
👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

The first few weeks of the year have been packed with cyber‑news, so this issue will help you stay ahead. Each item below explains what happened, why it matters for your business and what you can do today. Grab a cup of coffee and let’s dive in!

  1. WordPress plugin flaw lets intruders become admins
    Source: The Hacker News – Critical WordPress Modular DS Plugin Flaw
    What happened: Researchers discovered a serious vulnerability in the Modular DS plugin used by more than 40,000 WordPress sites. A flaw in how the plugin trusted internal requests allowed attackers to bypass authentication and directly call a function that grants administrative privileges. Exploit attempts began around 13 January. The developer released a patched version 2.5.2 on 14 January.
    Why it matters: Many small businesses rely on WordPress plugins to add features without coding. An attacker who becomes an admin can deface your site, inject malware, or steal customer data. Because the vulnerability is easy to exploit and proof‑of‑concept code is public, unpatched sites are at high risk.
    What to do: If you or your web designer use Modular DS, update immediately to version 2.5.2 or later. Regularly review your site’s plugins and remove anything you no longer need. Enable automatic updates, and when granting access, give people only the level of access they need to do their work on your site. Monitor logs for unexpected admin activity.

  2. Patch Tuesday is here! Microsoft patches 114 Windows flaws – including an active zero‑day (and remember, not just Microsoft patches!)
    Source: The Hacker News – Microsoft January 2026 Patch Tuesday
    What happened: Microsoft’s first Patch Tuesday of 2026 fixed 114 vulnerabilities across Windows, Office and other products. The most urgent fix addresses an actively exploited flaw in the Desktop Window Manager that lets an attacker grant themselves more access. Two Office bugs let attackers execute code when a victim previews a malicious email. (← Let that sink in — no clicking, just previewing.)
    Why it matters: Attackers often weaponize security updates within days. Small‑business owners typically delay patching out of fear of downtime, but leaving systems unpatched leaves the door open to ransomware, data theft or service disruptions. Even flaws with moderate severity can be dangerous when there is a working exploit. The patch is a double-edged sword — stuff gets fixed, but if you don’t patch it, that also means that the unfixed stuff has been publicized.
    What to do: Apply January’s security updates to Windows, Office and related products as soon as possible. Turn on automatic updates and reboot your systems. For Windows 365 Cloud PC users, test updates on a non‑production machine first. Ensure all admin accounts use multifactor authentication (MFA) and consider a managed patching service if you don’t have IT staff.

  3. Reprompt attack hijacks Microsoft Copilot sessions
    Source: BleepingComputer – Reprompt Attack Hijacked Microsoft Copilot Sessions for Data Theft
    What happened: Security researchers demonstrated a “reprompt” technique that uses malicious links to hijack Microsoft Copilot sessions in Windows 11 and Edge. By embedding crafted prompts in a page’s URL parameter and then forcing Copilot to fetch additional prompts from an attacker‑controlled site, the attacker can steal sensitive data and maintain control over future interactions. The exploit leverages features designed to allow Copilot to process web content.
    Why it matters: AI assistants are increasingly integrated into operating systems and productivity tools. A simple link could quietly capture chat histories or business documents from employees using Copilot. Small businesses often adopt new tools quickly without thoroughly vetting their security.
    What to do: Educate staff about the risks of clicking unknown links, even within seemingly trusted AI tools. For now, limit Copilot’s web access settings, and avoid using it to handle sensitive internal data. Microsoft will likely patch this issue soon; in the meantime, monitor Copilot’s release notes and apply updates promptly.

    Not sure what applies to your business or what your options are? Let’s talk.

🔍 In Case You Missed It (ICYMI)

  • This week’s blog post: How to Identify, Stop, and Prevent Cyberattacks on Your Small Business Website. You do not need to become a cybersecurity expert to put in place basic protections for your website. You do need to know what’s normal, what’s not, and what to do when something feels off. Let’s talk about how website attacks actually work, how to spot them early, and what “good enough” protection looks like for most small business websites.

  • On our resources page, we include a Domain Scanner that checks whether your SPF, DKIM and DMARC records are configured correctly. Proper email authentication can stop spoofed emails before they reach your clients (and just as importantly, help your emails not end up in your prospects’ spam folders). Give it a spin and let us know what you think!

  • Follow us on LinkedIn, Facebook or Instagram. YouTube is in the works (subscribe to get notified when I finally start getting these videos out there!)
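To show what an SPF/DMARC check like the Domain Scanner mentioned above actually looks for, here is a small added example (written for this issue, not the scanner’s own code). It runs over constructed TXT records for a hypothetical domain, so no DNS lookups are made; a real check would fetch the records first.

```python
# Constructed SPF/DMARC TXT records for a hypothetical domain; no DNS queries are made.
SAMPLE_TXT = {
    "example-business.test": "v=spf1 include:_spf.example-mail.test a mx ~all",
    "_dmarc.example-business.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-business.test",
}

def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means nothing to fix."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send for you"]
    findings, lookups = [], 0
    terms = record.lower().split()[1:]
    for t in terms:
        name = t.lstrip("+-~?").split(":")[0].split("/")[0]
        # Each of these mechanisms costs one of the 10 DNS lookups SPF allows.
        if name in ("include", "a", "mx", "ptr", "exists") or t.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the SPF limit of 10 (permerror)")
    last = terms[-1] if terms else ""
    if last in ("all", "+all"):
        findings.append("'+all' lets any server on the internet send as your domain")
    elif last == "?all":
        findings.append("'?all' is neutral; use '~all' or '-all' so spoofed mail is flagged")
    elif last not in ("~all", "-all") and not last.startswith("redirect="):
        findings.append("record does not end with an 'all' mechanism")
    return findings

def check_dmarc(record):
    """Return a list of findings for a DMARC record."""
    if not record:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1 or receivers ignore it")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject once reports look clean")
    elif policy not in ("quarantine", "reject"):
        findings.append("p tag missing or invalid; the record is ignored")
    if "rua" not in tags:
        findings.append("no rua= address, so you will never receive aggregate reports")
    return findings

def audit(domain, txt_records=SAMPLE_TXT):
    """Audit a domain from a dict of TXT values keyed by record name."""
    return {"spf": check_spf(txt_records.get(domain)),
            "dmarc": check_dmarc(txt_records.get("_dmarc." + domain))}
```

For the sample domain the SPF record passes, while DMARC is flagged because p=none only reports on spoofed mail rather than stopping it.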

🙋‍♀️ Top Reader Questions of the Week

Below are five questions from small‑business owners over the past week. What questions do you have?

  1. How should small business owners respond to the recent Betterment data breach if they use the platform for team 401(k)s?

    • The attacker accessed a marketing vendor, not Betterment’s core systems; no investment accounts or credentials were compromised.

    • Personal data exposed included names, emails, postal addresses, phone numbers and dates of birth.

    • There’s no need to close or freeze accounts, but verify that two‑factor authentication is enabled and monitor statements for unusual activity.

    • Hackers are using the stolen contact info to send phishing emails. Warn your staff to ignore unsolicited “triple your crypto” offers and never send cryptocurrency or passwords in response to emails.

  2. Are the recent mass Instagram password‑reset emails a phishing attempt or just a platform glitch?

    • Meta acknowledged a bug that allowed an external party to trigger password‑reset emails for some users; there was no evidence of a breach and accounts remain secure.

    • You can safely ignore unsolicited reset emails and should not click any links in them.

    • If concerned, reset your password directly in the Instagram app and ensure two‑factor authentication is enabled.

    • Stay alert for follow‑up phishing messages exploiting the confusion.

  3. Is SOC 2 compliance worth the investment for a 2‑person SaaS startup, or are there better alternatives?

    • A Type 1 SOC 2 audit typically costs $7,500–$15,000 and a Type 2 audit $12,000–$20,000, with total expenses potentially doubling when including prep and tooling.

    • Many small SaaS firms spend $30,000–$50,000 to achieve full certification.

    • Early‑stage startups can defer full certification by using compliance‑automation platforms (Drata, Vanta, Secureframe) that offer lower‑cost attestation and help implement controls.

    • Focus first on core security practices and a Type 1 report; pursue Type 2 when enterprise customers require it.

  4. What are the best free tools for training small business employees against social engineering attacks?

    • Google’s phishing quiz offers a free interactive test with sample emails to teach users how to spot red flags.

    • A free Infosec IQ account provides access to awareness modules, assessments and phishing templates.

    • Share IRS Publication 4524 and related guides with employees to cover basic data security practices and phishing awareness.

    • The FTC’s small‑business resources and the National Cybersecurity Alliance offer free videos and tip sheets.

    • Schedule quarterly phishing drills rather than one‑off sessions to reinforce learning.

    • If you are paying for IT or security services, check if employee training modules are included.

  5. What are the potential tax and identity theft implications for small businesses after a PII data leak?

    • The risk depends on the type of data stolen; exposure of names and addresses is less severe than theft of Social Security numbers.

    • The IRS advises businesses to notify law enforcement, their local IRS stakeholder liaison and credit bureaus if taxpayer identification numbers are compromised.

    • Individuals whose data was exposed should monitor for tax‑related identity theft, report any incidents and obtain an Identity Protection PIN to secure their tax account.

    • Continue filing returns and paying taxes as usual, and never share tax information in response to unsolicited calls or emails.

    • As always, check with your financial professional for tax and finance advice.

🤖 The LOL-gorithm

🧷 THE SAFETY SNAP

Bluetooth Headphones & Stalking Risks

Researchers recently discovered a serious flaw in the way many popular wireless headphones and speakers handle Bluetooth pairing. Normally, your earbuds or headset should only accept a connection when you deliberately put them into pairing mode. Many manufacturers didn’t enforce this rule, allowing a nearby stranger (within about 45 feet) to secretly connect to your device. Once connected, the intruder can crank up the volume, listen through the microphone, or even use Google’s location‑tracking network to follow you if the device hasn’t been paired with an Android phone. The problem is subtle — you might see a tracking alert that looks like your own device and dismiss it. Fixes are coming, but updates may take months to reach every model.

Why does this matter? Many of us wear Bluetooth headsets to chat with friends or listen to podcasts, or for that matter to do client calls. A hijacked headset could leak private conversations or give a stalker clues about your location. To stay safe, look up your headphone or speaker model and install any updates the manufacturer provides. Until your device is patched, avoid discussing sensitive topics on wireless headsets in public places, turn off Bluetooth when you’re not using it, and be wary of any unexpected pairing prompts or sudden volume changes. If you see a “Find My” tracking alert you don’t recognize, take it seriously. Encourage your team to keep their audio devices updated and consider using a wired headset for confidential calls.

💬 A PERSONAL NOTE

I love new beginnings. Fresh shiny new years, even Mondays and new weeks! I’m doing some speaking on security for startups and AI for entrepreneurs, and some traveling in the next couple of months for work and fun. I’m also planning a six-week sabbatical for later this year or next. Where should I go? So many possibilities! I’ll be staying within the US this time and traveling with kids. Let me know what interesting off-the-beaten-path or must-do experiences you know about!

👂 TELL ME

Running a small business means wearing dozens of hats — CEO, accountant, marketer and more. Cybersecurity may not be your favourite hat, but it’s one you can’t take off. Our goal is to make it lighter by turning complex news into plain‑English guidance you can use. If you found this issue helpful, forward it to a friend or fellow business owner who could use a little cyber‑confidence.

P.S. Do you have a burning question or a tip to share? Just hit “reply” and let me know. Your experiences help other small businesses avoid similar pitfalls.

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
