
👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Happy new year and welcome back! This issue brings several fast‑moving cyber and privacy stories from the past week. You’re growing a business, a family and a life you love — and you deserve to protect all of it without reading a stack of technical reports. Each item below explains what happened, why it matters to small‑business owners and what you can do today.

  1. Spoofed domains exploit email misconfigurations

    Source: Dark Reading – Phishers Exploit Office 365 Users Who Let Their Guard Down
    What happened: Attackers are abusing misconfigured anti‑spoofing settings to send convincing phishing emails from look‑alike domains. Microsoft noted that organizations with weak MX records, SPF/DMARC setups, or email routing rules are particularly vulnerable. Criminals craft messages that appear to come from internal executives or trusted partners, tricking recipients into clicking malicious links or wiring money.
    Why it matters: Phishing is one of the top causes of data breaches for small businesses. Women‑owned companies are often targeted because attackers perceive them as less defended. Misconfigured email settings make it easy for criminals to spoof your domain and phish your customers or vendors.
    What to do: Use free tools such as my domain scanner or third‑party DMARC analyzers to check your domain records. Ensure SPF, DKIM and DMARC are correctly configured, and enable strict anti‑spoofing policies. Educate employees on spotting suspicious emails, especially those requesting urgent payments or sensitive information. Implement MFA on all email accounts to reduce the impact of credential theft.

  2. Android botnet invades home and office networks

    Source: Krebs on Security – The Kimwolf Botnet is Stalking Your Local Network
    What happened: Researchers uncovered a botnet that has compromised more than two million Android devices worldwide. The malware spreads through poorly secured TV boxes, streaming devices and even digital photo frames. Once inside, it hides its traffic, downloads additional payloads and can perform distributed‑denial‑of‑service (DDoS) attacks, sell proxy bandwidth or carry out click fraud.
    Why it matters: Many small businesses rely on affordable “smart” TVs and media devices in waiting areas, restaurants or shops. Infected devices could allow attackers to pivot into your Wi‑Fi network and access point‑of‑sale systems, security cameras or laptops.
    What to do: Audit any connected devices (TV boxes, streaming sticks, photo frames) for open ADB ports and disable remote debugging. Replace unsupported or off‑brand devices with reputable models and apply firmware updates. Segregate IoT devices on their own Wi‑Fi network and routinely monitor network traffic for unusual spikes. Remind staff not to install apps from unknown vendors or sideload software.

  3. Microsoft to mandate MFA for Microsoft 365 admin access

    What happened: Microsoft announced that, starting February 9, 2026, all users accessing the Microsoft 365 admin center must authenticate with multi‑factor authentication (MFA). This expansion builds on prior phases rolled out in 2025 and follows research showing MFA blocks over 99.99% of account‑takeover attempts. Users without MFA enabled will be unable to sign in after the enforcement date.

    Why it matters: Admin accounts have broad access to customer data, invoicing, document storage and employee information. Attackers regularly target small‑business admins with phishing and password‑spray attacks because compromising one account can give them free rein over a company’s digital assets. Microsoft’s enforcement reduces the risk but may catch unprepared organizations off‑guard.

    What to do: Enable MFA on all Microsoft 365 accounts immediately — not just for admins. Confirm that backup contact methods (such as authenticator apps or hardware tokens) are configured and that staff know how to use them. Conduct a quick audit of who has admin privileges and remove unnecessary admin roles. Train employees to resist MFA fatigue scams, where attackers bombard users with push notifications hoping they’ll approve one by mistake.

    Not sure what applies to your business or what your options are? Let’s talk.
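
The SPF and DMARC checks recommended in story 1, as an added example that is not part of the original newsletter or its domain scanner. It audits TXT record strings you have already looked up; the function names `audit_spf` and `audit_dmarc` and the example.com records are constructed for illustration.

```python
# Added example: offline audit of SPF and DMARC TXT record strings.
# All sample records are constructed for illustration (example.com).

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records (error)"]
    findings, lookups, qualifier, redirect = [], 0, None, False
    for term in spf[0].lower().split()[1:]:
        bare = term.lstrip("+-~?")
        if bare.startswith("redirect="):
            redirect, lookups = True, lookups + 1
        elif bare.split(":")[0].split("/")[0] in ("include", "exists", "a", "mx", "ptr"):
            lookups += 1  # each of these terms costs a DNS lookup
        elif bare == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    if qualifier is None and not redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif qualifier in ("+", "?"):
        findings.append(f"'{qualifier}all' does not reject unlisted senders")
    elif qualifier == "~":
        findings.append("'~all' is softfail: needs an enforcing DMARC policy")
    if lookups > 10:  # RFC 7208 caps DNS lookups per SPF check at 10
        findings.append(f"{lookups} DNS lookups exceeds the SPF limit of 10")
    return findings

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in recs[0].split(";") if "=" in p)}
    findings, policy, pct = [], tags.get("p", "").lower(), tags.get("pct", "100")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: spoofed mail is still delivered")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports reach you")
    return findings

WEAK = (["v=spf1 include:_spf.example.net ?all"], ["v=DMARC1; p=none"])
STRICT = (["v=spf1 include:_spf.example.net -all"],
          ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])

if __name__ == "__main__":
    for label, (spf, dmarc) in (("weak", WEAK), ("strict", STRICT)):
        print(label, audit_spf(spf) + audit_dmarc(dmarc))
```

An empty list means none of these specific weaknesses were found; it does not cover DKIM, which needs the selector name from your mail provider.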

🔍 In Case You Missed It (ICYMI)

  • This week’s blog post: Getting Started with AI Agents Safely. AI agents are not a distant future. They are already in inboxes, task lists, calendars, customer service flows, and internal workflows, often helping quietly in the background. They can research articles, help you prepare for meetings, draft content, route support tickets, monitor online conversations, and automate repetitive work — which can be transformative for small businesses and solo founders.

  • Next Tuesday is the first Patch Tuesday of the year! Get ready to patch your operating systems, apps, and browsers. Better yet, set them to update automatically.

  • Follow us on LinkedIn, Facebook or Instagram. YouTube is in the works (subscribe to get notified when I finally start getting these videos out there!).

🙋‍♀️ Top Reader Questions of the Week

Below are five questions from small‑business owners over the past week. What questions do you have?

  1. How can I detect if my business website or email has been compromised?

    • Check web server logs and admin accounts for unusual activity.

    • Look for signs like unexpected redirects, new admin users, or spam emails sent from your domain.

    • Review recent changes to files or plugins, especially if you run a CMS.

    • Use external scanners and ask your hosting provider to run malware checks.

    • Even if you find nothing now, set up ongoing monitoring and regular backups.

  2. Are small businesses actually targets for ransomware, or is it just big corporations?

    • Small firms are common targets because attackers assume they have weaker defenses.

    • Attackers typically use broad phishing campaigns or exposed RDP ports rather than highly targeted attacks.

    • Regularly back up data offline or via immutable storage, enable MFA everywhere, and disable unused remote desktop services.

    • Apply patches promptly and deploy endpoint detection and response (EDR) tools.

    • Many small local firms have faced six-figure ransom demands, so the threat is very real.

  3. Is a formal cybersecurity policy necessary for a very small team?

    • Yes, but keep it short (1–3 pages) and practical rather than bureaucratic.

    • Cover acceptable use, strong passwords/MFA, remote work rules, incident reporting, and data handling.

    • A formal policy helps with insurance, compliance, and onboarding new staff.

    • Start with a template and customize rather than writing from scratch.

  4. What are my PCI compliance requirements if I use a third-party payment processor like Stripe?

    • Even with Stripe/Square, you still have a simplified PCI scope (e.g., SAQ A).

    • You need to complete the relevant self-assessment questionnaire (SAQ) and maintain basic controls.

    • Ensure your networks are secure, systems are patched, and you never store card data yourself.

    • Confirm your exact scope with the payment processor and your bank.

  5. Are the built-in security features of Google Workspace and Microsoft 365 enough for a small business?

    • Both platforms offer strong security by default if configured properly (MFA, conditional access, device policies, restricted sharing).

    • Many issues arise from misconfiguration rather than the platforms themselves.

    • For higher-risk environments, add advanced email security, data loss prevention (DLP), and log monitoring.

🤖 The LOL-gorithm

🧷 THE SAFETY SNAP

Wegmans may be scanning your face when you shop

A post on Schneier on Security linked to reports that the Wegmans supermarket chain in New York City is collecting customers’ biometric information via facial recognition cameras. While the company says it doesn’t share data with third parties, privacy advocates worry that such systems could be used for personalized pricing or handed to law enforcement.

Even if you don’t shop at Wegmans, biometric surveillance is creeping into retail environments. Small‑business owners should consider how using similar technology might affect customer trust, especially for marginalized communities who are often subject to disproportionate surveillance.

Two lighter notes, related:

  • Juggalo face makeup stymies many facial recognition technologies, which would make trips to Wegmans pretty interesting 👀.

  • There is a facial recognition system for… bears. Yes, bears.

💬 A PERSONAL NOTE

I blinked and the holidays flew by! I took my younger kids to New York City for a whirlwind trip and some fun! (And we got the “superflu” Flu A a few days later — oops.) We chose to do a few off-the-beaten-path things this time and I can’t say enough good things about The Color Factory in SoHo.

👂 TELL ME

Have a security question you’d like answered? Hit reply and let me know. Your experiences help other small businesses avoid similar pitfalls.

Stay safe and see you the week after next. 🌟

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
