PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.

Small-business owners are constantly told to add more tracking, more automation, and more “insight” to their websites and inboxes. The problem is that some of those conveniences collect more than you think, and attackers are getting better at using everyday business tools against you. This week’s stories are a good reminder that privacy and security are not separate problems.

THIS WEEK’S 10-MINUTE WIN
Turn on Apple's Background Security Improvements — right now

Should you care?

YES — urgently
You own or manage iPhones, iPads, or Macs used for work. Apple just shipped a silent patch for a serious browser flaw, and it only reaches your device if this setting is on.

🤷‍♀ MAYBE — worth doing anyway
You're not sure whether company devices have automatic updates enabled. Five minutes of checking beats discovering you were exposed.

NO — low priority (for now)
Your devices are fully managed by an IT department, MSP/MSSP, or other platform that handles update policy for you. Ask them to confirm the background security update policy is actually switched on, then move on.

What’s happening (plain English)?

Apple shipped a new feature called Background Security Improvements that pushes small critical patches to your device without waiting for a full OS update. The first one fixed a WebKit flaw — the browser engine underneath Safari — that could let a malicious website peek at data from a completely different site. Browser bugs like this often get weaponized quickly after they go public.

Do this now

  1. Turn on the setting. On an iPhone or iPad, go to Settings → General → Software Update → Automatic Updates and make sure Security Responses & System Files is toggled on (the exact label varies by OS version). On a Mac, the same toggle lives under System Settings → General → Software Update → Automatic Updates.

  2. Plug in overnight. Background updates apply silently when your device is plugged in and on Wi-Fi. Make it a habit.

  3. Check company devices. Ask anyone on your team with a company iPhone, iPad, or Mac to do the same thing before end of day.

  4. Still install full updates. Background patches are a supplement, not a replacement. When a full iOS or macOS update arrives, install it.

AI REALITY CHECK
Forget looking for typos — AI phishing emails are now polished on purpose

What happened: A new report from Kaseya (released this week) found that 83% of phishing emails now use AI-generated content, and AI-crafted messages have a 54% click rate — compared to just 12% for traditional phishing emails. The report called 2025 an "inflection point," saying AI-generated phishing has become the baseline, not the exception. Attackers are also ditching links and attachments altogether in favor of phone numbers, reply prompts, and QR codes — specifically to avoid spam filters.

Why it matters: Small-business owners have spent years training themselves and their teams to spot phishing by looking for red flags like awkward grammar, suspicious formatting, or urgent pressure. AI has erased most of those signals. A phishing email targeting your business today may read better than a legitimate vendor email. That means your instincts — and your employees' instincts — need a serious upgrade.

What to do:

  • Stop teaching staff that "bad grammar = phishing." Retire that advice immediately.

  • Train your team to verify intent and context, not just surface signals — if an email asks you to act fast, call the sender directly using a number you already have.

  • Be especially skeptical of emails with no links or attachments that ask you to call a number or reply with information.

  • Use email security tools that evaluate behavioral context, not just keyword patterns.

  • When in doubt about a message, treat it like a fire drill: pause, verify through a separate channel, then proceed.
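Here is what "evaluate context, not just surface signals" looks like in practice. This is an added illustration, not code from the newsletter or from the Kaseya report: a small Python screen that scores a message on the link-free callback pattern described above (no URL or attachment, a phone number, pressure language, a request to call or reply, and a Reply-To that quietly points somewhere other than the sender's domain). The weights and the cut-off are assumptions chosen for the example; the two sample emails are constructed, using reserved 555-01xx phone numbers and example.* domains.

```python
"""Screen an email for link-free 'callback' phishing signals.

Added illustration (not from the newsletter or the Kaseya report). The
weights and the cut-off score are assumptions chosen for this example; the
two messages at the bottom are constructed samples with reserved 555-01xx
phone numbers and example.* domains.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(r"\b(?:call|phone|dial|reply with|respond with|text us)\b")
URGENCY = ("immediately", "urgent", "within 24 hours", "today",
           "suspended", "final notice", "action required")

# Assumed weights: a phone number or a mismatched Reply-To weighs more than
# the softer cues. Scores at or above CUTOFF mean "verify before acting".
WEIGHTS = {
    "no_links_or_attachments": 1,
    "phone_number": 2,
    "urgency": 1,
    "asks_to_call_or_reply": 1,
    "reply_to_mismatch": 2,
}
CUTOFF = 4


def body_text(msg: Message) -> str:
    """Return the plain-text body, joining text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def domain_of(header_value: Optional[str]) -> str:
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def score_message(raw_email: str) -> dict:
    """Score one RFC 822 message; higher means more like a callback phish."""
    msg = message_from_string(raw_email)
    text = body_text(msg)
    low = text.lower()
    has_attachment = any(p.get_content_disposition() == "attachment" for p in msg.walk())
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])

    signals = {
        # The filter-evasion pattern: nothing for a link or attachment scanner to inspect.
        "no_links_or_attachments": not URL_RE.search(text) and not has_attachment,
        "phone_number": bool(PHONE_RE.search(text)),
        "urgency": any(word in low for word in URGENCY),
        "asks_to_call_or_reply": bool(CALL_RE.search(low)),
        # Replies silently rerouted to a domain other than the sender's.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }
    score = sum(WEIGHTS[name] for name, hit in signals.items() if hit)
    verdict = ("verify out of band before acting" if score >= CUTOFF
               else "looks routine; still confirm any payment or account change")
    return {"score": score, "signals": signals, "verdict": verdict}


# Constructed sample 1: a link-free "renewal" callback scam.
CALLBACK_PHISH = """\
From: Account Services <billing@renewal-desk.example>
To: owner@smallbiz.example
Reply-To: refunds@mail.example.org
Subject: Your annual protection plan has renewed

Your annual PC Protection plan was renewed today for $399.99.
If you did not authorize this charge, call 1-800-555-0142 within 24 hours
to cancel and receive a full refund. This is a final notice.
"""

# Constructed sample 2: an ordinary vendor message with a link and no pressure.
ROUTINE_VENDOR = """\
From: Dana Ortiz <dana@vendor.example>
To: owner@smallbiz.example
Subject: March invoice

Hi, the March invoice is ready in the portal: https://portal.vendor.example/inv/1187
Let me know if you have questions.
Thanks, Dana
"""

if __name__ == "__main__":
    for label, sample in (("callback phish", CALLBACK_PHISH), ("routine vendor", ROUTINE_VENDOR)):
        result = score_message(sample)
        print(f"{label}: score={result['score']} -> {result['verdict']}")
        print("  ", {name: hit for name, hit in result["signals"].items() if hit})
```

The callback sample scores 7 (every signal fires) and the vendor sample scores 0. Note what the verdict is and isn't: a legitimate appointment reminder that says "call us today to reschedule" with no link will also trip the cut-off, which is exactly why the output is "verify out of band", not "block". The point of the heuristic is to move the decision from "does it look sketchy" to "does this message want me to act through a channel the filter can't see".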

READER QUESTION OF THE WEEK
Should I pay the $2,000 ransom if my small business gets hit with ransomware?

It's easy to say "don't pay" — but $2,000 might feel like a bargain compared to days of lost revenue, missed client deadlines, and the cost of professional recovery help. Here's the honest answer.

Paying is almost never the right move, and here's why: only about one in five businesses that pay actually get their files back. Paying also marks you as a target who will pay, making a repeat attack more likely. If the gang copied your data out before encrypting it, paying does nothing to get that data back. And if the group behind the attack is on the U.S. Treasury's sanctions list, paying can violate federal sanctions law even if you had no idea who you were paying.

Before you do anything else, try this, in this order:

  • Isolate the infected device. Pull the network cable or turn off Wi-Fi right away so the ransomware can't spread to other machines, shared drives, backups, or cloud-synced folders. Don't wipe or reinstall it yet: the encrypted files and the ransom note are exactly what a decryptor or an incident responder will need.

  • Don't pay yet. Visit NoMoreRansom.org first. It's a free resource run by law enforcement and security firms that offers working decryptors for many ransomware variants. Its Crypto Sheriff tool identifies the strain from the ransom note and a couple of encrypted files. Not every family has a decryptor, but checking costs nothing and has saved businesses from paying millions in ransom.

  • Report it immediately. File a report with the FBI's Internet Crime Complaint Center at IC3.gov. This is fast, free, and may unlock federal resources that can help. Your report also helps law enforcement track and disrupt ransomware gangs.

  • Check your backups. Even partial backups can dramatically reduce recovery time and cost. Check cloud storage, external drives, and any email or platform attachments that might contain recent versions of your files. Before you restore, confirm the backup itself wasn't encrypted and that the machine you restore to is clean.

  • Call a professional before you pay. An incident response consultant can often recover more than you expect, and their fee may still be less than the ransom. Your cyber insurance policy (if you have one) may cover it; check the policy, because many require you to notify the insurer before you pay anything.

The $2,000 demand feels small, but paying opens a door you can't easily close. Exhaust your free options first — you may be surprised.

RISK RADAR
Also happening this week

  • Two popular business tools have dangerous flaws that attackers are already using. A normal-looking email, no sketchy attachment and no suspicious link, can still be enough to compromise a webmail account, and a separate flaw can give an outsider full access to your internal file system. If your business uses Zimbra email or Microsoft SharePoint, your tech person needs to apply this week's security updates immediately; the fixes exist, but they do nothing until they're installed. Takeaway: "It looked like a normal email" is no longer a safe reason to trust it.

  • New Android malware is reading your notes app. A new strain of malware spreads through fake streaming apps and, once installed, quietly watches everything on your phone, including Google Keep, Evernote, and Samsung Notes. Many business owners store passwords, client details, and sensitive ideas in note apps without thinking twice. Takeaway: Only install apps from the Google Play Store, never switch on "install unknown apps" because a streaming site tells you to, and if your phone starts showing unexpected pop-ups asking for special permissions (especially Accessibility access), deny them and take it seriously.

  • Microsoft released an important update this week. It fixes nearly 80 security issues, including some that can be triggered just by opening or previewing a document someone emailed you. Takeaway: Make sure Windows Update is turned on and running, and restart when it asks so the fixes actually take effect. If you or your team opens documents from clients or vendors regularly, this one matters.

  • Tax scammers are working overtime right now. Fake IRS calls, texts, and emails spike every March. Scammers now use AI to clone voices and spoof caller ID, so a call can sound convincingly real. The IRS initiates contact by postal mail; it will never call, text, or email you demanding immediate action or payment. Takeaway: Hang up. Go to IRS.gov directly. Forward suspicious emails to phishing@irs.gov.

  • Apple pushed a quiet security fix to iPhones and Macs this week. It patches a browser flaw that could let a malicious website snoop on what you're doing in another tab. The fix delivers automatically — but only if you have the right setting turned on. Takeaway: Check this week's 10-Minute Win section above to make sure your devices are covered.

You don’t need to act on these unless they apply to you.

ON THE PERSONAL SIDE
School STEM night — tons of fun

This week my daughters and I had the privilege of running a room for STEM night for elementary school kids in our community. We set up stations for lock picking, crypto puzzles, electronics, AI jailbreaking, and — my personal favorite — "spot the AI picture." Watching kids as young as six start to question what they see on a screen was one of the best things I've done all year.

It's a good reminder that cybersecurity isn't just a business problem. It's a life skill. And the earlier we start teaching it, the better equipped the next generation will be.

Before you go

As women entrepreneurs, we juggle so much; taking a few minutes to update devices or train a team member can prevent hours or days of cleanup. Remember to celebrate the wins—each small step towards better security is progress. Thank you for making your business and community safer.

Thanks for reading Phish & Tell. Stay curious, stay skeptical, and I'll see you next week.
~Alexia

P.S. If you’d rather talk it out than read about it, you’re welcome in my free drop-in office hours on Roam at 1pm EST on Fridays (later today!) Come say, “Hi!” When the light is green, I’m available—click here to drop in to my lobby and knock:
https://ro.am/alexia-idoura/

My question to you: I’m noticing a bigger divide around AI — it seems like people are seeing it as super power or villain. Where do you stand?

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
