
PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.

This week’s theme is simple: verify the helper before you hand over the keyboard.

Most small businesses are used to getting help from outside people. A managed IT provider remotes in. A software vendor asks for a screen share. A copier technician needs five minutes at the front desk computer. A web developer asks for admin access.

That is normal. It is also exactly why fake support scams work. The fix is not to distrust everyone. The fix is to make sure your team knows how to confirm that the person asking for access is really the person you already agreed to work with.

Before we jump in, if you are a small supplier or vendor and you are looking to qualify for bigger contracts, check out our sister newsletter, Quote and Qualify, at newsletter.brightleafreadiness.com.

THIS WEEK’S 10-MINUTE WIN
Create a support-verification rule

If you…

Use technology (yes, pretty much anyone)…

Should you care?

YES – urgently – You let outside support providers, software vendors, web developers, copier technicians, point-of-sale support, accounting support, or IT providers access your computers or business accounts.

🤷‍♀ MAYBE – worth checking – You do not have regular IT support, but your team sometimes gets help through phone calls, screen shares, vendor portals, client portals, shared documents, or remote troubleshooting links.

NO – low priority (for now) – No one outside your business ever gets remote access, admin access, physical access, or USB access to a company device or account.

What’s happening (plain English)?

The scammer is not trying to “hack” in the movie sense. They are trying to sound helpful enough that an employee lets them in, so they can walk in instead of breaking in.

Do this now:

  • If someone calls and says they are IT support: hang up politely and call the support number you already have saved.

  • If someone emails a link to start a remote session: do not click it until the appointment is confirmed through a known channel.

  • If someone asks an employee to install a remote access tool: pause and get approval from the owner, manager, or named IT contact.

  • If someone shows up in person to “fix” a device: check the appointment, company name, and contact before they touch a computer.

  • If someone asks to plug in a USB drive: treat that as a stop sign unless it was planned and approved.

Put this sentence where your team can see it:

No one gets remote access, admin access, or physical access to a company computer unless we verify the request using a contact method we already trust.

That is it. You do not need a long policy to start. You need one clear rule that slows people down at the right moment.

AI REALITY CHECK
AI can recommend bad links too

Researchers reported a crime campaign where attackers used manipulated AI chatbot recommendations to push fake download pages for common utilities such as PDFgear (BleepingComputer).

That matters because people are starting to treat AI answers like search results with extra confidence. If an AI tool gives a download link, it can feel like the link has already been checked. It may not be.

For small teams, the rule is practical:

  • Download software from the official vendor website, your managed software portal, or your device’s official app store.

  • Do not install a tool just because an AI answer suggested it.

  • Be extra careful with ZIP files, “free utility” downloads, and lookalike domains.

  • Ask before installing remote access tools, device cleaners, PDF tools, drivers, browser helpers, or anything that needs admin permission.
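To make “lookalike domain” concrete, here is a small added example (not from this newsletter, from BleepingComputer, or from any vendor mentioned) showing how a download link can be checked against a short list of vendor domains you saved in advance, the same “contact method we already trust” idea applied to URLs. The domains vendor.example and tools.example are placeholders, and the sample links are constructed for the demonstration, not real campaign URLs.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of official vendor domains, saved ahead of time.
# Placeholders only; replace with the domains you actually buy software from.
TRUSTED_DOMAINS = {"vendor.example", "tools.example"}

# File types the newsletter says deserve extra scrutiny even from a good source.
REVIEW_EXTENSIONS = (".zip", ".rar", ".7z")


def hostname_of(url):
    """Lowercase hostname of a URL (userinfo and port stripped), or '' if none."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower().rstrip(".")


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or ends with '.' + a trusted domain.

    The trusted name must sit at the END of the hostname, so
    'vendor.example.evil.test' and 'vend0r.example' both fail.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_download_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason); verdict is 'ok', 'review' or 'block'."""
    parts = urlsplit(url.strip())
    host = hostname_of(url)
    if parts.scheme != "https":
        return "block", "link is not https"
    if not host:
        return "block", "link has no hostname"
    if not is_trusted_host(host, trusted):
        return "block", "host %r is not one of our saved vendor domains" % host
    if parts.path.lower().endswith(REVIEW_EXTENSIONS):
        return "review", "archive download from a trusted host; confirm with the vendor"
    return "ok", "trusted vendor host"


# Constructed sample links, labelled by the trick each one illustrates.
SAMPLE_LINKS = {
    "real vendor":          "https://vendor.example/download/setup.msi",
    "real vendor subdomain": "https://download.vendor.example/setup.exe",
    "real vendor, zip":     "https://vendor.example/files/pdf-tools.zip",
    "trusted name in front": "https://vendor.example.evil.test/setup.exe",
    "digit for letter":     "https://vend0r.example/setup.exe",
    "name before @":        "https://vendor.example@evil.test/setup.exe",
    "plain http":           "http://vendor.example/setup.exe",
}


def classify_samples():
    """Map each sample label to its verdict, for a quick table at the desk."""
    return {label: check_download_url(url)[0] for label, url in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print("%-24s %s" % (label, verdict))
```

The point of the “name before @” and “trusted name in front” rows is that the real vendor’s name can appear in a link without the link going to the vendor; the check only trusts what is at the end of the hostname, which is what the browser actually connects to.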

If you use AI at work, this is a good line to add to your internal guidance:

AI can help us find information, but it does not approve software for installation.

READER QUESTION OF THE WEEK
Someone says they are IT support. How do I know if they are real?

Short answer: do not try to decide from the call, email, or chat itself. Verify the request using a contact method you already trust.

Start with three checks:

  1. Was this expected? Did you open a support ticket, book an appointment, or ask for help?

  2. Is this the right channel? Call the known support number, use the vendor portal, or message the named contact you already work with.

  3. Is the request reasonable? Remote access, admin access, password reset help, USB use, and MFA prompts should all get extra scrutiny.

If the person is legitimate, they should not be offended by a verification step. A real support provider should want your team to confirm access before handing it over.

What to say:

Thanks. For security, we verify support requests before allowing access. I’m going to call our saved support contact or check the ticket first, then we can continue.

What not to do:

  • Do not read out passwords or one-time codes.

  • Do not approve a login prompt you did not start.

  • Do not install remote access software from a link in an unexpected message.

  • Do not let an unknown visitor plug in a drive or use a company computer.

If the person pressures you, that is useful information. Pressure is not proof of fraud, but it is a reason to slow down.

RISK RADAR
Also happening this week

Chrome needs a restart

Google released Chrome fixes for high-severity vulnerabilities, including critical bugs that Malwarebytes said could allow remote code execution after a user visits a malicious webpage (Malwarebytes).

Fix: Open Chrome, go to Settings, choose About Chrome, let it update, then restart the browser. Ask your team to do the same today.

Travel data can turn into better scams

Carnival Cruise Line confirmed a breach affecting nearly 6 million people, and the exposed information analyzed by Have I Been Pwned included names, dates of birth, email addresses, genders, geographic locations, and loyalty program details (BleepingComputer).

Fix: Be cautious with travel, cruise, rewards, refund, and loyalty-program emails that include real personal details. Real details do not make a message safe.

CRM and franchise data are attractive targets

7-Eleven disclosed a breach involving systems used to store franchisee documents, and Have I Been Pwned analyzed exposed data that included names, dates of birth, emails, phone numbers, and physical addresses (BleepingComputer).

Fix: If your business stores customer, franchisee, member, patient, or client records in a cloud system, review who has admin access and turn on multi-factor authentication for every admin account.

Before you go

This week’s small business security move is not complicated: make access a little harder to fake.

Write down your real support contacts. Tell your team how to verify them. Save the rule somewhere visible. Then make it normal to pause before remote access, admin access, USB access, or unexpected software installs.

You do not have to make your business impossible to fool overnight. You just have to remove the easy moments where someone helpful-sounding can walk right in.

My weekly question to you: What security question or weird email made you pause this week?

Reply and tell me. I read every response.

~Alexia

P.S. If one of these checks raises a question, bring it to office hours, free and private, Fridays at 1pm ET. Sometimes a quick 8-minute conversation is enough to figure out what matters and what can wait. Add office hours to your calendar and drop in when you have a question. (Some folks have asked whether ro.am drops you right in with me, face to face. No, don’t worry, you enter a lobby on a web site (or app) called Ro.am, and I let you in. No surprises for either of us. 🙂)

P.P.S. Remember, if you are a small supplier or vendor and you are looking to qualify for bigger contracts, check out our sister newsletter, Quote and Qualify, at newsletter.brightleafreadiness.com.

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
