PHISH & TELL™ – The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.
You’ll notice Phish & Tell looks a little different today.
I’ve rebuilt this newsletter to work for you, when you’re running a business:
“Do I need to worry about this?”
“Is there something I actually have to do this week?”
“Or can I ignore it and get back to work?”
So, from now on, every issue will give you:
One main risk, in plain English
A quick triage box so you can see if it applies to you
Tiny actions you can take this week
An AI Reality Check, so you can use AI without breaking trust or leaking client info
THIS WEEK’S 10-MINUTE WIN
Create a “Pause Before You Install” Rule
If you…
Occasionally download tools, extensions, or AI helpers to make work easier
Should you care?
✅ YES — urgently
You or your team regularly install browser extensions, plugins, AI helpers, or “quick fix” software
🤷‍♀️ MAYBE — worth doing anyway
You rarely install software, but sometimes try new productivity tools or free utilities
❌ NO — low priority (for now)
Only an IT provider installs software on your devices and users don’t have install access
What happened (plain English)?
Malware can hide inside trusted services (like browser extensions, utilities, AI tools), so your computer may treat it like normal activity. That means security tools may not stop it — but hesitation often does.
Do this now
Tell your team: no installing new apps or extensions during busy moments
Wait 10 minutes and verify the company website and reviews
If it claims to “fix” something urgently → don’t install it
You’re not banning tools — you’re removing the attacker’s time pressure.
AI REALITY CHECK
AI assistants can act as secret channels for malware
Source: BleepingComputer
What happened: Check Point researchers built a proof-of-concept showing that AI chat assistants like Grok and Microsoft Copilot can be abused. Malware talks to the hacker by “chatting” through an AI assistant, so it looks like normal activity instead of an attack. The technique doesn’t require an AI account and can even encrypt the data to evade safety filters.
Why it matters: Many businesses now allow AI websites through their firewalls. If malware hides its traffic inside trusted AI sessions, it may slip past your security tools. This experiment shows that new technologies can create new attack surfaces.
What to do: Monitor which AI services your endpoints can access and restrict them to trusted domains. Limit which applications are allowed to launch web browsers. Keep your endpoint protection up to date and remind employees not to install untrusted software or run suspicious scripts. If you can, get someone knowledgeable to evaluate the security of your AI tool “stack”.
Takeaway: Attackers can hide malware traffic inside trusted AI tools — so treat AI apps like any other risky internet service, not automatically safe.
READER QUESTION OF THE WEEK
Which affordable security tools should startups prioritize first?
Start with a password manager so your team (even if that’s just you!) stops reusing passwords
Turn on built-in email protections already included in Microsoft 365 or Google Workspace
Enable multi-factor authentication everywhere possible — this blocks most attacks instantly
Don’t buy advanced security tools yet — most breaches happen because basics weren’t set up (also, it may be cheaper to pay for done-for-you services, aka “managed” security services)
A quick risk check: protect email, protect money, protect customer data
RISK RADAR
Also happening this week
Chrome zero-day patched; Google released emergency updates — update your browsers. (Open Chrome → Settings → About Chrome and install the latest update. Enable automatic updates for the future.)
Critical bug in Grandstream GXP phones allows eavesdropping. Check the model numbers of your desk phones. If they’re affected, install Grandstream’s firmware update immediately.
Cybercriminals increasingly misuse remote-support tools. Require multi-factor authentication for remote access. Regularly review audit logs to spot unusual sessions. If you outsource IT, ask your provider how they secure their remote tools.
You don’t need to act on these unless they apply to you.
ON THE PERSONAL SIDE
Scammers are now exploiting physical mail too
Have you received a letter or text that looks official, urges you to scan a QR code or call a number immediately, and threatens to disable your account? In one recent campaign, criminals mailed letters impersonating hardware-wallet makers Trezor and Ledger. The letters urged recipients to scan a QR code and complete an “authentication check,” claiming that failure to do so would permanently disable their wallet. The QR codes led to a fake site that asked for the recovery phrase — which the scammers then used to steal the victim’s crypto.
What to remember:
Never share your recovery phrase or private key. Hardware-wallet makers will never ask for it outside of your device.
Be cautious with QR codes. Only scan codes from trusted sources; a sticker placed on a public poster or a letter in your mailbox could be a trap.
Verify contact details by visiting the official website or using contact information from product packaging. Avoid calling numbers or visiting links provided in unsolicited messages or search-engine snippets.
Act quickly if you suspect a scam. Move funds to a new wallet and contact the vendor’s official support. Don’t be embarrassed — these scams are designed to trick smart people.
Don’t do crypto? Sometimes they send a cheap piece of jewelry you didn’t order and a QR code to “return” it. The thing to be cautious of is some random QR code.
Before you go
Keeping up with cybersecurity can feel like drinking from a fire hose, especially when you have a business to run. Remember that you don’t have to understand every technical detail to take meaningful steps: update your software, use strong unique passwords, and stay skeptical of unsolicited requests. I hope this week’s issue helps you feel informed.
Remember: Security isn’t about preventing every bad thing. It’s about removing the handful of surprises that can stop your business cold.
Add one small protection each week → your risk drops fast.
Until next week,
~Alexia
P.S. If you’d rather talk it out than read about it, you’re welcome in my free drop-in office hours on Roam at 1pm EST on Fridays (later today!). When the light is green, I’m available—click here to drop in to my lobby and check:
➜ https://ro.am/alexia-idoura/
My question to you: What platform would hurt most if you lost access for a day? Reply and tell me. I read every response.
