PHISH & TELL 031

The Cybersecurity Brief for Women Who Mean Business

👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Happy holidays! As we wrap up November, cyber‑crooks aren’t taking time off. It’s a lot to keep up with, so we’ve distilled three of the top security stories from the last week with a focus on what matters to women small‑business owners. This issue also includes a seasonal Safety Snap to help you spot holiday scams before they find you.

Below you’ll find what happened, why it matters, and quick steps you can take to keep yourself and your business safe.

Let’s get into it.

  1. Fired IT contractor locked workers out of accounts

    Source: The Register 
    What happened: An Ohio IT contractor pleaded guilty after being fired: he used lingering access to his former employer’s systems to run a PowerShell script that reset passwords and locked workers out.
    Why it matters: A disgruntled freelancer, VA, web designer, or ex-employee with leftover access to your email, website or cloud apps can do a lot of harm in a very short time.
    What to do:

    • Keep a simple “who has access to what” list (including contractors).

    • When anyone leaves—employee or contractor—have a 10-minute off-boarding checklist:

      • Remove from email and shared drives

      • Revoke access to website, hosting, payment systems, social media

      • Change shared passwords they knew.

    • Use role-based logins (their own account) rather than sharing a single “admin@” password with everyone.

  2. Trend Micro: 2026 will be the year of AI-assisted ransomware

    Source: The Register 
    What happened: Trend Micro’s new predictions say ransomware crews are already experimenting with agentic AI—AI that can take actions, not just answer questions. They expect AI to automate key attack steps in 2026: scanning for vulnerable systems, building phishing lures, and even negotiating ransoms.
    Why it matters: Even small businesses could see more frequent and faster-moving attacks because AI can do the “boring work” for criminals at scale. That means less time between “oops, I clicked” and “all our files are locked.”
    What to do:

    • Patch the basics: keep your laptops, phones, and key apps updated—turn on automatic updates where possible.

    • Make sure you have offline or cloud backups that are:

      • automatic

      • versioned (can roll back in time)

      • tested (you’ve actually restored from them at least once).

    • Decide now what you’ll do if you get a ransom note (who you’d call, what systems you’d shut down first).

  3. Sneaky 2FA phishing kit uses fake browser windows

    Source: The Hacker News
    What happened: A Phishing-as-a-Service kit called Sneaky 2FA just got an upgrade: it now uses Browser-in-the-Browser (BitB) techniques to pop up fake login windows that perfectly mimic your browser’s address bar while stealing your username, password and 2FA code.
    Why it matters: Even security-savvy users who “always check the URL” can be tricked if the fake window looks like a real browser. This is especially dangerous for logins to email, Microsoft 365, Google Workspace, banking and password managers.
    What to do:

    • Be suspicious of login pop-ups launched from links in email or chat. When in doubt, close it and go directly to the site by typing the address yourself.

    • Prefer hardware security keys or passkeys where available; they’re harder for these kits to phish.

    • Teach your team: if a login window appears in a weird place (inside a page, inside an iframe, or with odd resizing), cancel it and report it.

    Not sure what applies to your business or what your options are? Let’s talk.

🔍 In Case You Missed It (ICYMI)

  • This week’s blog post: Cybersecurity That Actually Saves You Money (Yes, Really). Most incidents aren’t caused by genius hackers. They often happen because of messy systems and small oversights — things you can control. The other good news is that many of the fixes also save you money. Read the article for a list of 20.

  • Follow us on LinkedIn, Facebook or Instagram. YouTube is in the works (subscribe to get notified when I finally start getting these videos out there!).

🤖 The LOL-gorithm

One group project I had in a grad school class was to phish our TA. lol Not easy when they expect it! We spoofed the university employee scheduling webpage and everything.

🧷 THE SAFETY SNAP

This week’s Safety Snap is about the scams you’re going to see everywhere between now and New Year’s—many of them boosted by the same AI tools we just talked about.

The scam

  • Text or email saying:

    • “There’s a problem with your delivery…”

    • “Fraud alert: we noticed unusual activity…”

    • “Your gift card/loyalty points are about to expire…”

  • It asks you to click a link, log in to “verify” your identity, or read back a code from your phone.

What’s really happening

  • The link leads to a phishing site (possibly with a fake browser window like in Story #3 above) to steal your login and 2FA.

  • Or the “support agent” on the phone tricks you into authorizing a payment or Zelle transfer to “reverse” fake fraud.

How to protect yourself (and your loved ones)

  1. Never act directly from the message.

    • Close it, open your bank/shipping app directly, or type the URL yourself.

  2. Use your own bookmarks or saved apps for banks, PayPal, Amazon, etc.—not links in email or SMS.

  3. If someone calls you:

    • Hang up, then call back using the number on the official website or the back of your card.

  4. Tell your family group chat about one scam you’ve seen this week.

    • The more people talk about it, the fewer people fall for it.

💬 A PERSONAL NOTE

If you are in the US, I hope you had a good Thanksgiving. (I know it can be a tough day with family stuff, so if that’s the case, I hope you took care of yourself.)

My youngest was aghast that I didn’t roast a whole turkey. After eating and fixing plates to deliver, pretty much the only leftovers we have are stuffing and sautéed root vegetables. Lesson learned. lol. (I offered to roast a whole turkey for Christmas, but then my youngest was aghast that I would change up our traditional Christmas meal, which is a Raclette.)

Nerd note: Normally I sketch out the timeline (on paper) to make sure everything is ready at the same time. This year, I asked Perplexity AI given that I was cutting down on quantities so I expected times to change. I took a photo on my phone of each recipe and wrote a prompt that included: time to be ready, how many helpers I had and what they could do (such as set the table, peel vegetables), how many burners I have on my stove and pots and pans available, that I have a double oven and a crockpot, how long my dishwasher cycle was, any recipe customizations (no mushrooms in our gravy, alas), a possible emergency run to the store 15m away (just in case!), and what had already been completed (cranberry sauce, pie). And to ask me clarifying questions. Perplexity asked me if the time to be ready meant we were sitting down to eat or plating the food and a couple of other details and then created a fantastic checklist that was designed to lessen stress.

I thought my timelines were great, but this leveled things up. Saved about an hour of planning and I was able to enjoy the day more rather than being stressed and rushed. 5 out of 5, would recommend.

👂 TELL ME

What triggers you to look for security solutions? Hearing about a hack? Being asked about your security by a customer? Needing to meet compliance requirements?

Stay safe and see you next week 🌟 

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷