
👋 WELCOME to Phish & Tell™️, from Security Done Easy™️
You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK
Some weeks it’s really hard to choose the key stories. This is one of those weeks.
Moltbot (Clawdbot) AI assistant deployments leak secrets
Source: Viral Moltbot AI assistant raises concerns over data security, BleepingComputer
What happened: Moltbot (originally called Clawdbot) is an open‑source AI assistant that can run locally and integrate deeply with messaging apps and file systems. It went viral last week, but this week security researchers found that many users deploy it carelessly. Misconfigurations leave hundreds of admin interfaces exposed to the internet, allowing unauthenticated access, credential theft and command execution. Publishing a malicious “skill” to the official skill repository resulted in downloads by developers in seven countries. Token Security says 22% of its enterprise customers have employees using Moltbot without IT approval. Risks include exposed tokens, plaintext credentials and an expanded prompt‑injection attack surface. There is no sandbox by default, so Moltbot has the same file‑system access as the user.
Why it matters: AI assistants promise productivity but can also be Trojan horses. Unsanctioned AI tools may expose client data, passwords and proprietary information. Attackers can also abuse publicly exposed instances to pivot into your network.
What to do: Adopt policies that prohibit installing AI assistants without approval, and remind your team to vet any third‑party skills before installation. Make sure the tools themselves are configured correctly, with admin interfaces not reachable from the internet. Set up a scheduled AI task or Google Alert so that news stories about the tools your team uses reach you on a regular basis.
eScan antivirus server hacked to deliver malicious update
Source: eScan confirms update server breached to push malicious update, BleepingComputer
What happened: MicroWorld Technologies confirmed that one of its regional update servers for eScan antivirus was breached on January 20, 2026 and used to distribute a malicious update to customers for about two hours. The unauthorized file, delivered via the legitimate update mechanism, modified the Windows hosts file, blocked future updates and connected to command‑and‑control servers to download a backdoor. eScan isolated the affected infrastructure, rotated credentials and released a remediation update that corrects modifications, restores update functionality and requires a reboot.
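The malicious eScan update worked partly by rewriting the Windows hosts file so the machine could no longer reach the vendor's update servers. The following is an added example (not eScan's or MicroWorld's code) of a defender-side check that parses a hosts file and flags update hostnames that have been sinkholed to loopback or redirected elsewhere; the hostnames under `example-av.invalid` and the sample file contents are constructed placeholders, since the real hostnames are not on this page.

```python
import ipaddress

# Constructed sample hosts file: two normal localhost lines, one vendor update
# host sinkholed to 0.0.0.0 (blocks updates), one vendor host redirected to a
# documentation-range IP standing in for an attacker-controlled server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.invalid    # blocks vendor updates
203.0.113.45    download.example-av.invalid  # redirect (constructed)
192.168.1.20    fileserver.corp.local
"""

# Assumption: replace with the hostname suffixes your security vendors use
# for updates and telemetry. A default hosts file should not mention them.
WATCHED_SUFFIXES = ("example-av.invalid",)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, ip_address, hostname) for every mapping in the file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not a mapping
        for name in parts[1:]:
            entries.append((line_no, ip, name.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Flag update hosts pointed at loopback/0.0.0.0 (sinkholed) or any other
    address (redirected), and localhost names that no longer resolve locally."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        local_target = ip.is_loopback or ip.is_unspecified
        if name in LOCAL_NAMES:
            if not local_target:
                findings.append((line_no, name, str(ip), "localhost remapped"))
            continue
        if name.endswith(watched):
            reason = "update host sinkholed" if local_target else "update host redirected"
            findings.append((line_no, name, str(ip), reason))
    return findings
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `text` and treat any finding as a reason to check the vendor's advisory before trusting the next update.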
Why it matters: Supply‑chain attacks exploit trust in software updates. Even if you buy reputable antivirus software, a compromised update server can install malware on your systems. Small‑business owners may assume their antivirus is “set and forget,” but this incident shows the need for vigilance.
What to do: If you use eScan antivirus, apply the remediation update immediately and block the domains listed in eScan’s advisory. For other software, enable automatic updates only for vendors with strong update integrity controls, and monitor vendor advisories for any unusual behavior (such as failures to update or unexpected pop‑ups). Consider running antivirus updates through a proxy or firewall that can block known malicious domains.
Microsoft Teams adds ‘Report a Call’ button to fight scam calls
Source: New Microsoft Teams feature will let you report suspicious calls, BleepingComputer
What happened: Microsoft announced a new Report a Call option for Teams. Starting mid‑March, users on Windows, Mac or the web can flag suspicious one‑to‑one calls as potential scams or phishing attempts. When a call is reported, Teams shares limited metadata (time, caller ID and participant IDs) with your organization and Microsoft. The feature is enabled by default but administrators can turn it off; general availability is expected by late April.
Why it matters: Voice‑based phishing and brand‑impersonation scams are on the rise. Many women entrepreneurs rely on Teams to connect with clients; a single fraudulent call could trick staff into revealing invoice details or transferring money. Giving users a simple reporting mechanism helps organizations detect and respond to suspicious calls faster.
What to do: Familiarize your team with the new Report a Call button and encourage them to use it. Administrators should ensure Teams clients are updated, review reported call data in Microsoft Defender or the Teams Admin Center, and consider enabling Microsoft’s brand‑spoofing warnings when they roll out.
Not sure what applies to your business or what your options are? Let’s talk.
🔍 In Case You Missed It (ICYMI)
This week’s blog post: Did You Know January 28 is Data Privacy Day?
Data privacy probably isn't at the top of your to-do list. But here’s the reality: every time you collect a customer’s email address, store client information, or process a payment, you’re responsible for protecting that data.
I contributed to this article on compliance: Cybersecurity Compliance Lessons: Insights From Industry Experts
🙋‍♀️ Top Reader Questions of the Week
Below are five questions from small‑business owners over the past week. What questions do you have?
Is a password manager really necessary for my small business?
Humans can’t safely remember unique passwords for dozens of accounts.
Password reuse is responsible for the majority of account takeovers.
Password managers generate and store long, unique passwords automatically.
Free or low-cost options (like Bitwarden) are sufficient for most small businesses.
Setup usually takes under 30 minutes and dramatically reduces breach risk.
Should I hire an IT security person or use a managed security service provider (MSSP)?
For most small businesses, MSSPs are more cost-effective.
MSSPs provide monitoring, patching, backups, and incident response.
Hiring in-house is usually expensive and hard to scale.
MSSPs offer access to tools and expertise you couldn’t afford alone.
Always check references and service coverage before signing.
Do I need to comply with GDPR or CCPA as a small business?
GDPR applies if you have any EU customers.
CCPA applies if you serve California residents and meet data or revenue thresholds.
Penalties can be severe, even for small businesses.
Core requirements include encryption, access controls, and breach notification.
Basic security practices (MFA, backups, encryption) cover most compliance needs.
How do I recover a hacked Facebook or Shopify business account?
Change passwords immediately and enable MFA.
Log out all active sessions.
Review connected apps and integrations.
Use official recovery tools from the platform.
Monitor for unauthorized changes and notify customers if needed.
Are those “account restricted” comments on LinkedIn a scam?
Yes—LinkedIn does not restrict accounts via public comments.
Scammers use urgency and fake links to steal credentials.
Legitimate alerts come through email or in-app notifications.
Report the comment and do not click the link.
Enable MFA on your LinkedIn account immediately.
🤖 The LOL-gorithm

🧷 THE SAFETY SNAP
A popular AI-powered toy recently exposed over 50,000 private chat logs between kids and their toy—and anyone with a Gmail account could access them. Researchers found that the company left its online dashboard completely unsecured. The exposed data included kids’ names, ages, and deeply personal conversations about their lives, interests, and feelings. The company fixed the issue once it was reported, but the exposure had already happened.
Why this matters to you:
This is a reminder that many “smart” toys and AI apps don’t just talk to your child—they store those conversations online. If security is weak, that information can be seen by people who were never meant to have access. Even products marketed as safe for kids can collect far more data than you realize.
What you can do right now:
Be cautious with AI-enabled toys and apps that record or store conversations.
Check the privacy settings and disable voice recording or data storage if you can.
Review the toy or app’s privacy policy to understand where your child’s data goes.
Regularly delete stored conversations or account data.
Talk with your child about what not to share with smart devices—names, school details, birthdays, or family information.
Smart toys can be fun, but your child’s privacy should always come first. When you’re unsure, collecting less data is the safer choice.
👂 TELL ME
P.S. If you found this issue helpful, forward it to a friend or fellow business owner who could use a little cyber‑confidence. And hit reply if you have questions or feedback — I love hearing from you.

You’re subscribed to Phish & Tell™️ because your business is worth protecting.
🩷
