
👋 WELCOME to Phish & Tell™️, from Security Done Easy™️
You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK
Happy Valentine’s Day early (sounds better than Happy Friday the 13th :D)!
Before we jump in, next Friday 20 Feb, I’m going to be starting free weekly drop-in office hours on Ro.am! Got a question? Come ask, privately! Here’s how it will work — you click on my meeting link and pop in to my lobby. If the light is green, I’m available and I’ll invite you in right away. If the light is red, I’m with someone already and you are welcome to wait. There’s a little virtual bookshelf with back issues of this newsletter and a link to my site where you can check out my blog as well as a silly Sora video. This is an experiment, so I’ll be curious to hear your feedback!
Add the invite to the weekly drop-in office hours to your calendar here and drop in any time.

Now, on to today’s top news and top questions, hot off the press.
Have a contingency plan for payment disruptions.
Source: BleepingComputer – February 7, 2026
What happened: Payment gateway BridgePay confirmed that a ransomware attack caused widespread outages across its BridgeComm API, PayGuardian Cloud and other payment services. Merchants across the U.S. reported being unable to process credit card transactions and had to accept cash or delay sales. BridgePay said no payment card data was compromised and it was working with law enforcement.
Why it matters: Many small businesses rely on third‑party gateways to process payments. When those providers are hit, your cash flow can grind to a halt. Even if card data isn’t stolen, downtime can mean lost sales and frustrated customers.
What to do: Know how to switch to alternative processors or accept offline payments. Verify that vendors have strong cybersecurity and incident response plans, and consider cyber insurance that covers business interruption.
Update this WordPress backup and migration plugin immediately.
Source: BleepingComputer – February 10, 2026
What happened: Researchers found a vulnerability in the WPvivid Backup & Migration plugin used by more than 900,000 WordPress sites. The flaw lets unauthenticated attackers upload malicious files when the “receive backup from another site” option is enabled. Version 0.9.124 fixes the issue.
Why it matters: If your business runs a WordPress site, a single vulnerable plugin could let attackers take it over. E‑commerce sites are especially attractive targets because they often store customer data.
What to do: Update the WPvivid plugin to the latest version immediately or disable the feature for receiving backups. In general, only enable backup migration when needed and keep all plugins and themes current. Consider using a Web Application Firewall (WAF) to block malicious traffic.
If you host a SmarterMail server, update it now.
Source: BleepingComputer – February 6, 2026
What happened: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a remote‑code‑execution flaw in SmarterTools’ SmarterMail server to its Known Exploited Vulnerabilities catalogue. The bug allows unauthenticated attackers to run commands and has been used in ransomware campaigns.
Why it matters: Many managed service providers and small businesses use SmarterMail to run their own email servers. A successful exploit could give attackers complete control of your mail server, leading to data theft or business disruption.
What to do: If you host a SmarterMail server (or rely on a provider that does), ensure it’s updated to build 9526 or newer. Disable unused features and restrict admin interfaces to trusted IP addresses. Monitor your email logs for unusual activity and implement regular backups so you can restore data if needed.
Not sure what applies to your business or what your options are? Let’s talk.
🔍 In Case You Missed It (ICYMI)
This week’s blog post: How Do I Train My Employees on Cybersecurity Without Boring Them to Death? This post breaks down how to train your employees on cybersecurity in a way that actually works, keeps people engaged, and doesn’t require you to be a tech expert.
🙋‍♀️ Top Five Questions of the Week
Below are five questions from small‑business owners over the past week. What questions do you have?
Why did a phishing invoice get through my email filters, and what additional protections should I add?
DMARC/SPF/DKIM only authenticate sender domains; they don’t analyze content. Layer defenses with AI‑based email gateways that inspect attachments and links.
Train employees to spot subtle domain mismatches in sender addresses (e.g., “@vendor-services.com” instead of “@vendor.com”).
Implement strict payment‑approval processes: call vendors using verified numbers before paying invoices and require internal sign‑off for large transfers.
Enable external email banners in Outlook or Gmail to alert users when messages originate outside your domain.
Consider subject‑line and attachment filters that quarantine messages with high‑risk keywords or file types.
Perform periodic security awareness training so staff remain vigilant as scam tactics evolve.
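As an added example (not from the newsletter), here is a small Python screener that shows the point above in code: an invoice lure can pass SPF, DKIM and DMARC while still coming from a lookalike domain the scammer controls, so a second layer compares the sender domain with the vendors you actually pay and quarantines on urgency language or risky attachment names. The vendor list, keyword list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lure that passes all three checks because the
# sender really does own "vendor-services.com" (a lookalike of vendor.com).
SAMPLE_INVOICE = """\
From: "Acme Billing" <accounts@vendor-services.com>
To: owner@example.test
Subject: URGENT: Invoice #4471 overdue - pay today
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Please remit payment immediately via the attached invoice (invoice_4471.html).
"""

# Constructed sample: a routine invoice from the real vendor.
CLEAN_INVOICE = """\
From: "Acme Billing" <accounts@vendor.com>
To: owner@example.test
Subject: Invoice #4472
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Attached is invoice_4472.pdf for the March order.
"""

KNOWN_VENDORS = {"vendor.com"}  # constructed: domains you actually pay
RISKY_WORDS = {"urgent", "overdue", "immediately", "wire", "gift card"}
RISKY_EXTS = (".html", ".htm", ".iso", ".zip", ".js")

def is_lookalike(domain, known):
    """True if domain is not a known vendor but borrows a vendor's name."""
    if domain in known:
        return False
    label = domain.split(".")[0]
    return any(k.split(".")[0] in label for k in known)

def screen_message(raw):
    """Return a verdict plus the findings that drove it."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    # Authentication says the domain is genuine; it says nothing about trust.
    if all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")) and domain not in KNOWN_VENDORS:
        findings.append("auth-pass-unknown-domain")
    if is_lookalike(domain, KNOWN_VENDORS):
        findings.append(f"lookalike:{domain}")
    text = (msg.get("Subject", "") + " " + (msg.get_payload() or "")).lower()
    if any(w in text for w in RISKY_WORDS):
        findings.append("urgency-language")
    for name in re.findall(r"[\w-]+\.\w{2,4}", text):  # file names in the body
        if name.endswith(RISKY_EXTS):
            findings.append(f"risky-attachment:{name}")
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}
```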
What are the best ways to train my team to recognize and avoid AI‑generated phishing emails?
Use phishing‑simulation tools such as Google’s free Phishing Quiz to run regular, realistic training exercises.
Teach employees to examine email headers and domain details (via tools like MX Toolbox) and hover over links before clicking.
Implement DMARC, SPF and DKIM on your domain to reduce spoofing, and enforce external sender warnings in your email client.
Deploy AI‑powered email filtering platforms (Microsoft Defender, Proofpoint, Mimecast) that can detect unusual language patterns.
Emphasize common red flags: perfectly written emails from normally casual contacts, urgency or threats, and requests for sensitive data.
Reinforce MFA on all accounts; while phishing can bypass weak MFA, hardware keys significantly reduce risk.
What should I do if someone hacks my QuickBooks Online account and changes my bank connections?
Immediately lock or disable the QuickBooks account via Intuit support, change the password, and enable MFA or hardware‑based security keys.
Audit all recent transactions and bank feeds; contact your bank(s) right away to reverse unauthorized transfers and report suspected fraud.
Enable transaction approval workflows and require dual authorization for large or unusual payments to prevent one‑click transfers.
Create separate admin accounts with limited privileges for bookkeeping tasks, and avoid sharing logins among multiple users.
Monitor bank feeds and QuickBooks notifications daily so you can catch suspicious activity quickly.
If Intuit’s support proves insufficient, evaluate alternative accounting platforms that may offer stronger security features.
What should I do if my Google Workspace account is compromised and shared files are deleted?
Force a password reset and enable MFA for every user; consider enforcing FIDO2 hardware security keys for stronger phishing resistance.
Use the Google Workspace Admin console to restore deleted files and drives from the trash or the Admin “Vault” within the allowable recovery window.
Audit recent account and login activity to spot suspicious IP addresses, devices, or third‑party access, and revoke anything unrecognized.
Implement Security Key enforcement so only users with approved hardware keys can access sensitive data.
Train your team to detect phishing emails that may bypass basic MFA and avoid entering credentials on untrusted links.
Consider using Google’s security tools (Alert Center, automated rules) to notify admins of unusual behavior.
What’s the most cost‑effective way to implement multi‑factor authentication (MFA) for a small team?
Start with free MFA tools included in your existing subscriptions—Microsoft Entra ID (Azure AD) with Microsoft Authenticator or Google Authenticator.
Avoid SMS codes due to SIM‑swap risk; instead, use authenticator apps or push notifications.
For phishing‑resistant security, invest gradually in FIDO2 hardware keys (YubiKey, Google Titan) at about $20–$50 per user.
Use conditional access policies to require MFA only on risky logins or when users access sensitive apps from new devices.
Evaluate MFA providers like Duo or Okta Essentials (around $2–$5 per user per month) if you need centralized management.
Provide training and support to ensure non‑technical staff understand and adopt MFA without frustration.
🤖 The LOL-gorithm

🧷 THE SAFETY SNAP
Valentine’s Day brings an uptick in scam emails and “special offers,” and researchers warn that nearly 40 % of Valentine‑themed emails this year are fraudulent. Scammers impersonate brands, dating sites or long‑lost admirers, using AI to craft convincing messages. Here’s how to protect your heart and your wallet:
Slow down: Urgent messages about surprise deliveries or expiring offers are red flags. Take a breath and verify before clicking.
Watch the language: AI‑generated dating profiles often have generic bios or inconsistencies. Be skeptical if someone professes strong feelings quickly or pushes you to move the conversation off the platform.
Stick to official sites: Only purchase flowers, gifts or dating services from reputable websites. Avoid clicking links in unsolicited emails—type the retailer’s URL yourself.
Never send money or personal photos to strangers: Scammers will invent emergencies or romantic gestures to ask for gift cards or wire transfers. Protect your finances and personal images by saying no.
Trust your instincts: If something feels off, end the conversation. Many victims feel embarrassed, but scams prey on everyone. Reach out to friends, family or a trusted support group if you think you’ve been targeted.
👂 TELL ME
P.S. Hit reply if you have questions or feedback — I love hearing from you!

You’re subscribed to Phish & Tell™️ because your business is worth protecting.
🩷
