PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.
Welcome back to Phish & Tell — your quick security tune‑up for busy founders and small business owners. This week we’re looking at TikTok business account compromises, ransomware that moves at AI speed, and other news stories — and how to protect yourself.
Let’s dive in 👇
THIS WEEK’S 10-MINUTE WIN
Protect your TikTok for Business account from phishing takeovers
If you…
You or your marketing team run ads, campaigns, or analytics from a TikTok for Business or Creator account — especially if you sign in with Google.
Should you care?
✅ YES — urgently
You manage your brand or ad account yourself. Attackers are actively stealing TikTok and Google credentials through fake login pages that look shockingly real.
🤷‍♀️ MAYBE — worth doing anyway
Your team handles social logins or ad management. Even one compromised marketer’s login could cost you access, ad dollars, and reputation.
❌ NO — low priority (for now)
You don’t use TikTok. Or your company already enforces hardware‑based MFA and centralized social logins with strict access controls. Still, share this with your marketing team just in case.
What’s happening (plain English)?
A new phishing campaign is impersonating TikTok for Business using Cloudflare Turnstile checks (those “prove you’re human” pop‑ups) to make fake sites look authentic. Victims are sent through Google cloud‑hosted links that redirect to counterfeit TikTok and Google sign‑in pages. The attackers then capture usernames, passwords, and session cookies — granting instant access without needing MFA. Domains trace back to NiceNIC registrations and Cloudflare hosting, making the scam appear even more legitimate.
Do this now
Bookmark official login pages. Type business.tiktok.com or ads.tiktok.com directly into your browser.
Turn on passkeys or hardware‑based MFA for both TikTok and Google accounts. App‑based codes are good; physical keys are better.
Review account recovery settings to confirm backup emails and phone numbers are correct.
Watch for login alerts. If you get an alert you didn’t trigger, revoke sessions immediately.
Remind your team — especially contractors or agencies — never to log in through links sent by email, DMs, or ads.
AI REALITY CHECK
Ransomware at Machine Speed
What happened: A recent survey cited by Dark Reading shows that 78% of companies believe AI makes ransomware more effective — and they’re probably right. Ransomware crews now use AI for lightning‑fast data searches and polished extortion messages. Many rely on “living off the land” tactics — abusing legitimate tools and stolen credentials — instead of obvious malware, making detection harder than ever.
Why it matters: Time is no longer on your side. When automation fuels attacks, small businesses become prime targets — fast, valuable, and less defended. Beyond encrypted data, AI‑enhanced ransomware gangs threaten to leak sensitive documents or contact your customers for leverage.
What to do:
Layer up defenses: Backups, Endpoint Detection and Response (EDR, replacing old antivirus), MFA — never just one safety net.
Segment networks to contain infections. (Even if that just means asking your internet provider to set up separate networks for business and home use, if you work from home.)
Test your incident‑response plan quarterly: can you isolate a system in under 10 minutes?
Teach your team how remote‑control tools and unexpected MFA prompts can signal danger.
READER QUESTION OF THE WEEK
How do we stop phishing emails? Our employees keep clicking malicious links.
You’re not alone — about 80% of breaches still start with phishing. Security pros recommend a simple but powerful five‑layer plan:
Email filtering: Google Workspace or Microsoft 365 filtering (≈ $6/user) blocks the majority of junk and phishing messages.
Authentication: Set up SPF, DKIM, and DMARC — free guides at dmarcian.com — to detect and reject spoofed emails.
Simulations: Use GoPhish’s free monthly tests to see who clicks so you can train them.
Micro‑training: Five‑minute refreshers each month beat one‑and‑done annual sessions.
Browser armor: uBlock Origin and using safe browsing tools can block many phishing redirects.
Start with filtering and authentication — cheap, fast, and highly effective. Layer human training next. The Reddit consensus: this combo cuts phishing risk by roughly 90%.
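A practical way to see whether the authentication layer is actually doing its job is to look at the SPF and DMARC records your domain publishes. The checker below is an added example, not code from the newsletter or from dmarcian.com: it takes record strings you paste in (for instance copied from a `dig TXT` lookup), so it runs offline, and flags the settings that leave spoofing possible (a DMARC policy of `p=none`, an SPF record ending in `~all` or `+all`, missing aggregate-report addresses, too many DNS-lookup mechanisms). The sample records in it are constructed for illustration and are not any real domain's records.

```python
"""Sanity-check SPF and DMARC TXT records for weak settings.

Added example, not from the newsletter or from dmarcian.com. Paste in the
record strings (e.g. from `dig TXT example.com` and `dig TXT _dmarc.example.com`);
the samples below are constructed for illustration, not real domains' records.
"""
import re

# Constructed sample records (hypothetical domain, not a real lookup result).
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.google.com ~all"
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.google.com -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# Mechanisms that cost a DNS lookup; SPF allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|redirect|exists)(:|=|$)")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' DMARC text into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means nothing weak found."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    return findings


def assess_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing weak found."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1)"]
    terms = record.split()
    last = terms[-1].lower()
    if last == "~all":
        findings.append("~all (softfail) lets unauthorized senders through")
    elif last in ("+all", "all"):
        findings.append("+all authorizes every sender; SPF is useless")
    elif last != "-all":
        findings.append("record does not end with -all; unlisted senders are not rejected")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (
        ("SPF (weak)", SAMPLE_SPF_WEAK, assess_spf),
        ("SPF (strong)", SAMPLE_SPF_STRONG, assess_spf),
        ("DMARC (weak)", SAMPLE_DMARC_WEAK, assess_dmarc),
        ("DMARC (strong)", SAMPLE_DMARC_STRONG, assess_dmarc),
    ):
        print(label, "->", fn(rec) or "OK")
```

Start a new domain at `p=none` with `rua=` set so you see the reports, then move to `p=quarantine` and finally `p=reject` once legitimate senders all pass; the checker is there to stop you from forgetting that last step.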
I’ll add — create psychological safety, a blameless environment, so people can come to you if they realize they clicked a link. People are tired, busy, distracted, and it happens. Best to know as soon as possible rather than have people afraid and hide it. Read more here.
RISK RADAR
Also happening this week
Fake Résumés Deliver Malware
Attackers behind the FAUX#ELEVATE campaign are sending realistic job applications loaded with VBScript malware that steals credentials and mines crypto. The malware primarily activates, or fully weaponizes, inside corporate/domain‑joined environments, a sign that the attacks are targeted.
Fix: Require applicants to upload resumes securely instead of by email, and scan all attachments before opening.
Compromised AI Library on PyPI
Malicious versions of LiteLLM (1.82.7–1.82.8) exfiltrated SSH keys, cloud tokens, and cluster secrets. Anyone building chatbots or automation tools may be affected.
Fix: Roll back and pin safe package versions, review dependencies, and rotate keys immediately.
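"Pin safe versions and review dependencies" is easier to act on with a script that reads your requirements file and tells you whether a compromised version is pinned, or whether the package is unpinned so a resolver could pull one in. The script below is an added example, not code from the newsletter or from the LiteLLM project; the affected range it checks (1.82.7 to 1.82.8) is the one reported above, and the requirements text it reads is constructed for illustration.

```python
"""Flag compromised or unpinned package versions in a requirements file.

Added example, not from the newsletter or from the LiteLLM project. The
affected range for litellm is the one the newsletter reports; the sample
requirements text is constructed for illustration.
"""
import re

# Package -> inclusive (lowest, highest) affected version, as reported above.
AFFECTED = {"litellm": ((1, 82, 7), (1, 82, 8))}

# Constructed sample requirements file (hypothetical project).
SAMPLE_REQUIREMENTS = """\
# constructed example
requests==2.32.3
litellm==1.82.8
openai>=1.0
"""

_REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9.]*)?")


def parse_version(text: str) -> tuple:
    """'1.82.8' -> (1, 82, 8); tuples compare correctly where strings do not."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_requirements(text: str):
    """Yield (name, operator, version) for each requirement; comments and
    option lines (-r, -e, ...) are skipped. Operator/version may be None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_LINE.match(line)
        if match:
            yield match.group(1).lower(), match.group(2), match.group(3)


def check_requirements(text: str) -> list:
    """Return one finding per affected package that is unpinned or pinned
    inside the compromised range; an empty list means nothing to act on."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if name not in AFFECTED:
            continue
        low, high = AFFECTED[name]
        low_s, high_s = ".".join(map(str, low)), ".".join(map(str, high))
        if op != "==" or ver is None:
            findings.append(f"{name}: not pinned with ==; a resolver may pick an affected version")
            continue
        if low <= parse_version(ver) <= high:
            findings.append(
                f"{name}=={ver}: in compromised range {low_s}-{high_s}; roll back and rotate secrets"
            )
    return findings


if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS) or ["no affected packages found"]:
        print(finding)
```

Run it against `requirements.txt` (or `pip freeze` output, which is the same `name==version` shape) before and after rolling back; a clean result only clears the version, so key rotation still has to happen if the bad version was ever installed.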
TP‑Link Router Bug = Instant Takeover
Routers in the Archer NX line had an authentication‑bypass flaw (CVE‑2025‑15517) letting attackers upload firmware without a password.
Fix: Patch now and replace old consumer‑grade routers with business‑grade models supporting automatic updates.
Vendor Breach Hits Crunchyroll Users
A stolen SSO token from a support vendor exposed 6.8 million user records. This underlines how third‑party breaches can boomerang.
Fix: Demand MFA and SSO transparency from vendors, limit their access, and require contractually‑mandated breach alerts. I wrote here about how you can get ready to be a trusted vendor; ask for the same from your own vendors.
Benefits Platform Exposes HackerOne Employee Data
A vulnerability in the Navia benefits portal leaked the PII of nearly 300 employees.
Fix: Vet HR software providers, encourage credit freezes for exposed staff, and minimize sensitive data sharing.
You don’t need to act on these unless they apply to you.
ON THE PERSONAL SIDE
Balancing work and caregiving
As an only child and single mom, balancing work and caregiving is a constant tightrope walk. Maybe more like a pingpong game. I’m grateful that working from anywhere means I can show up — even if I can’t be in two places at once. Caregivers, I see you. The mom guilt is real. ❤️
Before you go
Running a small business is hard enough without worrying about hackers. Investing a little time in security awareness — like reading this newsletter — pays dividends. Stay vigilant, support one another, and keep building those amazing businesses.
~Alexia
P.S. No office hours this week because I’m helping my mother out, but don’t hesitate to reply to this email if you have questions.
My question to you: AI tools are becoming part of many people’s days. How do you decide what’s safe to automate?
You’re subscribed to Phish & Tell™️ because your business is worth protecting.
🩷
