PHISH & TELL 027

The Cybersecurity Brief for Women Who Mean Business


👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

It’s been another busy week in cybersecurity! I’ve combed through trusted sources like BleepingComputer, The Hacker News, Help Net Security, and more to pull together the key stories women small‑business owners need to know. Each item below explains what happened in plain English, why it matters to your business and what you can do about it. Let’s dive in.

  1. 🎃 Halloween scams flood inboxes and feeds

    Source: Trick or Treat: Bitdefender Labs Uncovers Halloween Scams Flooding Inboxes and Feeds

    What happened: Halloween‑themed scams surged in the past few weeks. About 63% of Halloween‑related emails were malicious, offering fake candy packs, costume discounts or Bitcoin giveaways. On social media, scammers promoted Amazon and Home Depot “surveys,” lottery scams and malvertising that delivered malware. Criminals love holidays!

    Why it matters: Seasonal scams exploit familiar brands and urgency (“limited‑time offer!”). Your staff might click an email promising a free giant skeleton or fill out a bogus survey, exposing the company to credential theft or malware.

    What you can do: Remind yourself and team members to be extra cautious around holiday promotions. Verify deals by visiting the retailer’s official site directly rather than clicking embedded links. Encourage everyone to report suspicious messages so they can be blocked.

  2. 🛡️ WordPress plugin bug exposed private files

    Source: WordPress security plugin exposes private data to site subscribers

    What happened: A flaw in the widely used Anti‑Malware Security and Brute‑Force Firewall plugin (over 100,000 installs) allowed any logged‑in subscriber to read arbitrary files on the WordPress server – including the sensitive wp‑config.php configuration file. Ugh. A fixed version was released on 15 October.

    Why it matters: Many small businesses use WordPress to run their websites. A compromised plugin can expose database credentials or API keys stored in wp‑config.php, allowing attackers to hijack your site, deface it or steal customer data.

    What you can do: Log in to your WordPress dashboard and check that all plugins are updated. Remove plugins you don’t use, and only install extensions from reputable developers. Restrict subscriber‑level accounts so they can’t access sensitive settings, and back up your site regularly.

  3. 💸 Ransomware profits drop as fewer victims pay up

    Source: Ransomware profits drop as victims stop paying hackers 

    What happened: New research from Coveware shows that only about 23% of companies hit by ransomware paid the attackers in the third quarter of 2025, down from 28% in early 2024. Payment rates have been declining for six years. Coveware credits better defenses, stronger incident‑response capabilities and increased pressure from law enforcement to avoid paying. Average ransom payments fell to $377,000 and median payments to $140,000.

    Why it matters: Attackers are still targeting small and medium‑sized businesses because they believe you’re more likely to pay. Refusing to pay denies them revenue and may discourage future attacks. Understanding how ransomware tactics are evolving – from simple encryption to double extortion – helps you prepare.

    What you can do: Develop an incident‑response plan that includes backups, business‑continuity procedures and clear guidelines not to pay ransoms. Invest in security awareness training so employees recognise phishing and remote‑access scams. Keep systems patched and use multifactor authentication on VPNs and remote‑access tools.
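For the WordPress advice in story 2, the check "are all my plugins updated?" can be run from the command line instead of the dashboard if your host provides WP-CLI (the `wp` command). The script below is an added example written for this issue, not code from the newsletter or from the plugin's authors. It assumes WP-CLI is installed and that you run it from your site's root directory; the sample CSV and the plugin name `example-firewall-plugin` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the newsletter): find WordPress plugins that need updating
# or are installed but unused, using WP-CLI output. Assumes `wp` is on PATH when
# run with --live; otherwise it runs against constructed sample data.

# Print plugins whose "update" column says "available", with their current version.
# Input is CSV in the shape of:
#   wp plugin list --fields=name,status,update,version --format=csv
outdated_plugins() {
  # NR > 1 skips the header row; $3 is the "update" column, $4 the version
  awk -F, 'NR > 1 && $3 == "available" { print $1 " (" $4 ")" }'
}

# Print plugins that are installed but inactive. Inactive plugins are still code on
# the server and still get exploited, so the newsletter's advice is to remove them.
inactive_plugins() {
  awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Constructed sample output, shaped like WP-CLI's CSV, so the checks can be tried
# offline. "example-firewall-plugin" is a placeholder name, not a real plugin slug.
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
hello,inactive,none,1.7.2
example-firewall-plugin,active,available,4.21.0'

if [ "${1:-}" = "--live" ]; then
  # Real check against this site: requires WP-CLI and a WordPress install here.
  echo "Plugins with an update available:"
  wp plugin list --fields=name,status,update,version --format=csv | outdated_plugins
  echo "Installed but inactive plugins (consider removing):"
  wp plugin list --fields=name,status,update,version --format=csv | inactive_plugins
else
  echo "Plugins with an update available (sample data):"
  printf '%s\n' "$SAMPLE_CSV" | outdated_plugins
  echo "Installed but inactive plugins (sample data):"
  printf '%s\n' "$SAMPLE_CSV" | inactive_plugins
fi
```

Run it with `--live` on the server to see the real lists; once you have reviewed what is outdated, `wp plugin update --all` applies the pending updates, and `wp plugin delete <name>` removes a plugin you no longer use. Take a backup first, as the story advises, so a plugin update that misbehaves can be rolled back.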

Not sure what applies to your business or what your options are? Let’s talk.

🔍 In Case You Missed It (ICYMI)

🤖 The LOL-gorithm

Credit to Phil Johnson 

🧷 THE SAFETY SNAP

Phone scams are becoming more convincing as criminals spoof caller IDs and use AI‑generated voice clips. One common ploy is a fake “fraud department” call claiming your business bank account has been compromised and urging you to transfer funds or provide verification codes. The scammer may even know some of your personal details.

Tip: If you receive an urgent call about your account or a payment, hang up and call the organization back using a phone number from your bank card or official website. Never trust a number provided in a text or email. Legitimate banks will not pressure you to make immediate transfers or share one‑time codes. Adopt this call‑back reflex – it only takes a minute and could save you from a costly fraud.

💬 A PERSONAL NOTE

Do you have fun with Halloween? My kids are at the age where I can sit on the porch and ooh and ahh over all the neighborhood kids (teens, too!) who come for candy and treats while my own kids go trick or treat with their friends (well, just one now — the others are all older and go to parties or hang out with friends). We host a sleepover Halloween night so my night will be full of sugared-up almost-teens! Wish me luck! lol

👂 TELL ME

I’d love your feedback—do you like the new 3-story format? Just hit “reply” and let me know!

Stay safe and see you next week! 🌟 

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷