PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.
This week’s theme is account recovery.
That sounds boring until the account in question is your Instagram page, Facebook page, Google Business Profile, LinkedIn account, booking platform, payment app, or email inbox.
For a lot of small businesses, those accounts are not just “social media.” They are how customers find you, message you, book you, pay you, and decide whether you look legitimate. This week, we are making those accounts harder to lose.
Before we jump in, if you are a small supplier or vendor and you are looking to qualify for bigger contracts, check out our sister newsletter, Quote and Qualify™️, at newsletter.brightleafreadiness.com.
THIS WEEK’S 10-MINUTE WIN
Lock down your business-facing social accounts
KrebsOnSecurity reported that hackers circulated instructions on Telegram showing how to trick Meta’s AI support assistant during an account recovery flow, and Meta’s Andy Stone said the issue had been resolved and impacted accounts were being secured (KrebsOnSecurity).
What would you do if your social accounts were hijacked?
If you…
Use social media for your business
Should you care?
✅ YES – urgently – You use Instagram, Facebook, LinkedIn, TikTok, Google Business Profile, YouTube, WhatsApp, or another public account to get customers, take messages, show reviews, book appointments, or prove your business is real.
🤷♀ MAYBE – worth checking – You do not post often, but you still have old business pages, personal accounts that administer business pages, or social accounts connected to ads, shops, customer messages, or brand names.
❌ NO – low priority (for now) – You do not use public accounts for your business, and no customer, vendor, or employee would reasonably treat one of your social profiles as an official way to reach you.
What’s happening (plain English)?
Plain English version: this story is not just about Meta. It is about account recovery being a security door. If someone can convince a platform, chatbot, help desk, or reset flow that they are you, they may not need your password.
Here is the 10-minute fix.
| Account recovery check | What to do now |
|---|---|
| Multi-factor authentication | Turn it on for every business-facing account. Use a passkey or authenticator app when available. SMS codes are weaker (they can be intercepted or SIM-swapped) but still better than nothing. |
| Backup codes | Download or print backup codes and store them with the business owner or a trusted admin. |
| Recovery email and phone | Make sure they belong to the business, not a former employee, old contractor, or personal account you rarely check. |
| Page admins | Remove people who no longer need access, especially former employees, agencies, and old freelancers. |
| Login alerts | Turn on alerts for new devices, password resets, and account changes. |
| Account ownership note | Write down who owns each account, who has admin access, and where recovery codes are stored. |
| Spending limits and payment methods | Remove payment methods you are not actively using, or set spending limits, so a hijacker cannot run up charges on your account. |
One more important step: do not wait until an account is stolen to figure out who has the keys.
AI REALITY CHECK
AI support can become a new attack surface
The Meta story I just mentioned matters because the reported weakness involved an AI support assistant in an account recovery process, not a suspicious link or fake login page (KrebsOnSecurity).
KrebsOnSecurity reported that the attackers’ claimed method involved using a VPN near the target’s usual location, requesting a password reset, chatting with Meta’s AI support assistant, and getting the bot to link the account to a new email address (KrebsOnSecurity).
That does not mean AI support is bad. It means support flows are now part of your risk picture.
For small business owners, the practical lesson is:
Treat account recovery settings as seriously as passwords.
Turn on multi-factor authentication even if you think the account is not “important.”
Keep recovery emails and phone numbers current.
Save backup codes before you need them.
Do not let one person’s personal inbox become the only way to recover a business account.
KrebsOnSecurity noted that the hackers who released the video said the exploit failed against accounts with multi-factor authentication enabled, and the article said even SMS-based one-time codes likely would have blocked this specific exploit (KrebsOnSecurity).
If your business uses public platforms, do the boring recovery work now.
READER QUESTION OF THE WEEK
What should I do if my business Instagram or Facebook account gets taken over?
Short answer: act fast, but do not flail.
Start here:
Try the platform’s official recovery page from a browser you normally use.
Check your email for platform security messages about email, phone, password, or admin changes.
If you still have access from any device, change the password and remove unknown emails, phone numbers, devices, and admins.
Turn on multi-factor authentication immediately after regaining access.
Save screenshots of changed profile details, suspicious messages, ransom demands, or customer complaints.
Warn customers through another official channel if the account is posting scams or sending strange messages.
Do not pay someone who randomly messages you claiming they can recover the account. The FTC warned this week that scammers are pretending to be FTC employees who can recover money from a prior scam, and they may send a fake employee ID or badge to look credible (FTC).
The same logic applies here. Recovery help that comes from a random message is not trustworthy. Use the platform’s official help path, your password manager records, your known admin accounts, and your own trusted technical support.
RISK RADAR
Also happening this week
Android phones need the June security update
Google released June 2026 Android security patches for 124 vulnerabilities, including CVE-2025-48595, an Android Framework flaw under limited targeted exploitation that affects Android 14 or later and does not require user interaction (BleepingComputer).
Fix: Update Android devices used for business, especially phones that receive email, payment app alerts, authenticator prompts, banking texts, customer messages, or admin logins.
GitHub is not a password notebook
KrebsOnSecurity reported that a public GitHub repository named “Private-CISA” exposed CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs, and administrative credentials for three AWS GovCloud servers (KrebsOnSecurity).
Fix: If your business uses GitHub or any code repository, do not store passwords, API keys, .env files, cloud keys, exported logs, or backup files there. Turn on secret scanning and treat any exposed key as compromised.
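For readers who do keep code on GitHub, here is an added example of the kind of local check that complements the platform's secret scanning. It is not a GitHub feature, not code from the KrebsOnSecurity report, and not part of any tool mentioned in this newsletter. It flags files that should never be committed (.env, key files, logs, backups) and content that looks like a cloud key, a private key, a GitHub token, or a plaintext password, so the commit can be stopped before it reaches a public repository. The sample files are constructed for the demo; the AWS key ID in them is Amazon's published placeholder, not a real credential.

```python
"""Pre-commit style secret check (added example, not from the original page)."""
from __future__ import annotations

import re
import subprocess
import sys
from pathlib import Path

# File names and suffixes that should never be committed, whatever they contain.
BLOCKED_NAMES = {".env", "id_rsa", "credentials", "credentials.json", "terraform.tfstate"}
BLOCKED_SUFFIXES = {".pem", ".key", ".p12", ".pfx", ".log", ".bak"}

# Content rules: well-known key formats plus a generic password/token assignment.
# The generic rule will produce some false positives; for a check that only
# blocks a commit and asks a human to look, that is the right trade-off.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # No leading \b so DB_PASSWORD=... still matches (underscore is a word char).
    "generic_password": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[^\s'\"]{8,}"
    ),
}

Finding = tuple[str, str, int]  # (path, rule, line number; 0 = whole file)


def scan_content(path: str, text: str) -> list[Finding]:
    """Return one finding per blocked filename and per matching line."""
    findings: list[Finding] = []
    p = Path(path)
    if p.name in BLOCKED_NAMES or p.suffix in BLOCKED_SUFFIXES:
        findings.append((path, "blocked_filename", 0))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, rule, lineno))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: content} map (used for the demo and tests)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_content(path, text))
    return findings


def scan_staged(repo: Path) -> list[Finding]:
    """The pre-commit case: scan files staged for the next commit in `repo`."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        cwd=repo, capture_output=True, text=True, check=True,
    ).stdout
    files = {}
    for rel in out.split():
        full = repo / rel
        if full.is_file():
            files[rel] = full.read_text(errors="replace")
    return scan_files(files)


# Constructed sample repository contents for the demo. AKIAIOSFODNN7EXAMPLE is
# the placeholder access key ID used in AWS documentation.
SAMPLE_FILES = {
    "app/config.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "Summ3r-Hunt-2026!"\n',
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Run `make test` before opening a pull request.\n",
}

if __name__ == "__main__":
    # With a repo path argument, act as a pre-commit hook; otherwise run the demo.
    hits = scan_staged(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for path, rule, lineno in hits:
        where = f"{path}:{lineno}" if lineno else path
        print(f"BLOCK  {where}  ({rule})")
    sys.exit(1 if hits else 0)
```

To use it as a hook, save the file and call it from `.git/hooks/pre-commit` with the repository path; a non-zero exit blocks the commit. Anything it catches that was already pushed should be treated as leaked and rotated, not just deleted from the repository, since the history and any forks still contain it.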
Internet-exposed equipment is still getting found
CISA, the FBI, the NSA, the Department of Energy, and other partners warned that hackers are targeting internet-exposed automatic tank gauge systems used to monitor fuel and liquid storage tanks in sectors including energy, chemical, food and agriculture, and transportation (BleepingComputer).
Fix: If your business uses fuel, storage, building, camera, point-of-sale, access-control, or industrial equipment with remote access, ask who can reach it from the internet and whether default passwords were changed.
Doorbell cameras are privacy tools too
The Register reported that Ring is facing a class-action lawsuit over its Familiar Faces feature, which the suit alleges can collect facial-recognition data from people within a doorbell’s field of view without their knowledge or consent, while Ring says the feature is opt-in and not enabled by default (The Register).
Fix: Review smart doorbell and camera settings at your home and business. Turn off facial recognition features you do not need, and be clear with staff or household members about what is recording.
Your phone’s location can be more public than it feels
The Register reported that the Pentagon confirmed commercial geolocation data tied to U.S. troops had been exploited by foreign adversaries, and the article said the data came from commercial data brokers using smartphone advertising profiles (The Register).
Most small business owners are not operating in a war zone. But the lesson still travels: location data can leak through ordinary apps, advertising IDs, and privacy settings.
Fix: This week, do a quick privacy check:
Turn off location access for apps that do not need it.
Change location permissions from “always” to “while using” where possible.
Reset or limit your device’s advertising ID.
Avoid posting real-time travel, client-site, school, or home-location details publicly.
Check the same settings on phones used by staff, drivers, family members, or anyone who posts for the business.
Privacy is not only about hiding. It is about choosing who gets a map of your day.
Before you go
Pick the accounts people use to find or trust your business. Turn on multi-factor authentication. Check recovery emails and phone numbers. Save backup codes. Remove old admins.
Then write down where the recovery information lives.
It is much easier to protect a business account while you still control it than to recover one after someone else has convinced a platform that they are you.
My weekly question to you: What security question or weird email caught your attention this week?
Reply and tell me. I read every response.
~Alexia
P.S. If one of these checks raises a question, bring it to office hours, free and private (using Ro.am), Fridays at 1pm ET. Sometimes a quick 8-minute conversation is enough to figure out what matters and what can wait. Add office hours to your calendar and drop in when you have a question. (Some folks have asked whether ro.am drops you right in with me, face to face. No, don’t worry, you enter a lobby on a web site (or app) called Ro.am, and I let you in. No surprises for either of us. 🙂)
P.P.S. Remember, if you are a small supplier or vendor and you are looking to qualify for bigger contracts, check out our sister newsletter, Quote and Qualify™️, at newsletter.brightleafreadiness.com.
You’re subscribed to Phish & Tell™️ because your business is worth protecting.
🩷