PHISH & TELL 029

The Cybersecurity Brief for Women Who Mean Business


👋 WELCOME to Phish & Tell™, from Security Done Easy™

You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Our blog won the Gold! 🎉 See the Personal Note section below!

Let me tell you, it’s so hard to just pick the top 3 news stories for the week. 😬 

  1. AI helps fraudsters create realistic fake receipts

    Source: Schneier on Security schneier.com
    What happened: Generative‑AI tools now produce photo‑realistic fake receipts with wrinkles and all, itemized lists, and signatures. Expense‑management software tries to detect AI‑generated images by examining metadata, but fraudsters can circumvent detection by taking screenshots or photos.
    Why it matters: Small businesses rely on receipts for reimbursements and accounting. Sophisticated fakes can slip through manual review, leading to fraudulent payouts or tax problems.
    What to do: Consider using digital expense tools that cross‑check receipts against merchant data. Audit expense reports periodically and verify large purchases directly with vendors. Educate staff about the legal consequences of expense fraud. Worst case is requiring and saving paper receipts, but that’s not really realistic today for many businesses.

  2. Google sues operators of “Smishing Triad” phishing kit

    Source: Krebs on Security krebsonsecurity.com
    What happened: Google filed a lawsuit against the creators of Lighthouse, a phishing‑as‑a‑service kit used by the Chinese “Smishing Triad.” It has duped over one million victims across 120 countries. Victims get a text saying they owe a toll or a delivery fee (I know I’ve gotten several of these SMS phishing, aka smishing, messages myself) and are walked through entering their card details and the one‑time code their bank sends. The scammers then use that code to link the card to a device they control.
    Why it matters: Smishing attacks prey on busy people who pay invoices and shipping fees from their phones. A single employee’s mistake can expose both personal and company payment details.
    What to do: Warn staff about fraudulent text messages. Don’t tap a link claiming you owe a fee; instead, go directly to the company’s official site or app and check there. Turn on transaction alerts and use virtual cards for online purchases. Never type a one‑time code into a page you reached from a text message, and treat a code you didn’t request as a sign that someone is trying to use your card right now.

  3. Microsoft’s November Patch Tuesday fixes zero‑day and critical bugs

    Source: The Hacker News thehackernews.com
    What happened: Microsoft patched 63 vulnerabilities across its products, including one zero‑day that was already being exploited before the fix shipped. Critical remote‑code‑execution bugs in the graphics component and Windows Subsystem for Linux were also addressed, along with a high‑severity Kerberos flaw that could let an attacker impersonate any user.
    Why it matters: Nearly every small business uses Windows. Unpatched systems can let an attacker who already has a low‑privilege foothold escalate to full domain administrator, enabling data theft or ransomware. (Note that ALL operating systems are vulnerable and should be updated as soon as updates are available, Mac, Windows, doesn’t matter. Set it to update automatically so you don’t have to remember. Just don’t snooze it!)
    What to do: Install November’s updates on all Windows desktops and servers. Encourage employees to run updates promptly and restart when asked; a patch that is waiting on a reboot hasn’t protected anything yet. If you run Active Directory, review Kerberos delegation settings and apply Microsoft’s recommendations that accompany the Kerberos fix.

    Not sure what applies to your business or what your options are? Let’s talk.

🔁 In Case You Missed It (ICYMI)

  • This week’s blog post: From Reactive to Proactive Protection: A Managed Security Services Guide for Small Businesses » Understand why switching from “I’ll deal with it if it happens” to a managed security services model isn’t just about paying a monthly fee; it’s about protecting your livelihood, complying with the law, and gaining peace of mind.

  • Looking for the Customer Journey Risk Map template? My web team should have it posted this week. I’ll include a link as soon as it is. (It’ll be on the Resources page on my website.) Read the related blog article here!

  • Follow us on LinkedIn, Facebook or Instagram. YouTube is in the works (subscribe to get notified when I finally start getting these videos out there!)

🤖 The LOL-gorithm

🧷 THE SAFETY SNAP

The sheer quantity of email we get can be really overwhelming, even after setting up automations, rules, labels, folders, and so on.

Did you know that can actually be a security issue, not just an inconvenience? A flooded inbox makes it hard to spot the legitimate messages that matter, like login alerts, password‑reset notices, and order confirmations you didn’t place.

🧹 Quick Anti-Spam Guide: How to Keep Your Inbox Clean

1. Use built-in tools

  • Hit Unsubscribe for legit senders. (I’ve been using Google’s Manage Subscriptions option in the Gmail menu — you can knock a bunch out at once.)

  • Use Report Spam only for scams or things you never signed up for.

  • Block repeat offenders.

2. Let filters do the work

  • Create simple rules like “If email contains unsubscribe, move to Promotions.”

  • Auto-label newsletters, receipts, and marketing emails.

3. Use smart email habits

  • Have a separate email for shopping, downloads, and sign-ups.

  • Try plus-addresses (name+shopping@…). Gmail and Microsoft 365 both support them, and when a plus-address starts receiving spam you know exactly which site leaked or sold it.

  • Never use your main business email for freebies or online accounts.

4. Protect your address

  • Don’t post your email publicly if you can avoid it.

  • Use Apple Hide My Email or similar tools for low-trust sites.

5. For business owners

  • Make sure your domain has SPF, DKIM, and DMARC set up, and that your DMARC policy is quarantine or reject rather than p=none, which only reports and blocks nothing. (I have a free scanner on my website.)

  • Turn off catch-all addresses (they’re spam magnets).

  • Use strict anti-spam settings in Google Workspace or Microsoft 365.

A few smart habits + the right filters = a dramatically calmer inbox. Let your tools do the heavy lifting.
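For the “for business owners” item above, here is an added example (my own illustration, not the scanner from the author’s website) of what a check of a domain’s SPF, DKIM and DMARC records looks for. The DNS answers are constructed sample records for made-up domains; to run it against a real domain you would replace lookup_txt with a DNS TXT query. The selector names checked for DKIM are common defaults and are an assumption.

```python
"""Audit a domain's SPF, DKIM and DMARC TXT records for the weak settings the
newsletter warns about. Added example; the records below are constructed."""
import re

# Constructed TXT records keyed by DNS name, standing in for a live lookup.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.google.com +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "good.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "google._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ"],
    # none.example deliberately has no records at all.
}

def lookup_txt(name):
    """Return the TXT records for a DNS name (sample data; swap in dns.resolver for real use)."""
    return SAMPLE_TXT.get(name, [])

def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, so anyone can send mail claiming to be this domain"]
    if len(spf) > 1:
        return ["SPF: more than one record; receivers treat that as a permanent error"]
    rec = spf[0]
    issues = []
    if re.search(r"(^|\s)\+?all(\s|$)", rec):        # '+all' (or bare 'all') passes every sender
        issues.append("SPF: '+all' authorizes the whole internet to send as you")
    elif re.search(r"(^|\s)~all(\s|$)", rec):        # '~all' is softfail, rarely enforced
        issues.append("SPF: '~all' softfail only; use '-all' once your senders are confirmed")
    elif not re.search(r"(^|\s)-all(\s|$)", rec):    # no 'all' term means neutral by default
        issues.append("SPF: no 'all' mechanism, so unlisted senders are treated as neutral")
    return issues

def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("DMARC: p=none only monitors; move to quarantine or reject")
    elif policy not in ("quarantine", "reject"):
        issues.append(f"DMARC: missing or unknown policy {policy!r}")
    if tags.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so you will never see aggregate reports")
    return issues

def audit_domain(domain, selectors=("google", "selector1", "selector2"), lookup=lookup_txt):
    """Return a list of findings; an empty list means nothing weak was found."""
    issues = check_spf(lookup(domain))
    issues += check_dmarc(lookup(f"_dmarc.{domain}"))
    dkim_hits = [s for s in selectors
                 if any(r.lower().startswith("v=dkim1") for r in lookup(f"{s}._domainkey.{domain}"))]
    if not dkim_hits:
        issues.append("DKIM: no key published under the common selectors checked")
    return issues

if __name__ == "__main__":
    for name in ("weak.example", "good.example", "none.example"):
        print(name, audit_domain(name) or ["OK"])
```

The DKIM check is the weakest part of any outside scan: a domain can publish its key under any selector name, so a miss here means “not found under the names I tried,” not “not configured.” Google Workspace uses the google selector by default and Microsoft 365 uses selector1 and selector2, which is why those three are assumed.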

BUT Be Kind to Other Businesses

If an email is from a legit business (especially a tool you use, a creator you follow, or a company you’ve interacted with), use Unsubscribe, not Report Spam. (For texts from a business you recognize, reply STOP rather than using Report Junk or the equivalent. Don’t reply STOP to a text you never signed up for, though; that just confirms your number is live.)

Unsubscribing quietly removes you from their list.

Reporting spam, though, can damage their sender reputation, get their emails blocked, and create deliverability headaches for a business that didn’t actually do anything wrong.

My related blog post on spam attacks, coming Monday

When a cybercriminal is about to do something that will likely generate an email alert to you (like trying to get into your bank account), they will often first create a spam flood by signing you up for hundreds of newsletters and mailing lists, a trick known as subscription bombing or email bombing. They use the spam to create chaos and pressure, deliberately making it hard for you to notice the legitimate emails about fraudulent online purchases, account changes, or identity theft that arrive in the middle of it. So what do you do if it’s an actual attack? I’ll address that in my next blog post, so look out for it on Monday.
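As an added illustration of the flood described above (my own example, not from the newsletter or the upcoming blog post), here is a small triage script: it spots a burst of subscription confirmations in a short window and pulls out the few messages that actually matter, whatever is buried around them. The inbox is constructed sample data, and the watched sender domains and subject patterns are assumptions you would tune to your own accounts.

```python
"""Detect a subscription-bomb burst and surface the security-relevant messages
hidden inside it. Added example; the inbox below is constructed."""
from collections import deque
from datetime import datetime, timedelta
import re

# Senders whose mail should never be buried (assumed list; use your own bank, IdP, etc.).
WATCHED_DOMAINS = {"accounts.google.com", "alerts.examplebank.com", "microsoft.com"}
# Subjects that usually mean an account or money is changing hands.
PRIORITY_SUBJECT = re.compile(
    r"(sign[- ]?in|log[- ]?in|password|verification code|security alert|new device|"
    r"order\b.*?(confirmed|shipped)|payment|address (chang|updat))", re.I)
# Subjects typical of what a bomber signs you up for.
NOISE_SUBJECT = re.compile(
    r"(welcome|confirm your (subscription|email)|thanks for (signing|subscribing)|newsletter)", re.I)

def is_priority(msg):
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    return domain in WATCHED_DOMAINS or bool(PRIORITY_SUBJECT.search(msg["subject"]))

def is_noise(msg):
    # Bulk mail carries a List-Unsubscribe header; a subject match covers the rest.
    return msg.get("list_unsubscribe", False) or bool(NOISE_SUBJECT.search(msg["subject"]))

def detect_burst(msgs, window=timedelta(hours=1), threshold=20):
    """Sliding window over the noise messages: True if any window holds >= threshold."""
    times = sorted(m["ts"] for m in msgs if is_noise(m))
    recent = deque()
    for t in times:
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return True
    return False

def triage(msgs):
    """Return (burst_detected, priority_messages_oldest_first)."""
    priority = sorted((m for m in msgs if is_priority(m)), key=lambda m: m["ts"])
    return detect_burst(msgs), priority

def build_sample_inbox():
    """Constructed inbox: 40 sign-up confirmations in 80 minutes, plus three real messages."""
    start = datetime(2025, 11, 17, 9, 0)
    inbox = [{"ts": start + timedelta(minutes=2 * i), "from": f"news@shop{i}.example",
              "subject": f"Welcome to Shop {i}! Confirm your subscription", "list_unsubscribe": True}
             for i in range(40)]
    inbox.append({"ts": start + timedelta(minutes=35), "from": "no-reply@accounts.google.com",
                  "subject": "Security alert: new sign-in from Windows", "list_unsubscribe": False})
    inbox.append({"ts": start + timedelta(minutes=41), "from": "team@weeklytips.example",
                  "subject": "This week's newsletter", "list_unsubscribe": True})
    inbox.append({"ts": start + timedelta(minutes=50), "from": "orders@retailer.example",
                  "subject": "Your order #48213 has shipped", "list_unsubscribe": False})
    return inbox

if __name__ == "__main__":
    burst, important = triage(build_sample_inbox())
    print("subscription bomb in progress:", burst)
    for m in important:
        print(m["ts"].strftime("%H:%M"), m["from"], "|", m["subject"])
```

Two caveats for real use. The sender check trusts the From header, which is only as good as the DMARC enforcement on your receiving side (Gmail and Microsoft 365 do enforce it for domains with a reject policy), and a flood can itself contain fake “security alert” messages; so treat a surfaced alert as a prompt to open the bank or account directly, as item 2 of the news section says, not as a link to click.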

💬 A PERSONAL NOTE

Crossing your fingers for me worked! I mentioned that I was a finalist for a Stevie Award for Best Female Business Blogger and that I was going to find out where I was on the podium last Monday night at the awards ceremony. I got the gold! Thanks to all of you for reading and giving me feedback along the way. Read my blog articles here.

I love the idea, I love the content, and honestly, I think this is a brilliant solution to support and protect women-led small businesses. My favorite part is the trauma-aware blog and content. Congratulations on this inspiring and impactful initiative. The results are great, and the tools are impressive. Well done!

—Stevie Awards Judge

Other than that, I’ve been doing a better job listening to my fellow business owners and taking breaks so I don’t burn out. I’ve also been taking the kids out to do fun out-of-the-ordinary stuff (like hunting for the Thomas Dambo trolls and seeing Mesmerica. Did you know the artist who created Mesmerica was the drummer for The Pretenders, one of my favorite bands?! They just re-released The Singles, btw.)

👂 TELL ME

Have a story to share or a cybersecurity question? Simply reply to this email or leave a comment. I’d love to hear from you and include your tips or questions in the next issue!

Stay safe and see you next week! 🌟 

You’re subscribed to Phish & Tell™ because your business is worth protecting.

🩷