PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.

Not every headline deserves your attention — but some are worth a quick scan.
Here’s what’s happening in the broader cybersecurity world this week, so you can decide in under a minute whether anything applies to your business.

THIS WEEK’S 10-MINUTE WIN
Train your team to stop before they pick up the phone

If you…

…or your team get an email that urges you to call a phone number (a fake invoice, a “subscription renewal” notice, a security alert)

Should you care?

YES — urgently
You or your team regularly receive invoices, purchase orders or “urgent” emails with phone numbers. Fraudsters love targeting accounts payable and customer‑service roles.

🤷‍♀ MAYBE — worth doing anyway
You seldom handle payments but occasionally field customer enquiries or support calls.

NO — low priority (for now)
You outsource all billing and support, and employees have strict rules about who can approve payments or call vendors.

What’s happening (plain English)?

Researchers say telephone‑oriented attack delivery (TOAD) emails work because the recipient never clicks a suspicious link; they call a phone number that looks legitimate, usually printed on a convincing fake invoice or account alert. Once on the line, a live scammer talks them into sharing login credentials, installing remote‑access software or paying a bogus invoice. These emails sail past typical filters because the only “payload” is a phone number in plain text: there is no link to scan and no attachment to detonate, so the message looks as clean as any real invoice.

Do this now

  1. Tell your team: Never call phone numbers from unsolicited emails or texts. Look up the company’s contact details on its official website or a previous invoice instead, and if the message claims there is a problem with an existing account, log in to that account directly rather than through anything in the email.

  2. Create a verification policy: For any payment, refund or account‑support request, require a second check with a manager or a known contact, made over a channel the requester did not supply (a number already on file, not one in the email).

  3. Update your security training: Include TOAD examples during phishing awareness sessions and remind staff that scammers may push them to act quickly. Urgency on the phone is the tell; a real vendor will happily let you hang up and call back on a number you looked up yourself.

AI REALITY CHECK
Shadow AI is becoming the new shadow IT

  • What happened: Security teams are reporting a sharp rise in “shadow AI” — employees signing up for AI tools without approval and using them for real business work. Examples include:

    • Uploading spreadsheets to AI analytics tools

    • Feeding contracts into AI summarizers

    • Using AI browser extensions that read every page you visit

    • Connecting AI tools directly to Google Drive, Slack, or email

    These tools often request broad permissions — including read/write access to documents and inboxes.

    Most businesses don’t realize how much access they’ve granted.

  • Why it matters: When an AI tool connects to your email or cloud storage, it can:

    • Index large amounts of internal data

    • Store conversation context long-term

    • Retain access even after an employee leaves (an OAuth grant stays valid until someone revokes it, and tenant‑wide admin consent is not tied to any one user account)

    If that AI tool, or the employee’s account on it, is compromised, the attacker doesn’t just get one file: they may inherit everything the tool was allowed to read or write.

  • What to do:

    • Audit which third‑party apps, AI or otherwise, hold OAuth grants in Google Workspace (Admin console: Security > Access and data control > API controls) or Microsoft 365 (Entra admin center: Enterprise applications, then each app’s Permissions page)

    • Remove unused third‑party integrations, and revoke the grant rather than just uninstalling the app, since the token keeps working until it is revoked

    • Restrict app installation permissions: in Microsoft 365 turn off unrestricted user consent (or limit it to verified publishers and low‑impact permissions); in Google Workspace block unreviewed third‑party apps and allow‑list the ones you approve

    • Use least‑privilege access when connecting AI tools to business systems: prefer scopes limited to the files a user explicitly shares with the app over “all files” or “full mailbox” access
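Step one, auditing connected apps, is easier with a script than by eyeballing the admin console. The block below is an added example written for this issue, not the newsletter’s or any vendor’s own tooling: it scores an exported list of OAuth grants by how broad their scopes are and flags grants that persist or apply tenant‑wide. The records in SAMPLE_GRANTS are constructed to mimic the shape of Google Workspace `tokens.list` items and Microsoft Graph `oauth2PermissionGrants`; the scope tables and the HIGH/MEDIUM/LOW cut‑offs are my assumptions.

```python
"""Triage third-party OAuth grants for broad mail and file access.

Added example, not the newsletter's own tooling. SAMPLE_GRANTS is a
constructed dataset shaped like two real exports: Google Workspace Admin SDK
`tokens.list` items (displayText, clientId, userKey, scopes as a list) and
Microsoft Graph `oauth2PermissionGrants` (clientId, principalId, consentType,
scope as a space-separated string). The risk tables are assumptions about
which scopes matter; extend them for your tenant.
"""
from __future__ import annotations

# Scopes that let an app read AND change mail or documents.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "read/write every Drive file",
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "Mail.ReadWrite": "read and write the mailbox",
    "Files.ReadWrite.All": "read/write all files the user can reach",
    "Sites.ReadWrite.All": "read/write all SharePoint sites",
}
# Read-only, but still bulk access to mail or documents.
READ_ONLY_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly": "read every Drive file",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "Mail.Read": "read the mailbox",
    "Files.Read.All": "read all files the user can reach",
}
# Narrower scopes the vendor could have asked for instead (least privilege).
NARROWER = {
    "https://www.googleapis.com/auth/drive": "drive.file (only files the user opens in the app)",
    "Files.ReadWrite.All": "Files.ReadWrite (only the signed-in user's own files)",
    "Sites.ReadWrite.All": "Sites.Selected (only sites an admin grants)",
}

SAMPLE_GRANTS = [  # constructed records, not real tenant data
    {"displayText": "DocSummarizer AI", "clientId": "1234.apps.googleusercontent.com",
     "userKey": "finance@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"displayText": "Calendar Helper", "clientId": "5678.apps.googleusercontent.com",
     "userKey": "ops@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    # appDisplayName is not on the raw Graph grant; join it from the
    # servicePrincipal whose id matches clientId before running this.
    {"clientId": "sp-aaaa", "principalId": "user-1", "consentType": "Principal",
     "appDisplayName": "Inbox Assistant",
     "scope": "User.Read Mail.ReadWrite offline_access"},
    {"clientId": "sp-bbbb", "principalId": None, "consentType": "AllPrincipals",
     "appDisplayName": "Meeting Notes AI",
     "scope": "User.Read Files.Read.All"},
]


def scopes_of(record: dict) -> list[str]:
    """Return the scope list whether the export is Google-style (list) or Graph-style (string)."""
    scopes = record.get("scopes") or record.get("scope") or []
    return scopes.split() if isinstance(scopes, str) else list(scopes)


def assess_grant(record: dict) -> dict:
    """Score one grant: HIGH for read/write bulk access, MEDIUM for bulk read, LOW otherwise."""
    scopes = scopes_of(record)
    broad = [s for s in scopes if s in BROAD_SCOPES]
    read_only = [s for s in scopes if s in READ_ONLY_SCOPES]
    severity = "HIGH" if broad else "MEDIUM" if read_only else "LOW"
    return {
        "app": record.get("displayText") or record.get("appDisplayName") or record["clientId"],
        "severity": severity,
        "reasons": [BROAD_SCOPES[s] for s in broad] + [READ_ONLY_SCOPES[s] for s in read_only],
        # Graph: offline_access means a refresh token, so access outlives the session.
        # Google: anything listed by tokens.list is already a long-lived grant.
        "persistent": "offline_access" in scopes or record.get("scopes") is not None,
        # AllPrincipals is admin consent for every user; it survives any one employee leaving.
        "tenant_wide": record.get("consentType") == "AllPrincipals",
        "narrower": {s: NARROWER[s] for s in broad if s in NARROWER},
    }


def triage(records: list[dict]) -> list[dict]:
    """Highest-risk grants first; the sort is stable so export order breaks ties."""
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted((assess_grant(r) for r in records), key=lambda f: rank[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        flags = [name for name, on in (("persistent", f["persistent"]),
                                        ("tenant-wide", f["tenant_wide"])) if on]
        print(f"{f['severity']:<6} {f['app']:<18} {'; '.join(f['reasons']) or 'no mail/file access'}"
              f"{'  [' + ', '.join(flags) + ']' if flags else ''}")
        for scope, alt in f["narrower"].items():
            print(f"       ask the vendor for {alt} instead of {scope}")
```

Run it as‑is to see the constructed output, then replace SAMPLE_GRANTS with a real export (the Google Admin SDK Directory API tokens.list call per user, or Graph’s /oauth2PermissionGrants joined to /servicePrincipals for the app name). Anything rated HIGH with the tenant‑wide flag deserves a look this week: it has read/write access on behalf of every user, and nobody’s departure will switch it off.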

READER QUESTION OF THE WEEK
What should small businesses avoid when choosing cybersecurity tools and vendors?

Biggest mistake?
Buying advanced tools before securing the basics.

2026 SMB data shows:

  • 84% of small businesses manage security in-house

  • 28% lack formal training

  • Many invest in expensive tools while MFA isn’t enabled everywhere

That’s backwards.

The three most common mistakes:

1. Fancy dashboards, weak foundations
If multi-factor authentication, patching, and backups aren’t solid, no premium tool will save you.

2. Ignoring what you already pay for
Microsoft 365 and Google Workspace include powerful security features (enforced MFA, conditional or context‑aware access, phishing and malware filtering, audit logs). Most businesses never turn them on.

3. Buying from fear
If the sales pitch is panic-based, stop for a second. Good security is layered and strategic — not dramatic. Watch out for “FUD” selling: fear, uncertainty, and doubt.

What works instead:

  1. Run a basic security assessment

  2. Lock down MFA everywhere

  3. Patch consistently

  4. Train your team

  5. Then consider specialized tools

The right support can cost less than stacking tools you don’t fully use — especially if you’d rather not manage it yourself.

RISK RADAR
Also happening this week

  • Ransomware victims are paying less — but demands are rising. Criminals collected less overall last year, but the median ransom demand jumped. Translation: attackers are asking for bigger payouts when they strike. Make sure you have offline or immutable backups that you have actually tested restoring from, and a response plan, before you need either.

  • Vendor misconfigurations can lead to breaches. A cloud backup change exposed sensitive configuration data and helped trigger a ransomware incident. Ask your vendors how they secure backups and restrict API access. Your security is only as strong as your partners’.

  • Attackers move faster than ever. New research shows criminals can move from initial access to deeper network control in under 30 minutes — sometimes seconds. Enforce multi-factor authentication everywhere and limit admin privileges: separate admin accounts that nobody uses for email or browsing, and as few of them as possible.

  • Claude Code AI tool patched after critical vulnerabilities. Flaws allowed potential command execution and credential theft through malicious project files. If you use AI coding tools, update immediately and treat them like any other development dependency. Opening an untrusted repository with a tool that can run commands is the same as running that repository’s code, so keep such tools away from projects you haven’t vetted.

You don’t need to act on these unless they apply to you.

ON THE PERSONAL SIDE
Don’t fall for the “easy side hustle” trap

Scammers are promoting fake “reshipping” and data‑entry jobs that promise flexible hours and quick money. They’ll ask for your bank account or Social Security number to set up direct deposit — or send you a check and instruct you to wire some of the money back. Once you deposit the check and return the funds, it bounces and you’re on the hook. Research any employer by searching its name with “scam” or “complaint,” never pay to get a job and never deposit a check for someone you don’t know. Protect yourself the same way you protect your business: verify, slow down and trust your instincts.

Before you go

You don’t need to act on all of this.
Just note what touches your tools, vendors, or workflows — and ignore the rest.

Security isn’t about reacting to everything.
It’s about responding to the things that actually affect you.

Until next week,
~Alexia

P.S. If you’d rather talk it out than read about it, you’re welcome in my free drop-in office hours on Roam at 1pm EST on Fridays (later today!) When the light is green, I’m available—click here to drop in to my lobby and check:
https://ro.am/alexia-idoura/

My question to you: What AI tool are you using most in your business right now? Hit reply and tell me — I’m curious.

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
