
PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.

This week’s theme is simple: if a website tells you to prove you are human by running commands on your computer, stop.

Most small-business security problems do not start with a movie-style hacker. They start with a normal work moment: logging into Microsoft 365, checking a browser popup, updating Chrome, opening a customer support ticket, or trying to get through a “security check.” The goal this week is to make those moments easier to spot before they become a mess.

THIS WEEK’S 10-MINUTE WIN
Real CAPTCHAs do not ask you to run commands

The FTC is warning about fake CAPTCHA pages that look like the usual “prove you are human” checks, but instead tell people to press keys such as “Windows + R,” “Ctrl + V,” and “Enter” (FTC Consumer Advice). That is not a verification step. It is a way to trick someone into pasting and running hidden malware on their own device (FTC Consumer Advice).

Should you care?

YES – urgently – You or your team use Windows computers for email, banking, invoices, customer files, payroll, or admin work.

🤷‍♀ MAYBE – worth checking – You mostly work on Macs, tablets, or phones, but your team sometimes uses shared Windows devices, remote desktops, or contractor computers.

NO – low priority (for now) – You have no Windows devices in the business and no one logs into business accounts from Windows machines.

What’s happening (plain English)?

Scammers are making fake CAPTCHA screens that look like routine security checks. Instead of asking you to pick traffic lights or type letters, the page tells you to open the Windows Run box, paste something, and press Enter (FTC Consumer Advice).

That pasted command can install malware. Once it is on the device, scammers may be able to steal email logins, mobile banking credentials, or other information they can reach from that computer (FTC Consumer Advice).

This scam works because it does not ask the victim to “download a virus.” It makes the victim feel like they are completing a normal security step.

Remember this:

Real CAPTCHA: solve a puzzle, click images, type characters, check a box.

Fake CAPTCHA: press keyboard shortcuts, open Run, paste commands, download a file, install an update, or “verify” by changing computer settings.

What to do now

If you have a team, let them know:

“If a website, popup, CAPTCHA, or support chat tells you to press Windows + R, paste a command, install a tool, or change computer settings to prove you are human, stop and ask for help.”

Then do three quick checks:

Browser updates: Open Chrome, Edge, or your main browser and make sure it is fully up to date.

Admin access: Make sure everyday users are not using administrator accounts for normal, daily work.

Reporting path: Tell people exactly who to text, call, or message immediately if they see a weird verification screen.
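If you want something more concrete than "open the browser and look," here is a short PowerShell self-check added to this issue as an example (it is not from the FTC or from any vendor). It covers the first two checks above on a single Windows PC: it reads the installed Chrome and Edge versions and lists who holds local administrator rights, plus the date of the last installed Windows update. The browser install paths and the list of accounts that are supposed to be administrators are assumptions; change them to match your own machines.

```powershell
# Added example for this issue, not the newsletter's or any vendor's code.
# Runs on Windows PowerShell 5.1 or later. Paths and the expected-admins list
# below are assumptions to adjust for your own machines.

# --- Check 1: browser updates ---------------------------------------------
# Read the installed version straight from the browser executable, then
# compare it with the version shown in the browser's own About page.
$browserPaths = @{
    'Chrome' = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    )
    'Edge'   = @(
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
    )
}
foreach ($name in $browserPaths.Keys) {
    $exe = $browserPaths[$name] | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($exe) {
        $ver = (Get-Item $exe).VersionInfo.ProductVersion
        Write-Output "$name installed version: $ver (compare with the About page; relaunch if it is waiting on an update)"
    } else {
        Write-Output "$name not found in the standard install locations"
    }
}

# --- Check 2: admin access ------------------------------------------------
# List the local Administrators group and warn about anything unexpected.
# Replace these two names with the accounts that are meant to have admin
# rights on this machine (assumed placeholder values).
$expectedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\ITAdmin")
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
Write-Output "Local Administrators: $($members -join ', ')"
$unexpected = $members | Where-Object { $expectedAdmins -notcontains $_ }
if ($unexpected) {
    Write-Warning "Admin rights on accounts not in the expected list: $($unexpected -join ', ')"
}

# Is the account running this script itself an administrator? Everyday work
# should happen from a standard account.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Warning "This session is running as an administrator. Use a standard account for daily work."
} else {
    Write-Output "This session is a standard (non-admin) user: good."
}

# --- Extra: last installed Windows update ---------------------------------
# Useful for the Patch Tuesday item later in this issue: a very old date here
# usually means updates are stuck or a restart never happened.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    Write-Output "Most recent Windows update: $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
} else {
    Write-Output "No installed update dates reported; check Windows Update manually."
}
```

Run it in a normal PowerShell window on each business laptop; it only reads information and changes nothing. The point of the warnings is the conversation they start: if the everyday login shows up as an administrator, that is the account a pasted "verification" command would run as.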

If someone already followed the fake CAPTCHA instructions, the FTC recommends disconnecting from the internet, running a security scan, changing passwords from a different device, enabling two-factor authentication, and reporting the scam at ReportFraud.ftc.gov (FTC Consumer Advice).

AI REALITY CHECK
AI can make false security claims look organized

OpenAI says it banned two clusters of ChatGPT accounts likely originating from China after they were used in apparent covert influence operations around U.S. AI and technology debates (OpenAI). One cluster was connected to likely inauthentic social accounts that claimed ChatGPT user data had been compromised, and OpenAI said those allegations were false (OpenAI).

For small businesses, the lesson is not political. The lesson is operational: AI can help bad information look polished, coordinated, and urgent.

That matters because “data breach” claims travel fast. A fake claim can make customers panic, cause employees to click fake “check your account” links, or push a business owner into posting before they verify.

What to do

Before sharing or acting on a security claim:

  • Check the company’s official status page, newsroom, or verified support channel.

  • Look for coverage from more than one credible source.

  • Do not click links in viral screenshots or reposted “breach checker” posts.

  • If the claim involves your own business, pause public posting until you know what happened, what systems are involved, and what you can honestly say.

The practical rule: urgency is not proof.

READER QUESTION OF THE WEEK
A Microsoft login window popped up inside a webpage. How do I know if it is real?

Short answer: treat it as suspicious until you confirm you are on the real site.

A new Browser-in-the-Browser phishing campaign is targeting Microsoft 365 users with fake login popups that mimic real browser authentication windows (Help Net Security). The fake window can look convincing because it can be dragged around the screen, has buttons that look like normal browser controls, and changes its appearance to match Windows, macOS, Linux, Chrome, Firefox, Edge, or Safari (Help Net Security).

Here is the quick test:

  1. Do not type your password into a login popup that appeared after clicking a link.

  2. Open a new browser tab yourself.

  3. Type the real address, such as microsoft365.com or office.com, instead of trusting the popup.

  4. If you are already signed in there, the popup was probably not needed.

  5. If you typed a password into a suspicious popup, change the password, sign out of all sessions, and check recent sign-ins.

For business owners, this is also a training issue. People have been told for years to “check the address bar,” but this attack puts a fake address bar inside the page. The safer habit is to leave the page and go directly to the service yourself.

RISK RADAR
Also happening this week

Microsoft’s very large June update

Microsoft’s June 2026 Patch Tuesday included fixes for over 200 flaws (BleepingComputer). For a small business, the plain-English takeaway is not to memorize the vulnerability list. It is to make sure Windows and Microsoft apps are actually installing updates and restarting when needed.

Fix: Confirm that laptops used for the business are set to update automatically, then schedule a restart window this week. Updates do not take effect without a restart.

Chrome needs a real restart

Google released a Chrome update fixing 74 vulnerabilities, including CVE-2026-11645, which Google says is being actively exploited in the wild (Malwarebytes). Malwarebytes notes that Chrome may lag behind if people never close the browser or if an extension interferes with the update, so restarting matters (Malwarebytes).

Fix: Open Chrome, go to Settings, About Chrome, let it update, and relaunch the browser.

Support tickets can leak more than people realize

ServiceNow warned customers about a security incident after a vulnerable unauthenticated API endpoint allowed data from customer instances to be queried (BleepingComputer). The concern is not just the platform name. Support and workflow systems often contain IT tickets, employee details, internal notes, asset information, incident reports, and sometimes credentials or tokens pasted during troubleshooting (BleepingComputer).

Fix: Do not paste passwords, API keys, backup codes, or private customer data into support tickets unless there is a secure process for it.

Patch the risky things first

CISA’s new BOD 26-04 tells federal agencies to prioritize vulnerabilities based on whether they affect public-facing assets, can be fully automated, allow system takeover, or are already being exploited in the real world (CyberScoop). It is not mandatory for private businesses, but the idea is useful: do not treat every update as equal when you are short on time.

Fix: Make your own “patch first” list: browsers, email, remote access, firewalls, VPNs, accounting systems, website admin tools, and anything exposed to the internet.

Browser extensions deserve a cleanup

A browser-security analysis tied to the 2026 Verizon Data Breach Investigations Report says the average enterprise had more than 15% of users with unauthorized AI extensions installed, and that risky extensions can look like ordinary productivity tools (BleepingComputer). Even if you are small, the point applies: extensions can see and interact with pages where you work.

Fix: Remove browser extensions you no longer use, especially AI, coupon, PDF, productivity, screenshot, and shopping extensions.

Before you go

This week, do not try to fix everything. Use (and teach) one rule:

If a security check asks you to run commands, paste code, install something, or change settings, stop.

That one pause can protect your email, banking, customer records, and business accounts from a very avoidable mistake.

My weekly question to you: What security question or weird email caught your attention this week?

Reply and tell me. I read every response.

~Alexia

P.S. If one of these checks raises a question, bring it to office hours — free and private, Fridays at 1pm ET. Sometimes a quick 8-minute conversation is enough to figure out what matters and what can wait. Add office hours to your calendar and drop in when you have a question. (Some folks have asked whether ro.am drops you right in with me, face to face. No, don’t worry, you enter a lobby on a web site (or app) called Ro.am, and I let you in. No surprises for either of us. 🙂)

P.P.S. Remember, if you are a small supplier or vendor and you are looking to qualify for bigger contracts, check out our sister newsletter, Quote and Qualify™️, at newsletter.brightleafreadiness.com.

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
