PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.
This week’s theme is the login that looks normal.
Not the messy phishing email with spelling mistakes. Not the weird attachment from a stranger. The more effective scams now send you to real Microsoft pages, real Google review tools, real login flows, and familiar business systems.
That is why the fix is not just “look for something fake.” Sometimes the page is real, but the request is fake.
Let’s make this practical. 👇
THIS WEEK’S 10-MINUTE WIN
Teach yourself and your team not to enter Microsoft device codes from email
If you…
Use Microsoft 365.
Should you care?
✅ YES – urgently – You use Microsoft 365 for email, calendar, OneDrive, SharePoint, Teams, or business files.
🤷‍♀️ MAYBE – worth checking – You use Microsoft for personal accounts, client portals, or shared documents, even if your main email is elsewhere.
❌ NO – low priority (for now) – You do not use Microsoft accounts at all.
What’s happening (plain English)?
Device-code login is a real Microsoft feature. It is normally used when a device cannot easily use a regular browser sign-in, such as a TV app or command-line tool.
In this scam, the attacker starts the login on their side and gets a code. Then they send you to a legitimate Microsoft page and ask you to enter that code. If you complete the sign-in and approve MFA, you are authorizing the session the attacker started, and the attacker's software, which has been waiting on Microsoft for the result while you typed, receives the access token for your account.
That is what makes this so dangerous. The page can be real. The Microsoft branding can be real. MFA can still happen. The problem is that the code came from the attacker, and Microsoft has no way to tell that you did not ask for it.
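For readers who want to see why the real page cannot protect you here, the following is an added simulation written for this issue (not Microsoft's code, and it makes no network calls) of the standard OAuth 2.0 device authorization flow that Microsoft's device-code login implements. The server class, the client names, the "finance@example.test" victim and the 15-minute code lifetime are assumptions for the simulation; the microsoft.com/devicelogin address appears only as a label. It shows the token being handed to the client that requested the code, even though it was the victim who signed in and approved MFA.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628).

Added example for this newsletter issue; not Microsoft's code, no network calls.
It models the three steps the scam abuses: the client that starts the flow gets
the code pair, a human enters the short code at the genuine verification page,
and the token goes to whoever holds the matching device_code, not to the typist.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

VERIFICATION_URI = "https://microsoft.com/devicelogin"  # the real page, used here only as a label
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_TTL_SECONDS = 15 * 60  # assumption for this simulation: codes expire after 15 minutes


@dataclass
class PendingRequest:
    client_id: str                     # the client that started the flow and holds the device_code
    user_code: str
    created: float
    approved_by: Optional[str] = None  # set once a user completes sign-in and MFA


class DeviceAuthServer:
    """Stand-in for the identity provider. The clock is injectable so expiry can be exercised."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._by_device_code: Dict[str, PendingRequest] = {}
        self._by_user_code: Dict[str, PendingRequest] = {}

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: the client (attacker or legitimate app) requests a code pair. No user involved yet."""
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        device_code = secrets.token_urlsafe(32)
        req = PendingRequest(client_id, user_code, self.clock())
        self._by_device_code[device_code] = req
        self._by_user_code[user_code] = req
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_TTL_SECONDS, "interval": 5}

    def user_enters_code(self, user_code: str, user: str, mfa_passed: bool) -> str:
        """Step 2: whoever types the code at the genuine page signs in and approves MFA.
        The server cannot tell that the code was pasted from a phishing email."""
        req = self._by_user_code.get(user_code)
        if req is None or self.clock() - req.created > CODE_TTL_SECONDS:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_failed"
        req.approved_by = user  # consent is recorded against the request, not the typist's device
        return "approved"

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the original client polls. Tokens are issued to the device_code holder only."""
        req = self._by_device_code.get(device_code)
        if req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock() - req.created > CODE_TTL_SECONDS:
            return {"error": "expired_token"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(24),
                "sub": req.approved_by, "issued_to_client": client_id}


def phishing_scenario(victim: str = "finance@example.test") -> dict:
    """Attacker starts the flow, lures the victim into entering the code, then polls."""
    idp = DeviceAuthServer()
    attacker = "attacker-laptop"
    grant = idp.device_authorization(attacker)          # attacker now holds both codes
    before = idp.token(grant["device_code"], attacker)  # nothing yet: the victim has not acted
    # Constructed lure: "Open https://microsoft.com/devicelogin and enter <user_code>
    # to view the shared invoice." The page is real; the code is the attacker's.
    outcome = idp.user_enters_code(grant["user_code"], victim, mfa_passed=True)
    after = idp.token(grant["device_code"], attacker)   # victim's token, on the attacker's machine
    return {"before_victim_acts": before, "victim_sees": outcome, "attacker_gets": after}


def expired_code_scenario() -> str:
    """A code entered after its lifetime is refused, which is why lures push urgency."""
    now = [1_000_000.0]
    idp = DeviceAuthServer(clock=lambda: now[0])
    grant = idp.device_authorization("attacker-laptop")
    now[0] += CODE_TTL_SECONDS + 1                      # the victim waited too long
    return idp.user_enters_code(grant["user_code"], "finance@example.test", mfa_passed=True)


if __name__ == "__main__":
    result = phishing_scenario()
    print("attacker poll before victim acts:", result["before_victim_acts"])
    print("victim's screen says:", result["victim_sees"])
    print("attacker receives a token for:", result["attacker_gets"]["sub"])
    print("late code:", expired_code_scenario())
```

Run it as-is: the first poll returns authorization_pending, the victim's screen says "approved", and the token that follows carries the victim's identity but is delivered to "attacker-laptop". Nothing in the victim's browser ever receives a session, which is why "I signed in on the real site" is not evidence that you signed in your own device.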
Do this now
Never enter a Microsoft device code that came from an email, invoice, text, chat message, or unexpected web page.
If a login flow asks you to enter a code at microsoft.com/devicelogin, stop and ask why. The only code you should ever type there is one you just watched appear on a device or app you are signing in yourself.
If your business does not need device-code login, ask your Microsoft 365 admin or IT provider to block it. In Microsoft Entra this can be done with a Conditional Access policy that targets the device code authentication flow, scoped so that only the accounts that genuinely need it are still allowed.
Review risky sign-ins and unusual OAuth activity in Microsoft Entra if you have admin access. The sign-in logs record which authentication protocol was used, so sign-ins that went through device code can be filtered out and checked against the user, the location, and the app the token was issued to.
Require admin approval for third-party app consent where possible.
If someone already entered a suspicious device code, act from a clean admin account: revoke the user's sessions and refresh tokens, reset the password, check and re-register their MFA methods, and remove any app consents or inbox rules added during the session. A password reset on its own does not end a session that already holds a token.
This is one of those cases where “the page was real” does not mean “the request was safe.”
AI REALITY CHECK
Attackers are using AI to move faster, not just sound better
Google Threat Intelligence reported that adversaries are using AI across vulnerability exploitation, malware development, and social engineering. The report describes attackers using AI to assist with exploit development, generate or modify malware, and improve operational scale.
For small business owners, the important point is not that attackers have magic AI. They do not. The point is that AI helps them produce more believable messages, test more versions, translate better, research targets faster, and package attacks in ways that look more polished.
That changes what “suspicious” looks like.
Why it matters
Old phishing training often told people to look for bad grammar, strange wording, or obviously fake logos. That still helps sometimes, but it is not enough.
An AI-assisted scam can sound professional. It can reference your industry. It can mimic a vendor’s tone. It can write a cleaner invoice email than a real human scammer would.
The safest habit is to verify the request, not the writing quality.
Do this now
Replace “look for typos” training with “verify unusual requests.”
Require a callback for payment changes, payroll changes, bank-detail updates, gift-card requests, and urgent file requests.
Use a known number from your records, not the number in the message.
Teach staff that polished language is not proof of legitimacy.
Keep one place where employees can forward suspicious messages for review.
AI is making scams smoother. Your process needs to be stronger than the story.
READER QUESTION OF THE WEEK
How can I tell if customer data was stolen during a cyber attack?
Start with this: you may not be able to tell from the first alert.
A hacked account, strange login, ransomware note, or suspicious admin activity tells you someone may have gotten in. It does not automatically prove customer data was stolen. But it does mean you need to slow down, preserve evidence, and look for signs of data access or data movement.
The worst move is to wipe everything immediately just to make the problem disappear. That can destroy the clues you need.
What to check first
Look for signs that data may have been viewed, copied, exported, or moved:
Unusual logins, especially from unfamiliar locations, devices, or times.
New admin users or permission changes you did not make.
Large file downloads or exports from cloud storage, CRM, accounting, email, or customer systems.
Forwarding rules added to email accounts.
Ransom notes that claim files were stolen before encryption.
Unexpected API keys, connected apps, or OAuth permissions.
Deleted logs, disabled alerts, or missing files.
Customer data appearing in a place it should not be.
If you use Microsoft 365, Google Workspace, Shopify, Stripe, QuickBooks, WordPress, or a CRM, check the audit logs and recent activity pages first, and export them while you are there, since retention on some plans is short. If you have an IT provider, ask them to preserve logs before they start cleanup.
What to do next
Disconnect affected devices from the internet, but do not wipe them yet.
Change passwords from a clean device, starting with email, admin, banking, accounting, and cloud storage.
Revoke suspicious sessions and connected apps.
Preserve screenshots, logs, ransom notes, suspicious emails, and timestamps.
Contact your cyber insurance provider if you have coverage.
Bring in qualified incident response or forensic help if customer data, payment data, health data, employee data, or regulated information may be involved.
When to notify customers
Do not guess in either direction.
You do not want to tell customers their data was stolen if you have no evidence. You also do not want to sit on a real exposure because you are hoping it was “just a login.”
The practical middle ground is:
Find out what systems were accessed.
Identify what data lived in those systems.
Determine whether there is evidence of viewing, export, download, forwarding, or copying.
Check your legal, contractual, insurance, and regulatory notification obligations.
Prepare a plain-English customer notice if notification is required.
If you are not sure, get help before making a public statement.
Bottom line: the question is not only “did someone get in?” The better question is “what could they reach, and is there evidence they took it?”
RISK RADAR
Also happening this week
QR-code phishing keeps growing
Microsoft reported that QR-code phishing increased 146% during the first quarter of 2026, rising from 7.6 million attacks in January to 18.7 million in March. Microsoft also said QR codes embedded directly in email bodies surged in March, which helps attackers avoid some link-scanning defenses.
Fix: Treat QR codes in emails like links. If a message says to scan a code for a payment, document, password reset, or account notice, go to the known website directly instead. Remember that scanning moves the click to your phone, which usually sits outside the email filtering and web protection on your work computer.
Business email compromise is still mostly conversation first
Microsoft reported about 10.7 million business email compromise attacks in Q1 2026 and noted that most initial messages were generic outreach, such as “Are you at your desk?”, rather than an immediate payment demand.
Fix: Train staff that the first harmless message may be the setup. Payment requests, payroll changes, and document requests still need a second-channel verification step.
Browser and extension hygiene matters for AI users
Microsoft previously reported malicious AI assistant browser extensions that harvested AI chat histories and browsing data, including activity across enterprise tenants. The issue is a reminder that browser extensions can see more than many users realize, especially when people use web-based AI tools for business work.
Fix: Open your browser extensions list and remove anything you do not recognize or actively use. Be extra strict with extensions that claim to add AI, meeting, writing, VPN, coupon, or productivity features.
Shared and hosted email still needs patch accountability
Recent Exim reporting highlighted how mail-server flaws can matter for businesses that use shared hosting, cPanel email, or self-hosted Linux email instead of Google Workspace or Microsoft 365.
Fix: If you use hosting-provider email, ask your host what email server software they run and how quickly they patch critical mail-server vulnerabilities. If you use Google Workspace or Microsoft 365, this particular issue is less likely to apply.
Review-bombing extortion now has a specific Google reporting path
PCMag reported that Google warned businesses about review-bombing extortion, where scammers flood a profile with negative reviews and demand payment to remove them. Google created a dedicated reporting process for these cases.
Fix: Bookmark Google’s Business Profile extortion guidance before you need it. If it happens, collect screenshots first and report through the official process.
Before you go
This week’s theme is simple: real-looking is not the same as safe.
A real Microsoft page can be used in a device-code scam. A polished AI-written message can still be fraud. A Google review threat can feel urgent and still be something you should report, not pay.
Pick one verification rule and make it visible this week. Device codes. QR codes. Payment changes. Review threats. Any one of those is a good place to start.
My weekly question to you: what security question or weird email made you pause this week?
Reply and tell me. I read every response.
~Alexia
P.S. If one of these checks raises a question, bring it to office hours, which are free and private on ro.am, Fridays at 1pm ET. Sometimes a quick 8-minute conversation is enough to figure out what matters and what can wait. Add office hours to your calendar and drop in when you have a question. (Some folks have asked whether ro.am drops you right in with me, face to face. No, don’t worry, you enter a lobby and I let you in. No surprises for either of us. 🙂)
You’re subscribed to Phish & Tell™ because your business is worth protecting.
🩷

