PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.

Hello and welcome to this week’s Phish & Tell! Every issue is written with you in mind, translating the week’s cybersecurity headlines into plain English and actionable advice. Whether you’re juggling customers, employees, or family responsibilities, staying safe online doesn’t have to be overwhelming. Let’s dive into the latest threats and how you can keep your business—and your personal life—secure.

Let’s dive in 👇

THIS WEEK’S 10-MINUTE WIN
Install April’s Microsoft updates before attacks hit

If you…

Use Windows PCs, Office applications or SharePoint servers in your business.

Should you care?

YES – urgently – Your computers and servers handle customer data and business finances. April’s Patch Tuesday included fixes for 169 vulnerabilities across Windows and Office, including an actively exploited SharePoint spoofing flaw (CVE‑2026‑32201) and the “BlueHammer” Microsoft Defender privilege escalation bug (CVE‑2026‑33825). Ninety‑three of these flaws allow attackers to elevate their privileges to SYSTEM level.

🤷‍♀ MAYBE – worth checking – You run a small office with only a couple of Windows machines that auto‑update. It’s still important to verify that updates have applied and restart the devices so patches take effect.

NO – low priority (for now) – Your business uses only Macs and cloud‑hosted SaaS tools, and you don’t have any Windows servers or PCs.

What’s happening (plain English)?

Microsoft’s monthly security release for April is one of the largest in recent years, addressing over 160 vulnerabilities in Windows, Office and related products. Attackers are already using these to hijack user sessions and more. Failing to patch leaves you vulnerable: dozens of the flaws allow attackers to turn a minor foothold into full system control.

Do this now

  • Run Windows Update on all PCs and servers and confirm that the April patches have been installed. Restart systems to ensure the fixes take effect. Many people forget that you need to restart afterwards!

  • Update SharePoint Server to the latest version immediately.

  • Check Windows Defender and apply any available security intelligence updates.

  • Remind staff to save their work and reboot after updates. Consider scheduling maintenance windows for critical systems.
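To confirm the Windows Update, restart and Defender steps above on a given machine, here is an added PowerShell example (not from Microsoft or from the original newsletter). The `$Since` cutoff date is an assumption to adjust to the patch cycle you are checking.

```powershell
# Added example: run in an elevated PowerShell window on each Windows PC or server.
# Assumption: $Since is the start of the patch cycle you want to verify.
$Since = [datetime]'2026-04-01'

# 1. Windows updates installed on or after the cutoff.
#    Get-HotFix lists Windows servicing updates only; Office and SharePoint
#    updates must be checked in those products.
$recent = @(Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
    Sort-Object InstalledOn -Descending)

# 2. Is a restart still pending? Installed patches are not fully active until reboot.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$restartPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

# 3. Defender platform and security intelligence versions (skipped if Defender is absent).
$defender = $null
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
}

# One summary row per machine; collect these to see which devices still need work.
[pscustomobject]@{
    Computer                    = $env:COMPUTERNAME
    LastBoot                    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    UpdatesSinceCutoff          = $recent.Count
    UpdateIds                   = ($recent.HotFixID -join ', ')
    NewestUpdateInstalledOn     = if ($recent.Count) { $recent[0].InstalledOn } else { $null }
    RestartPending              = $restartPending
    DefenderPlatformVersion     = $defender.AMProductVersion
    DefenderIntelligenceVersion = $defender.AntivirusSignatureVersion
    DefenderIntelligenceUpdated = $defender.AntivirusSignatureLastUpdated
} | Format-List
```

A machine that shows zero updates since the cutoff, or `RestartPending : True`, still needs attention.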

AI REALITY CHECK
AI voice phishing platform sells automated scams for $4,000

Security researchers at Abnormal discovered ATHR, a cybercrime platform that automates voice phishing (vishing). For $4,000 plus a 10% commission, the platform provides email templates, brand impersonation and AI‑driven voice agents that guide victims through fake security alerts and account recovery processes. The goal is to harvest six‑digit verification codes, enabling attackers to compromise accounts on Google, Microsoft, Coinbase and other major email and crypto services. The automation makes TOAD (telephone‑oriented attack delivery) accessible to less technical criminals.

Why it matters: Small‑business owners and their staff may receive convincing emails and phone calls that appear to be from legitimate providers. If someone reads a verification code over the phone, attackers can take over accounts.

What you can do: Train employees to be skeptical of unexpected security alerts or requests for verification codes. Remind them that legitimate support will never ask for a one‑time password. Implement phishing‑resistant multi‑factor authentication (e.g., a hardware token such as a YubiKey) that doesn’t rely on SMS codes, and monitor login notifications for unusual activity.

READER QUESTION OF THE WEEK
What additional security measures should small businesses implement beyond QuickBooks Online’s built‑in protections?

A reader asked: “Is QuickBooks Online secure enough, or do I need extra layers?” It’s a common concern as more small businesses move their accounting and client records into the cloud. QuickBooks Online includes strong security features on Intuit’s side, but security is always a shared responsibility—your devices, passwords and processes matter just as much.

  • Back up your financial data outside QuickBooks. Export key reports and data regularly and store them in an encrypted backup (for example in a secure cloud drive or a proper backup tool). This gives you options if an account is locked, compromised, or data is accidentally deleted.

  • Turn on strong multi‑factor authentication. Make sure MFA is enabled on your Intuit account and any connected email accounts, ideally using an authenticator app or hardware key instead of SMS. Treat access to your accounting system like access to your bank.

  • Secure the devices that access QuickBooks. Use reputable endpoint protection, keep operating systems and browsers updated, and require full‑disk encryption on laptops. If malware or keyloggers land on your machine, they can bypass even the best cloud‑side protections.

  • Lock down user accounts and permissions. Give staff individual logins instead of shared credentials and grant only the access they actually need (for example, view‑only vs. full admin). Review user access quarterly and remove former employees or vendors immediately.

  • Protect email and connected apps. Many QuickBooks compromises start with email account takeovers, password resets, or malicious app connections. Use strong, unique passwords managed by a password manager, enable MFA on email, and periodically review and remove unnecessary integrations.

In short, think of QuickBooks Online as one secure component inside a larger defense‑in‑depth strategy. When you add strong MFA, hardened devices, careful access control and independent backups, you dramatically reduce the chances that a single mistake turns into a financial disaster.

RISK RADAR
Also happening this week

LinkedIn phishing emails mimic LinkedIn’s brand
A phishing campaign uses look‑alike domains to send fake LinkedIn notifications, tricking recipients into entering their credentials on a spoofed login page.
Fix: Always verify sender addresses and hover over links before clicking, enable multi‑factor authentication on LinkedIn and navigate directly to the site when you receive an invitation.

Malicious “Claude Code” leak drops Vidar malware
A GitHub repository posing as a leaked version of Anthropic’s Claude Code CLI secretly delivered Vidar credential‑stealing malware and GhostSocks proxies to people who downloaded and ran it.
Fix: Download software only from official sources and use endpoint protection (formerly commonly called antivirus). If you downloaded the fake repository, delete any clones of it and change your credentials.

Sharing accounts with virtual assistants can expose your data
Businesses often share full account credentials with virtual assistants; if a VA’s device is compromised or they’re not vetted, attackers can steal data or impersonate staff.
Fix: Use separate, role‑based accounts, share passwords through a manager, enable MFA on all accounts, audit and revoke VA access regularly and hire through reputable providers.

Attackers impersonate Microsoft, Apple, Google and others
Check Point Research reports that Microsoft, Apple, Google, Amazon, and LinkedIn were the most spoofed brands in phishing campaigns in Q1 2026.
Fix: Train yourself and your staff to inspect URLs carefully, avoid clicking links in unsolicited emails, enable multi‑factor authentication, filter emails and monitor for impersonations of your own brand.

Booking.com breach exposes reservation data
Booking.com reset PINs after a breach exposed customers’ names, emails, addresses, phone numbers and communications with property providers. Some victims reported receiving scam emails using their reservation details.
Fix: Reset your booking PIN through the official app, verify any requests for payment via Booking.com’s portal and treat unsolicited booking emails with suspicion.

You don’t need to act on these unless they apply to you.

ON THE PERSONAL SIDE
Unsettling week for personal safety

It's been an unsettling week for those of us concerned about personal safety online and offline. The widespread report of an “academy” teaching men to drug and rape their partners, share their partners, and then make and share the videos with each other (à la the Pelicot rape case from France) is beyond disturbing. (That one website had 62 million hits, mostly from the US, in just the month of February.) In the same vein, investigators found Telegram channels with tens of thousands of members offering services to hack, doxx and surveil wives or acquaintances, including “nudification” apps and doxxing packages. Then there is the continued rise of AI “nudify” apps that are spreading through high schools and turning innocent photos into explicit deepfake nudes, traumatizing girls.

What do we do in these cases? These women and girls didn’t do anything “wrong”. There’s no easy “use a stronger password” advice to give in cases like these. We need to make sure women and girls know that it’s not their fault, support them, support organizations pushing for stronger laws against non-consensual deepfakes, and report abusive content when we see it; holding perpetrators accountable is essential for creating a safer online environment for everyone.

Before you go

Thank you for taking the time to stay informed and proactive about your digital safety. Remember, every small step counts: a password change, a software update, or a conversation with your team can make all the difference. Keep up the great work, and never hesitate to reach out with questions or success stories. Stay vigilant, and have a wonderful weekend!
~Alexia

P.S. I’ll be here for office hours at 1pm Eastern if you have any questions — sometimes a quick 8-minute meeting is all it takes!

My weekly question to you: What’s the single biggest change you’ve made to protect your business or personal data this year? I’d love to hear your experiences—share a quick tip or story by replying to this email!

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
