Phish & Tell
Posts
PHISH & TELL 028

PHISH & TELL 028

The Cybersecurity Brief for Women Who Mean Business

Alexia Idoura
November 07, 2025

vgws

👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Hi there 👋—welcome back to Phish & Tell, your friendly heads‑up on the scams and hacks that matter most to your business. Read on for the stories you should know, why they matter for small businesses, and simple steps to stay safe.

Fake CAPTCHA pages now show how‑to videos to trick users (BleepingComputer) – A malware campaign called ClickFix has evolved. Attackers lure victims to a page impersonating a Cloudflare CAPTCHA. The new version detects a visitor’s operating system, shows a countdown timer and even plays a video tutorial telling people to paste malicious commands into their terminal.
Why it matters: This tactic combines social engineering and technical trickery to pressure users. If your team or customers are ever instructed to run commands from a web page, stop immediately.
What to do: Educate employees about phishing tactics; real CAPTCHA pages never ask you to open a terminal. Keep anti‑malware tools up to date and discourage running any code from unknown websites.
Hackers hijack WordPress sites via Post SMTP plugin (BleepingComputer) – Yup, WordPress, again. Attackers are exploiting a vulnerability in the popular Post SMTP plugin, which allows them to view password‑reset emails and take over admin accounts. The flaw exists in versions before 2.8.8. Wordfence reports thousands of attacks since Nov 1 and says roughly half of sites remain unpatched.
Why it matters: WordPress powers many small‑business websites, and plugin vulnerabilities are a leading cause of site takeovers. Not only could they add their own pages or malware on your pages, but your reputation, SEO rankings, and email deliverability could take a hit, and those take a long time to fix.
What to do: Update the Post SMTP plugin immediately or disable it until patched. Review your plugins regularly, remove ones you don’t use and enable two‑factor authentication for your admin account.
Windows update causes some PCs to boot into BitLocker recovery (BleepingComputer) – Microsoft warned that the October Windows updates can cause devices with certain Intel processors and the “Connected Standby” feature to boot into BitLocker recovery mode, requiring users to enter a recovery key. An affected device only needs to enter the key once; administrators can use Microsoft’s Known Issue Rollback policy to mitigate the issue.
Why it matters: Unexpected BitLocker prompts can confuse staff and delay work, and many people lose track of their recovery keys.
What to do: Ensure recovery keys are backed up securely and accessible to authorized personnel. Apply Microsoft’s mitigation policy if you manage multiple devices. For personal devices, keep backups of important data in case a recovery prompt appears.
Not sure what applies to your business or what your options are? Let’s talk.

🔍 In Case You Missed It (ICYMI)

This week’s blog post: Your Marketing Team (or Know-How) Might Be Your Secret Cybersecurity Ally» Does it surprise you that your marketing strategy and tactics can help with your cybersecurity strategy and tactics?
Follow us on LinkedIn, Facebook or Instagram. Youtube is in the works (subscribe to get notified when I finally start getting these videos out there!)

🤖 The LOL-gorithm

Strong passwords and updated systems — the basics first!

🧷 THE SAFETY SNAP

This week’s news caught my eye because I was in a fender-bender a week ago. (Everyone’s fine!) I told the young driver to take photos—just like I did—and then saw this story about AI-generated crash scams.

A recent paper, A New Wave of Vehicle Insurance Fraud Fueled by Generative AI (arxiv.org), warns that scammers are now using AI to fake accident photos, damage, and even driver IDs. Basically, someone could “create” a crash out of thin air and try to cash in on it.

So, if you ever find yourself in a real accident:

Snap everything. Take wide shots, close-ups, plates, street signs—anything that proves what really happened.
Stay where you feel safe. Move to a lit area if you can and keep your doors locked until help arrives.
Swap info smartly. Get names, numbers, and insurance details, but don’t let anyone take pictures of your license or personal documents.
Skip the random “helpers.” Only deal with your own insurer, roadside service, or the police.

It’s wild that AI can fake fender-benders now, but your own photos and police report are the best defense.

💬 A PERSONAL NOTE

Since I will be car-less for a bit as I get the (not serious) damage to my soccer-mom van fixed, I will be having a nice quiet weekend at home and spending some time in my garden. I’ve been spending a LOT of time online working, so it’s time to get some fresh air and sunshine, put together my greenhouse to try to winter my potted plants (used to bring them in, but the kittens have made that impossible), and cut back some out of control parts of my garden. Hot tip, don’t plant blackberry bushes near the house. It’s like Sleeping Beauty’s kingdom consumed by thorny thickets out there in spots.

Speaking of kittens, they are deceptively sweet in this pic. ;-)

👂 TELL ME

What would you like to see in this newsletter? What questions do you have?

Stay safe and see you next week! 🌟

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷