet but I should! And it has nice features for driving so you don’t get distracted trying to save something or make a note.

All of these use AI, but for most of them, AI isn’t just sprinkled on top — it’s what makes them work. I chose them for what they do, not just because they are new shiny AI toys.

Now I’m curious — what’s delighting you lately? Doesn’t have to be an app. Could be a notebook, a morning ritual, or a new way you’ve made tech work for you instead of against you. Hit reply and tell me.

👂 TELL ME

I’d love your feedback—do you prefer the new 3-story format? Just hit “reply” and let me know!

Stay safe and see you next week! 🌟 

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷