PHISH & TELL 034
The Cybersecurity Brief for Women Who Mean Business
👋 WELCOME to Phish & Tell™️, from Security Done Easy™️
You’re not just building a business.
🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK
Whether you’re packing orders for holiday shoppers or closing out the books for year‑end, cybercrooks aren’t taking a break. In fact, attacks on small‑business networks, customer devices and even our favorite apps have surged over the past week. As always, Phish & Tell distills the news into plain English and offers steps you can take right now.
Guardz 2025 SMB Cybersecurity Report: Nearly Half of SMBs Hit by Cyberattacks
Source: PR Newswire — Guardz 2025 SMB Cybersecurity Report
What happened: A new report shows 43% of U.S. small and midsize businesses have experienced a cyberattack in the past five years, with 27% hit in the last year. Employee error, phishing, and ransomware top the threat list. The same Guardz report highlights that many SMBs are turning to done-for-you managed services for security due to rising threat awareness and complexity.
Why it matters: Attack frequency is high, yet many SMBs still lack solid defenses like incident response plans or cyber insurance — making them easier targets than larger enterprises. Many small businesses don’t have internal cybersecurity expertise; trying to manage threats without it often leads to gaps and slower recovery.
What to do: Build a formal incident response plan, ensure staff receive regular cybersecurity training, and consider cyber insurance aligned with your risk profile. Evaluate managed security services options that include 24/7 monitoring, patch management, backups, and incident response.
For app developers: A Website Flaw Is Being Used to Install Ransomware—Fast
Source: BleepingComputer — Critical React2Shell flaw exploited in ransomware attacks
What happened: Security researchers uncovered a serious flaw—called React2Shell—in popular website technology used behind the scenes on many modern sites and apps (including React and Next.js). Once the flaw became public, attackers began exploiting it within minutes. In real-world attacks, criminals:
Broke into websites without needing a password
Installed ransomware in under a minute
Shut off security tools
Encrypted the server so the business couldn’t access its own data
Deleted backups and logs to make recovery harder
This wasn’t theoretical. It’s already being used in active attacks.
Why it matters: You don’t need to be a software company to be affected. Many small businesses rely on custom websites, SaaS tools, plugins, or apps built on modern frameworks. If those components aren’t updated, attackers can exploit them quietly—often without obvious warning—leading to data theft, website defacement, or malware installation.
What to do: Ask your web developer or vendor how often dependencies are updated. If you manage your own site or app, prioritize regular patching and updates. Use security scanning tools (many have free tiers) to flag vulnerable components. Treat “we’ll update later” as a risk decision—unpatched software is one of the fastest paths to compromise.
WhatsApp “device linking” feature abused in account hijacks
Source: BleepingComputer — WhatsApp device linking abused in account hijacking attacks
What happened: A campaign dubbed “GhostPairing” tricks victims into linking attackers’ browsers to their WhatsApp accounts. Victims receive a message from a known contact with a fake Facebook link to an “online photo,” which redirects to a fake site that initiates WhatsApp’s device‑pairing workflow. The site asks for the victim’s phone number and displays the legitimate pairing code; entering it grants the attacker full access to messages and media. Many victims aren’t aware a second device was linked.
Why it matters: WhatsApp is widely used by entrepreneurs and customer‑support teams. A hijacked account can expose client conversations, two‑factor authentication codes and sensitive media, and may be abused to scam your contacts.
What to do: Educate employees to be wary of unexpected links, even from friends. If prompted to pair a device, never share codes via email or websites; pair devices only within the WhatsApp app. Regularly check Settings → Linked Devices for unknown sessions and enable two‑factor authentication. Report suspicious messages and block unknown senders.
Not sure what applies to your business or what your options are? Let’s talk.
🔍 In Case You Missed It (ICYMI)
This week’s blog post: Cybersecurity for Your Small Business: Where Do You Start? » Most small business owners don’t ignore cybersecurity because they don’t care. They avoid it because the advice out there feels overwhelming, overly technical, and disconnected from how small businesses actually operate.
Last Tuesday was the last Patch Tuesday of the year! Microsoft “only” patched 56 security flaws, some of which are already being exploited. Patch your operating systems, apps, and browsers. Better yet, set them to update automatically.
Follow us on LinkedIn, Facebook or Instagram. YouTube is in the works (subscribe to get notified when I finally start getting these videos out there!)
🙋‍♀️ Top Reader Questions of the Week
Below are five questions from small‑business owners over the past week. What questions do you have?
What are the critical first steps to take if we suspect a data breach or cyberattack?
Do not shut the computer or server off. Turning it off can erase clues your tech team may need. Instead, disconnect from WiFi and unplug it from the network cable so the attacker cannot keep moving.
Call your tech or security person right away (IT support, managed security provider, or the savviest tech partner you have) and tell them exactly what you saw and when. Save any screenshots or strange emails.
If you have cyber‑insurance or a lawyer you work with, let them know the same day. Many policies require fast notice. Know your policy.
If you already have an incident response plan, follow it step by step; if you don’t, you are not alone—only about one‑third of small businesses have one, but those that do avoid major damage in about 80% of attacks.
How should we respond to ransomware attacks—and how can we prepare now?
If you see a ransom note on screen, stop using the computer and disconnect it from the internet or company network right away so it does not spread to other devices.
Call your IT or security support and your cyber‑insurance contact. They can help confirm it is ransomware and guide next steps.
In most cases, paying the ransom is a bad bet. It does not guarantee you get your data back and it encourages the criminals to attack more businesses.
How to prepare before anything happens:
Keep good backups of your important files using the 3‑2‑1 rule: three copies of your data, stored on two different types of storage, with at least one copy stored away from your office or fully offline.
Use backup tools or services (for example Veeam, Backblaze, Acronis) and test that you can actually restore from them at least a few times per year.
Make sure at least one backup is “air‑gapped” (not constantly connected to your main computer or network), so ransomware cannot reach and encrypt it.
What should we do immediately if an employee clicks a suspicious link?
First, do not panic or shame the employee. Clicking a bad link is common, and fast action matters more than blame.
Ask them to stop using the device and disconnect it from Wi‑Fi or the network.
From a different, trusted device, change passwords for your most important accounts: email, banking, payment processors, payroll, and any admin logins. Turn on multi-factor authentication (MFA) if it is not already enabled.
Have your IT or security support run a malware scan (Windows Defender or Malwarebytes are good starting points) and check recent email logins and file sharing for anything unusual.
For the next few days, watch for strange login alerts, password reset emails you did not request, or unusual charges, and report them quickly.
What’s the most cost‑effective way to implement password management and MFA for our team?
Use a business password manager so your team can store and share passwords safely instead of in notebooks, text messages, or spreadsheets.
Turn on MFA for your important accounts (email, banking, payroll, cloud tools) using free apps like Microsoft Authenticator, Google Authenticator, or Authy.
Require your team to use different passwords for different systems and stop reusing the same password everywhere. The password manager makes this doable.
For sensitive roles—like anyone with admin access—consider hardware security keys (such as YubiKey) for even stronger protection.
For a 10‑person team, expect roughly $30–$70 per month for a password manager, plus free MFA apps; this is usually under $100 per month total and can block around 99% of automated account‑hacking attempts. (If you use a managed security services provider, this will often be included.)
What are the essential security configurations for Microsoft 365 and Google Workspace?
Turn on MFA for everyone’s email accounts; email is the key to almost everything else in your business.
Use strong password rules and encourage your team to use your chosen password manager instead of trying to memorize long passwords.
Turn on the built‑in security features: In Microsoft 365, enable Microsoft Defender for Office 365. In Google Workspace, enable advanced phishing and malware protection.
Set file‑sharing defaults to “private to your company” and only open specific folders or documents to outside people when needed. Review who has access to important folders (finance, HR, customer lists) at least a few times per year.
If you use many different cloud tools, consider single sign‑on (SSO) through Azure AD/Entra ID, Google Cloud Identity, or Okta so your team logs in once with a well‑protected account instead of juggling many separate logins. (These often require enterprise-level accounts, so not always practical for smaller businesses.)
🤖 The LOL-gorithm
This is why I do NOT ask AI to come up with a joke or meme for this section:
Why did the hacker cross the road?
To get to the other site… but then their VPN dropped and they had to try 1.7 million passwords.

The funny part is this: I asked ChatGPT to explain why it was funny. It’s still thinking. lol

🧷 THE SAFETY SNAP
AI-Generated Kidnapping Scams Are Getting Scarier
The FBI is warning about a disturbing twist on extortion scams: criminals are now using AI to create fake photos, videos, or voice messages of loved ones and claiming they’ve been kidnapped.
Here’s how it usually plays out:
You get a frantic call, text, or message saying your child, partner, or family member has been taken.
The scammer sends an image, short video, or voice clip that looks or sounds real.
They demand immediate payment and pressure you not to verify the situation.
What makes this especially dangerous is the emotional shock. Scammers are counting on panic to override logic.
What the FBI says to watch for
AI-generated images and videos often have subtle flaws, such as:
Missing or incorrect tattoos, scars, or birthmarks
Unusual body proportions or facial details
Awkward movements, lighting, or backgrounds that don’t quite make sense
These details are easy to miss when you’re scared—but they matter.
How to protect yourself and your family
Do these before you ever get a call like this:
Create a family “safe word” or phrase
Something only your family would know. If the person can’t provide it, that’s a red flag.
Pause and verify—no matter how urgent it feels
Call or text the supposed victim directly. Reach out to another trusted person who might be with them.
Don’t trust images, videos, or voices alone
AI can fake all three. Proof isn’t proof anymore.
Slow the conversation down
Scammers push urgency. Real emergencies still allow verification.
If you believe the threat could be real, contact local law enforcement immediately
Don’t negotiate or send money first.
Why this matters for business owners
Company leaders are juicy targets. Even if the scam targets your personal life, the fallout can affect your business—emotionally, financially, and operationally. Knowing how to pause, verify, and respond calmly is now part of modern digital safety.
Bottom line:
If someone demands immediate action and tells you not to verify—that’s your cue to stop and check. Panic is the scammer’s strongest weapon.
💬 A PERSONAL NOTE
Take some time for yourself over the next few weeks—rest, reflect, and remember that each healthy boundary you set (digital or otherwise) is an investment in your business and your well‑being. I know starting and running a business takes a lot of energy — don’t burn out. I know I’ve come close a couple of times this year myself!
Speaking of a little downtime, we’ll be taking off next week and will see you again for the last newsletter of the year. Happy Holidays!
👂 TELL ME
Seen a scam in the wild? Have a security question you’d like answered? Hit reply and share your story. Your experiences help other women‑owned businesses avoid similar pitfalls.
Stay safe and see you week after next. 🌟

You’re subscribed to Phish & Tell™️ because your business is worth protecting.
🩷
