PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.
Hello and welcome to this week's Phish & Tell! Every issue is written with you in mind, translating the week's cybersecurity headlines into plain English and actionable advice. Whether you're juggling customers, employees, or family responsibilities, staying safe online doesn't have to be overwhelming.
Let’s dive in 👇
THIS WEEK’S 10-MINUTE WIN
Check whether your office software got this week's urgent patches
If you…
Use Windows PCs, run a business website, or use PaperCut print management, Zimbra email, or Quest KACE in your office.
Should you care?
✅ YES – urgently – You run any of the products on this week's list. CISA added 8 new vulnerabilities to its ‘known exploited’ list this week, including… These are either confirmed or strongly suspected to be exploited in the wild right now.
🤷‍♀️ MAYBE – worth checking – You use Windows PCs but haven't verified that April's Patch Tuesday updates installed successfully and that the machines were restarted afterward. Updates don't take full effect until after a reboot, which is easy to miss.
❌ NO – low priority (for now) – Your business runs entirely on Mac and cloud-only SaaS tools, with no Windows servers, PaperCut, Zimbra, KACE, or Cisco SD-WAN on the network.
What’s happening (plain English)?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a running list (its Known Exploited Vulnerabilities, or KEV, catalog) of software flaws that are confirmed or strongly believed to be actively exploited by real attackers. This week it added 8 new entries, including:
PaperCut NG/MF — print management software common in small offices. The flaw has been linked to ransomware gangs since 2023, and it is still showing up on CISA's list in 2026, which strongly suggests that many systems are running unpatched versions three years later.
Quest KACE SMA — an IT management tool. The flaw is rated 10.0 out of 10 on the CVSS severity scale: it lets an attacker impersonate any legitimate user without a password.
Cisco Catalyst SD-WAN Manager — three separate flaws; at least one has been confirmed exploited, and CISA lists all three as known exploited.
Zimbra Collaboration Suite — business email platform used by many small organizations.
JetBrains TeamCity and Kentico Xperience — developer and website tools.
Federal agencies must patch these by April 23–May 4 (the deadline varies by entry). You aren't legally required to — but attackers don't check that box before targeting you.
Do this now
Ask your IT person or MSP: "Do we use any of these? PaperCut, KACE, Zimbra, Kentico, Cisco SD-WAN Manager, TeamCity?" If so — are they patched?
Check Windows Update on all business PCs and servers. Confirm the April patches installed and that each machine was restarted afterward. The reboot is the step people skip, and until it happens you should assume at least some of the fixes aren't active yet.
If you manage your own systems: log into the admin portal for any of these products and compare your current version to the vendor's latest release. Most vendors publish security advisories on their websites.
Broader point: Any software that hasn't been looked at in over a year is a liability. Ask for a quick audit of what's running on your business network.
AI REALITY CHECK
Your third-party AI tools just became an attack vector
This week's most instructive AI security story isn't about an external hacker building a clever tool. It's about what happened to Vercel — one of the largest web infrastructure platforms used by developers and small businesses worldwide.
On April 19, Vercel disclosed that attackers gained access to internal systems through an unexpected entry point: a third-party AI tool called Context.ai that one of its employees was using. The attacker compromised Context.ai, used that access to take over the employee's Google Workspace account, pivoted into the employee's Vercel account, and from there moved through Vercel's internal systems — accessing environment variables (including some decrypted secrets) and a subset of customer-related accounts. Vercel is working with Google Mandiant and law enforcement, and as of April 24 the investigation is still ongoing.
The attacker never needed to break through Vercel's front door. They went through a small AI productivity tool a single employee had connected to their work account.
The Cloud Security Alliance put numbers on this pattern in a report published the same week: two-thirds of organizations have now suffered a cybersecurity incident caused by an AI agent or AI tool deployed on their network, with data exposure (61%), operational disruption (43%), and financial loss (35%) as the most common outcomes. More striking: 82% of organizations discovered AI agents running on their network that they didn't even know were there.
Why it matters: If you or your team use AI tools — and nearly every small business does now — those tools connect to your accounts, your email, your files. Each one is a potential entry point. Vetting the security of a major SaaS platform doesn't protect you if a small, under-resourced AI tool that connects to it gets compromised first.
What you can do: Do a quick audit: which AI tools have your employees connected to work accounts (Google Workspace, Microsoft 365, project management tools)? Most platforms let you review connected apps in your account settings.
Revoke access for any AI tools that aren't actively being used — especially anything connected to email or admin accounts.
If you're a Google Workspace administrator, check for the specific OAuth app involved in the Vercel breach. If it appears in your connected apps, revoke it immediately.
Apply the same skepticism to AI tools that you apply to other software: who built it, what does it access, and what happens if it gets compromised?
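For the IT person or MSP who actually runs that audit, here is an added worked example of the triage step. It is editor's code written for this edit, not anything from Google or from the original newsletter. It works over a constructed list of connected-app grants (made-up users, app names and last-used dates) in the shape you would get by flattening the Google Workspace Admin SDK's per-user token listing, and it decides which grants to revoke, review or keep based on how much the app's OAuth scopes can reach, whether the grant was made from an admin account, and whether the app has been used recently. The scope strings are real Google scopes; the risk tiers and the 30-day staleness cutoff are this example's own assumptions.

```python
from datetime import date, timedelta

# Real Google OAuth scope strings. The HIGH/MEDIUM split is this example's own
# judgement (what an attacker could do with the grant), not a Google classification.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                              # full mailbox
    "https://www.googleapis.com/auth/gmail.modify",          # read, send, delete mail
    "https://www.googleapis.com/auth/drive",                 # all files
    "https://www.googleapis.com/auth/admin.directory.user",  # manage users
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar",
}
STALE_AFTER = timedelta(days=30)  # assumption: a tool nobody has used in a month is not needed

# Constructed sample (made-up users, apps and dates): one row per user/app grant,
# the shape you get by flattening the Admin SDK's per-user token listing.
SAMPLE_TOKENS = [
    {"user": "alice@example.com", "is_admin": False, "app": "Notes AI Helper",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"],
     "last_used": "2026-04-22"},
    {"user": "bob@example.com", "is_admin": True, "app": "Slide Summarizer",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"],
     "last_used": "2026-01-10"},
    {"user": "carol@example.com", "is_admin": False, "app": "Meeting Transcriber",
     "scopes": ["https://www.googleapis.com/auth/calendar"],
     "last_used": "2026-04-20"},
    {"user": "dave@example.com", "is_admin": True, "app": "Inbox Copilot",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify"],
     "last_used": "2026-04-23"},
]


def scope_tier(scopes):
    """Worst-case tier across all scopes the app holds."""
    if any(s in HIGH_RISK_SCOPES for s in scopes):
        return "high"
    if any(s in MEDIUM_RISK_SCOPES for s in scopes):
        return "medium"
    return "low"


def assess(token, today):
    """Decide revoke / review / keep for one grant and record why."""
    tier = scope_tier(token["scopes"])
    idle = today - date.fromisoformat(token["last_used"])
    stale = idle > STALE_AFTER
    reasons = []
    if tier != "low":
        reasons.append(f"{tier}-risk scopes")
    if stale:
        reasons.append(f"unused for {idle.days} days")
    if token["is_admin"]:
        reasons.append("granted from an admin account")

    if stale and tier != "low":
        action = "revoke"   # real access, no current use: nothing lost by removing it
    elif tier == "high" and token["is_admin"]:
        action = "revoke"   # Vercel's attacker pivoted through one employee's Workspace account; an admin's is worse
    elif tier == "high":
        action = "review"   # in use, but confirm who built it and why it needs this much access
    else:
        action = "keep"
    return {"user": token["user"], "app": token["app"], "action": action, "reasons": reasons}


def audit(tokens, today):
    """All grants, most urgent first."""
    order = {"revoke": 0, "review": 1, "keep": 2}
    return sorted((assess(t, today) for t in tokens), key=lambda r: order[r["action"]])


def run_sample():
    """Offline run over the constructed sample; 'today' is fixed to this issue's date."""
    return audit(SAMPLE_TOKENS, date(2026, 4, 24))


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['action']:<7} {r['user']:<18} {r['app']:<20} {'; '.join(r['reasons'])}")
```

The point of the ordering is that the two "revoke" rows need no discussion: an unused tool with file access, and an admin's mailbox handed to a productivity app, both come out before anything that needs a conversation with the user.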
READER QUESTION OF THE WEEK
How do non-security people at smaller companies actually stay informed about threats?
Is it realistic to stay current on cybersecurity threats when you are wearing so many hats in your business?
Short answer: yes, but don’t try to follow everything. Focus on the fundamentals.
Here's what actually works:
Focus on the basics, not the headlines. Most attacks against small businesses don't use cutting-edge techniques. They exploit software that hasn't been patched, passwords that haven't changed, and employees who weren't trained to spot a phishing email. Last year's vulnerabilities, not this week's nation-state threats, are what actually bite most small businesses.
Build a short quarterly checklist. The highest-value basics:
MFA on every account that supports it — email, banking, cloud storage, payroll
A complete list of every device and service on your business network
Automated, offsite backups — tested every 4–6 months to confirm they actually restore
Software updates on a schedule, not "when someone remembers"
A password manager enforcing strong, unique passwords
Minimal internet-exposed services — if a login portal doesn't need to be public, don't make it public (or at least put it behind MFA, IP allow‑listing, or a VPN)
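On the backups item: "tested" means restored somewhere and compared against the original, not just "the backup job said OK". Here is an added example of that comparison (editor's code, not from the newsletter or from any backup vendor). It builds a small constructed set of files, archives them, restores into a fresh directory, checks every file's SHA-256 against the source, and then shows what the check reports when a restored file comes back damaged. The tar archive and the file names are assumptions for the demo; the hash-compare step is the part to keep whatever backup tool you actually use.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root):
    """Map each file under root (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src, archive):
    """Stand-in for your real backup job: a gzip tarball of everything under src."""
    with tarfile.open(str(archive), "w:gz") as tar:
        for child in Path(src).iterdir():
            tar.add(str(child), arcname=child.name)


def restore_backup(archive, dest):
    """Restore into dest. The 'data' filter refuses absolute paths and path traversal
    (Python 3.12+, backported to some older patch releases); fall back where unavailable."""
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(str(dest), filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(str(dest))


def verify_restore(src, dest):
    """Return (ok, problems). Every source file must come back byte-identical, and
    nothing extra may appear."""
    expected, actual = file_hashes(src), file_hashes(dest)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content differs: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected extra file: {rel}")
    return (not problems, problems)


def run_sample():
    """Constructed demo: one clean restore, one where a file was silently damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, good, bad = tmp / "live", tmp / "restore_ok", tmp / "restore_bad"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2026-04.csv").write_text("id,amount\n1,100\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        archive = tmp / "backup.tar.gz"
        make_backup(src, archive)

        restore_backup(archive, good)
        clean = verify_restore(src, good)

        restore_backup(archive, bad)
        # Simulate a restore that "succeeded" but lost data (truncated file).
        (bad / "invoices" / "2026-04.csv").write_text("id,amount\n")
        damaged = verify_restore(src, bad)
        return clean, damaged


if __name__ == "__main__":
    for label, (ok, problems) in zip(("clean restore", "damaged restore"), run_sample()):
        print(f"{label}: {'OK' if ok else 'FAILED'} {problems}")
```

Run it as part of the quarterly checklist: back up, restore to a scratch directory, compare, and record the result. A restore test that was never compared against the source is only a test that the archive opens.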
Set up a simple alert system. You don't need to read every security blog. Pick one newsletter (hi, like this one 🙂 ). Subscribe to CISA's KEV feed. Ask your IT person to flag anything that touches your specific software stack.
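Here is what "flag anything that touches your specific software stack" looks like as a script, as an added example (editor's code, not a CISA tool and not from the original newsletter). It also covers the earlier "compare your current version to the vendor's latest release" step: keep an inventory of what you run, pull the KEV catalog, and list every entry that names a vendor and product on your list, sorted so that ransomware-linked flaws and past-due deadlines come first. The feed URL and the field names are CISA's real ones; the catalog entries embedded below are a constructed stand-in with deliberately invalid placeholder CVE IDs (CVE-0000-000x), and the inventory hosts and owners are made up.

```python
import json
from datetime import date

# Real location of CISA's KEV catalog as JSON. Pass it to load_kev() to run against live data.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed stand-in for the feed, using the real feed's field names.
# The cveID values are deliberately invalid placeholders, not real identifiers.
SAMPLE_KEV = json.dumps({
    "catalogVersion": "example",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "PaperCut", "product": "NG/MF",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Zimbra", "product": "Collaboration Suite",
         "dateAdded": "2026-04-22", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Widget Server",
         "dateAdded": "2026-04-22", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: what you run and who owns patching it. The script is only
# as good as this list, which is why "a complete list of every device and service" is on the checklist.
SAMPLE_INVENTORY = [
    {"vendor": "PaperCut", "product": "PaperCut MF", "host": "print01", "owner": "MSP"},
    {"vendor": "Zimbra", "product": "Zimbra Collaboration Suite", "host": "mail01", "owner": "MSP"},
    {"vendor": "Microsoft", "product": "Windows Server 2022", "host": "dc01", "owner": "MSP"},
]


def load_kev(source=None):
    """Return the catalog's vulnerability list from the embedded sample, a URL, or a local file."""
    if source is None:
        return json.loads(SAMPLE_KEV)["vulnerabilities"]
    if source.startswith("http"):
        import urllib.request
        with urllib.request.urlopen(source, timeout=30) as resp:
            return json.load(resp)["vulnerabilities"]
    with open(source, encoding="utf-8") as fh:
        return json.load(fh)["vulnerabilities"]


def _words(text):
    """Lower-case word set; '/' splits so a product like 'NG/MF' matches 'PaperCut MF'."""
    return set(text.lower().replace("/", " ").split())


def matches(entry, asset):
    """Loose vendor + product match. Deliberately generous: a false alarm costs a minute,
    a miss costs a breach, so a human reviews the output rather than the script deciding."""
    vendor_ok = _words(entry["vendorProject"]) & _words(asset["vendor"])
    product_ok = _words(entry["product"]) & _words(asset["product"])
    return bool(vendor_ok and product_ok)


def triage(kev, inventory, today):
    """One finding per (KEV entry, matching asset), most urgent first."""
    findings = []
    for entry in kev:
        for asset in inventory:
            if matches(entry, asset):
                due = date.fromisoformat(entry["dueDate"])
                findings.append({
                    "cve": entry["cveID"],
                    "host": asset["host"],
                    "owner": asset["owner"],
                    "product": asset["product"],
                    "days_to_due": (due - today).days,  # negative: the federal deadline already passed
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                })
    # Ransomware-linked entries first, then by how close (or how far past) the deadline is.
    findings.sort(key=lambda f: (not f["ransomware"], f["days_to_due"]))
    return findings


def run_sample():
    """Offline run over the embedded sample; 'today' is fixed to this issue's date."""
    return triage(load_kev(), SAMPLE_INVENTORY, date(2026, 4, 24))


if __name__ == "__main__":
    for f in run_sample():
        flag = "RANSOMWARE" if f["ransomware"] else ""
        print(f"{f['cve']:<14} {f['host']:<8} {f['product']:<28} due in {f['days_to_due']:>3} days  {flag}")
```

To run it for real, call load_kev(KEV_URL) instead of load_kev(), keep the inventory's vendor and product wording close to how CISA names them, and treat the output as a to-do list for whoever owns each host, not as a verdict. The same pattern (a known-bad list matched against what you actually run) is how you would check a lockfile against a list of compromised npm packages.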
Outsource what you can't reasonably own. A reputable MSP handling patching, backups, and monitoring is often less expensive than a breach — and far less expensive than the downtime that follows one. Vet them carefully.
The honest answer: You won't catch every threat. Nobody does. The goal isn't perfection — it's about making your business a harder target than average. Attackers targeting small businesses are largely opportunistic. They go where the doors are unlocked. Your job is to keep your doors locked.
RISK RADAR
Also happening this week
Beware “Apple” emails about unexpected purchases
BleepingComputer warned that scammers are embedding callback phishing messages in legitimate Apple account change notifications. The email claims you purchased an expensive iPhone via PayPal and urges you to call a phone number to cancel. Because the message really is sent from Apple’s own servers, it passes your mail filter's sender checks and looks authentic. Once you call, scammers try to convince you your account was compromised and may ask for remote access or payment details.
Fix: Treat any unsolicited purchase notification with skepticism, especially if it includes a phone number. Never call numbers in email alerts; instead, log in directly to your Apple account or payment provider through a trusted link to verify.
Teams help‑desk imposters. Cyber‑criminals are using external Teams chats to impersonate IT support and request remote access; once in, they use legitimate tools like Quick Assist and Rclone to move laterally and steal data. Because the message arrives inside a trusted collaboration tool, employees at small businesses tend to take it at face value.
Fix: Teach employees that IT support will not cold-message them asking for remote access, and that any such request gets verified through a channel they already know (the help desk number on file, not a number in the chat). In the Teams admin center, restrict or disable chat with external (cross‑tenant) users unless you genuinely need it.
Bluesky gets taken down for 24 hours
On April 15, Bluesky — the social network with over 43 million users — went down for roughly 24 hours after a DDoS (Distributed Denial-of-Service) attack. A pro-Iran group called the 313 Team claimed responsibility. No user data was accessed — a DDoS is about taking a service offline, not breaking into it.
Fix: Ask your hosting provider whether DDoS protection is included. Cloudflare offers a free tier for basic mitigation on small sites.
npm supply‑chain worm steals developer secrets. A self‑propagating attack compromised Namastex Labs npm packages and republished them with code that steals tokens and API keys. The malware spreads by infecting packages that in turn infect other projects that depend on them. Developers who install the poisoned versions risk having their credentials exfiltrated.
Fix: Audit your npm dependencies and remove compromised packages. npm audit reports known‑vulnerable versions, but only once an advisory has been published, so also check your lockfile for the affected packages directly. Rotate any tokens and API keys that were present on machines or CI runners where those packages were installed.
Android NGate malware hides in HandyPay. Researchers uncovered a HandyPay‑branded app that hides the NGate Android malware, which steals NFC payment card details and PINs. Employees who sideload apps or install from unofficial sites can compromise their devices and business payment cards.
Fix: Require staff to download apps only from official stores, disable NFC if unused and avoid granting unknown apps default payment status.
You don’t need to act on these unless they apply to you.
ON THE PERSONAL SIDE
This week has been full of inspiration
I spent time at Raleigh Durham Startup Week, soaking up talks from local founders and national speakers and working from bustling coworking spaces filled with creative small‑business owners. (Get signed up so you don’t miss it next year.) There’s nothing like watching entrepreneurs turn ideas into reality to energize you. Everything I went to was about AI, and the speed at which AI capabilities are developing is blinding. (Want to learn about agentic AI? Sara and Tyler gave an incredible transparent talk. They teach this stuff. No affiliation, just appreciation.)
I also attended the monthly National Association of Women Business Owners (NAWBO) meeting where author, speaker, and podcast host Tara Gooch gave a fantastic talk. Right after, I zoomed halfway across the state to receive a regional visibility award for Security Done Easy from the Carolinas LGBT Chamber of Commerce (CLGBTCC) at their annual gala. Being recognized alongside so many committed community advocates was humbling and energizing.
Before you go
That’s all for this week! Remember, staying secure doesn’t have to be overwhelming – small, consistent actions like patching, double‑checking unusual emails, and training your team go a long way. Feel free to reply with your own questions or success stories, and if you find this helpful, forward it to a friend or fellow entrepreneur.
My weekly question to you: What's one thing you've done in the last 90 days to make your business harder to attack — even something small? Reply and let me know.
You’re subscribed to Phish & Tell™️ because your business is worth protecting.
🩷
