These 3 cybersecurity threats may not be the most sophisticated, but they're the most effective—and serious—threats for small businesses.

In an online world filled with extraordinarily sophisticated cyberattacks—including organized assaults on software supply chains, state-directed exploitations of undiscovered vulnerabilities, and the novel and malicious use of artificial intelligence (AI)—small businesses are forced to prioritize a different type of cyberattack: The type that gets through.

Without robust IT budgets or fully staffed cybersecurity departments, small businesses often rely on their own small stable of workers (including sole proprietors with effectively zero employees) to stay safe online. That means that what worries these businesses most in cybersecurity is what is most likely to work against them.

Here are the three biggest cybersecurity threats to small businesses right now. They may sound basic or even crude, but they are the biggest threats precisely because they are so effective.

**1\. Phishing**

In phishing scams, cybercriminals trick people and businesses into handing over sensitive information like credit card numbers or login details for vital online accounts.

Cybercriminals do this by sending messages—like emails and texts—disguised as legitimate communications from major businesses (think Slack, Uber, FedEx, and Google). These messages frequently warn recipients about a problem with their accounts, like a password that needs to be updated, a policy change that requires a login, or a delayed package that has to be approved.

But when victims follow the links within these malicious messages, they are brought to a website that, while appearing genuine, is completely controlled by cybercriminals. Lured in by similar color schemes, company logos, and familiar layouts, victims “log in” to their account by entering their username and password. In reality, those usernames and passwords are delivered directly to cybercriminals on the other side of the website.

In phishing attacks, there never is a genuine problem with a user’s account, and there never is a real request for information from the company. Instead, the entire back-and-forth is a charade.

As devastating as this is, the more complex threat of phishing lies in its adaptability. Whereas early phishing scams arrived almost entirely through emails, modern phishing scams can reach victims through malicious websites, text messages, social media, and even mobile app downloads.

In 2024, Malwarebytes found more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Disguised as apps such as TikTok, Spotify, and WhatsApp, these Android apps can trick victims into handing over their associated usernames and passwords when asking them to login.

Understandably, some small business owners might discount the threat of losing their login credentials to consumer tools like Spotify and TikTok. But here, the threat of phishing is compounded by another enormous problem in cybersecurity, which is that too many individuals and businesses reuse passwords across multiple accounts. That means that email login credentials that were successfully stolen in a phishing scam could also provide access to a small business’s financial accounts, payroll services, and even tax info.

Further, if a hacker were to use their wrongful access to steal customer data, then a small business might also have to front the cost for sending out data breach notifications, per their state’s regulations.

**How to protect your business:**

*   Use unique, strong passwords for each online account and store and create these passwords using a password manager
*   Enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords
*   Do not click on links from unknown senders
*   If you’re asked for login information through an email or online message, do _not_ input your login info in the email or through whatever link you’re directed towards. Instead, navigate to the site directly.

Social media is not just a vital tool for promoting many small businesses, it can often be the entire business itself.

YouTube video creators, Twitch streamers, and lifestyle influencers on TikTok and Instagram are effectively small business owners. They make a product and they earn revenue just like many online businesses—through ads and sponsored partnership deals.

If any of these social media business owners lost their login credentials through a phishing scam or data breach, they could potentially lose access to their entire operation.

In 2023, famous YouTube tech personality Linus Sebastian suffered a hack of three different YouTube channels associated with his company, Linus Media Group. The hackers hijacked the channels to spread cryptocurrency scams, while deleting some of the group’s old videos in the process. The attack was largely reminiscent of a 2022 YouTube account hack that repurposed a 2018 interview with Apple CEO Tim Cook to fool viewers into following a separate cryptocurrency scam.

Both incidents reveal the real threat to small businesses everywhere.

Social media account hacks are not only a risk to content creators—they’re a risk to any business with a legitimate online audience. Once scammers have control of any business’s social media account, they can send fraudulent messages to people on the business’s behalf and promote online scams that could tarnish the business’s reputation for years to come. Hackers could even swipe sensitive information before access is restored.

While social media hacks are often the byproduct of successful phishing attacks, cybercriminals can also gain wrongful access to a social media account through separate data breaches.

Hackers frequently buy usernames and passwords on the dark web from prior data breaches. They then use those login credentials on a variety of online accounts that belong to the same owner—entering the username and password for, say, a breached LinkedIn account into the username and password fields for QuickBooks, Shopify, and Hubspot. When people and businesses reuse passwords across accounts, hackers find an easy way in.

**How to protect your business:**

*   Use unique, strong passwords for each account and store and create these passwords using a password manager
*   Enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords
*   Avoid phishing attacks by refusing to click on links from unknown senders
*   Do not download any attachments from unknown senders or from unexpected emails. These attachments could contain malware that steals passwords, data, and multifactor authentication codes.

**3\. Ransomware**

Ransomware is more than a cyberthreat—it is an existential one, threatening to lock down computer systems, remove vital data, and waste potentially hundreds of thousands of dollars in recovery.

But because most ransomware news coverage focuses on major, multibillion dollar corporations that get hit with disruptive attacks, many boutique businesses might assume that ransomware gangs would never bother with a small outfit like theirs.

In reality, ransomware gangs do not care about the size, budget, or resources of their victims, because ransomware itself has become increasingly easy to scale and deploy.

Modern gangs operate on a “Ransomware-as-a-Service” model, where ransomware developers lease out their malicious software to “affiliates” who, if successful in launching an attack, return a small portion of their ill-gotten gains back to the ransomware developers at the top. LockBit, which was once the most active ransomware gang in history, had at least 194 affiliates doing its dirty work.

While LockBit most frequently attacked large conglomerates and governments, another Ransomware-as-a-Service group called Phobos was more than happy to prey on smaller organizations.

In 2024, when the US Department of Justice charged a Russian national named Evgenii Ptitsyn for his alleged involvement into running Phobos, its indictment revealed that one of the ransomware gang’s affiliates allegedly extorted a Maryland-based healthcare provider out of just $2,300. Other victims cited in the indictment included a marketing and data analytics firm in Arizona, a Connecticut public school system, and an automotive company out of Ohio.

According to data analyzed by Malwarebytes’ business unit ThreatDown, these smaller victims were the bread and butter of Phobos. Unlike other ransomware gangs that demanded up to $1 million or more from each victim in 2023, Phobos operators demanded an average of $1,719 from victims, with a median demand of just $300.

**How to protect your business:**

*   **Block common forms of entry.** Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
*   **Prevent intrusions and stop malicious encryption.** Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 The 3 biggest cybersecurity threats to small businesses 

Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an "influence-as-a-service" operation to engage with authentic accounts across Facebook and X.
The sophisticated activity, branded as financially-motivated, is said to have used its AI tool to orchestrate 100 distinct persons on the two social media platforms, creating a

Claude AI Exploited to Operate 100+ Fake Political Personas in Global Influence Campaign

Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google's security team this week.

Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google’s security team this week. While most attacks do still target personal technology like smartphones and browsers, the focus is moving increasingly to enterprise tech.

Zero-day vulnerabilities are those that are exploited before vendors have a chance to patch them – and often before they even know about them. Attackers using these flaws to compromise systems are still primarily espionage groups, says the Google Threat Intelligence Group in its annual analysis of zero-day exploits.

Government-backed groups and customers of commercial surveillance vendors (that’s sanitized corporate-speak for spyware) were responsible for over half the attacks that the researchers were able to attribute. Spyware continues to be a much bigger factor in zero-day exploits today than it was before 2023.

The Chinese government exploited five zero-day flaws that Google knows of, while for the first time North Korea equaled that number. Spyware customers used eight zero-day exploits.

But state and private espionage-focused attackers aren’t the only ones using zero-days. Google also sees crime groups using them to come after your data. However, as it points out, some of these groups involved in cybercrime also maintain strong links to the Russian government.

While the number of zero-day exploits that Google identified dipped to 75 from last year’s 98, the trend is still moving slowly upward, the company says. In 2022, it found 63 zero-day exploits, and the year before that it was 95, but 2019 and 2020 both showed just 31 zero-day exploits each.

Vendors are also doing better at protecting at least some of their products, found the research. Google said attackers are having less success targeting browsers and mobile operating systems. Attackers traditionally use these technologies to get at consumer users.

Perhaps that increased protection is one reason behind another key fact: The proportion of zero-day exploits targeting end-user technologies was lower this year at 56% than those targeting enterprise tech. That’s a consistently falling number; 90.32% of zero-day exploits targeted end-user tech in 2019, followed by 70.97%, 74.74%, 63.49%, and 63.27% respectively through 2023.

In particular, exploitation of browsers and mobile devices was far lower this year than last. Browsers saw a third fewer zero-day exploits than last year, with most targeting Chrome due to its popularity, while mobile device zero-day attacks halved.

This doesn’t mean attackers won’t continue trying their best to infiltrate end-user products. “Phones and browsers will almost certainly remain popular targets, although enterprise software and appliances will likely see a continued rise in zero-day exploitation,” Google said.

When spyware attackers do target mobile devices, they will chain together multiple vulnerabilities in complex attacks on mobile devices to get around mobile vendors’ security practices.

As Google points out, it’s difficult to separate attacks against enterprise and end-user technology because enterprises often use these technologies too. Nevertheless, it has seen a 9% rise in zero-day attacks using purely enterprise tech, namely security and network products. They comprised 60% of all zero-day attacks on enterprise technologies, the company said.

What does all this mean for you? Just keep on doing what you already should be, applying basic cyber hygiene when using your devices. Admittedly, keeping your system up to date won’t help against a zero-day, but patching quickly could stop attacks reaching you if vendors see them and issue updates in time. In addition, some technologies use heuristics to try and stop software they haven’t seen before which look suspicious. And of course, avoiding opening links and files that you’re not sure about can stop zero-day exploits hitting your device in the first place.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Zero-day attacks on browsers and smartphones drop, says Google 

For years, North Korea has been secretly placing young IT workers inside Western companies. With AI, their schemes are now more devious—and effective—than ever.

North Korea Stole Your Job

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.…

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign. Learn about the GRU-linked attacks, tactics, and previous incidents like the TV5Monde hack.

France has accused the Russian state-backed hacking group APT28, linked to Russia’s military intelligence agency GRU (Russian General Staff Main Intelligence Directorate), of targeting or compromising a dozen French government and other organizations.

Active since at least 2004 under names like BlueDelta, Fancy Bear, Forest Blizzard, Sednit, and Sofacy; APT28 typically targets government, military, energy, and media in Europe and the US.

Now, a report by the French cybersecurity agency ANSSI has attributed recent attacks on French local government, administration, defence, aerospace, research, finance, and think-tank organizations to APT28.

APT28’s Targets in France since 2021 (Source: ANSSI)

These attacks, primarily aimed at governmental, diplomatic, and research entities in 2024, utilized phishing, vulnerability exploitation, and brute-force attacks for initial access, often relying on inexpensive, outsourced infrastructure.

This infrastructure, as per ANSSI’s report (PDF), includes rented servers, free hosting services, VPNs (Virtual Private Networks), and temporary email addresses. This approach provides flexibility and enhances their ability to remain undetected.  

ANSSI noted APT28’s targeting of Roundcube email servers to distribute the HeadLace backdoor, use of the OceanMap stealer, and phishing campaigns against UKR.NET and Yahoo users, employing compromised routers and other methods to conceal their infrastructure.

France’s Ministry for Europe and Foreign Affairs strongly condemned Russia’s use of APT28, highlighting past attacks on the 2024 Olympics, and attempted interference in the 2017 elections. They emphasized that such actions violate UN norms of responsible state behaviour in cyberspace and pledged to counter Russia’s malicious cyber activities.

“France condemns in the strongest terms the use by Russia’s military intelligence service of the APT28 attack group, at the origin of several cyber-attacks on French interests,” the French foreign ministry’s statement read.

****France Accused APT28 of Impersonating ISIS Hackers****

Hackread.com has been following the activities of APT28, with a previous report linking it to a 2015 cyberattack on TV5Monde. Initially, that attack was attributed to a group posing as ISIS/ISIL militants, known as “CyberCaliphate,” who claimed responsibility by posting pro-ISIS messages on the broadcaster’s social media and temporarily blacking out their global TV channel.

However, subsequent investigations revealed matching IP addresses and techniques used by APT28, leading French authorities and cybersecurity experts to suspect Russian government involvement.

A similar cyberattack targeted the BBC’s live transmission in April 2015. However, it remains unclear whether the British government linked the incident to APT28 or acknowledged its impersonation tactics.

Nevertheless, this pattern of targeted activity indicates APT28’s persistent threat to France and other nations. It also suggests efforts to gather strategic intelligence and influence public perception within French society.

From TV5Monde to Govt: France Blames Russia’s APT28 for Cyberattacks

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides itself, and even modifies core files like wp-cron.php for persistence. Stay protected.

Security researchers at Wordfence recently uncovered a tricky piece of malware targeting WordPress websites. This malicious software is designed to look like a genuine anti-malware plugin, often appearing in the file system with names such as ‘WP-antymalwary-bot.php’.

According to Wordfence Threat Intelligence Team’s technical blog post, this fake plugin contains several dangerous capabilities. Such as, it allows attackers to control an infected website, hide from the WordPress admin dashboard, and execute malicious code remotely. It also has a “pinging” function that sends information back to a C&C server, spreads into other directories, and injects harmful JavaScript, which is then used to display unwanted advertisements.

Further analysis revealed that the malware uses a check_plugin GET parameter for status checks and, more dangerously, an emergency_login GET parameter for immediate admin access by providing a password. It also uses the REST API for remote code execution via a POST request to execute_admin_command, enabling cache clearing or injecting PHP code into theme headers. The hide\_plugin\_from\_list function conceals it from the admin dashboard.

The malware often comes with a modified wp-cron.php file that can reactivate the plugin if removed, meaning even if the plugin file is deleted, the malicious code in wp-cron.php can reinstall it upon the next site visit, ensuring persistence.

An updated version reports to a C&C server (45.61.136.85) and differently handles code injection by fetching from a foreign ads.php file and injecting JavaScript into the header. It also stores ad server URLs, anticipating future use.

Initial infection likely occurs via wp-cron.php, possibly through compromised hosting or FTP credentials. The malware has been seen under names like WP-antymalwary-bot.php and addons.php.

According to the company’s blog post, the issue was discovered on January 22, 2025, during a website cleanup performed by a Wordfence security analyst after which a specific malware signature (a unique identifier for the malicious code) was released.

Since then, many new versions of this malware have emerged, but Wordfence confirms that their original signature from January is still effective at detecting them. To provide an extra layer of security, a firewall rule (a set of instructions to block malicious activity) was released on April 23, 2025, for Wordfence Premium, Care, and Response users, preventing the execution of the malware file. Free Wordfence users will receive this additional protection on May 23, 2025.

This WordPress malware, cleverly disguised as a security plugin, demonstrates the persistent and increasingly sophisticated threats targeting website owners. Its advanced persistence mechanism makes thorough cleanup crucial for affected websites. Lastly, website owners are strongly advised to stay informed about emerging threats, utilize reputable security plugins, and ensure timely updates to protect their sites effectively.

Sneaky WordPress Malware Disguised as Anti-Malware Plugin

As the field of artificial intelligence (AI) continues to evolve at a rapid pace, new research has found how techniques that render the Model Context Protocol (MCP) susceptible to prompt injection attacks could be used to develop security tooling or identify malicious tools, according to a new report from Tenable.
MCP, launched by Anthropic in November 2024, is a framework designed to connect

Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense

Google enhances cybersecurity with Agentic AI, launching Unified Security to fight zero-day exploits, enterprise threats, and credential-based attacks.…

Google enhances cybersecurity with Agentic AI, launching Unified Security to fight zero-day exploits, enterprise threats, and credential-based attacks.

Google’s Threat Intelligence Group (GTIG) has released its findings for 2024, revealing a slight decrease in the exploitation of zero-day vulnerabilities compared to the previous year, with 75 instances tracked. However, GTIG emphasizes that this decrease is likely a temporary fluctuation within an overall upward trend of zero-day exploitation.

The M-Trends 2025 report, based on extensive incident investigations in 2024, highlights that while exploits remain the most common initial access point for attackers, the use of stolen credentials is on the rise, with the financial sector being the primary target. The report further details that the most common initial infection vector in observed attacks was via exploits (33%), followed by stolen credentials (16%), and email phishing (14%). Here’s a detailed breakdown:

(Source: Google)

Notably, there was a continued rise in attacks targeting enterprise-specific technologies, accounting for 44% of all zero-days exploited, primarily focusing on security and networking products. Cyber espionage actors, including government-backed groups and commercial surveillance vendors, remained the leading culprits behind attributed zero-day exploits, making up over half of the total. For the first time, North Korean actors were credited with exploiting the same number of zero-days as groups linked to China.

Simultaneously, Google Cloud Security is focusing on empowering security teams against such threats, especially with the integration of Artificial Intelligence. To combat these threats, Google has launched Google Unified Security, a platform that converges threat intelligence from Mandiant with security operations, cloud security, and secure enterprise browsing, all enhanced by Gemini AI, and aimed at enabling proactive security measures.

Source (Google)

Specifically, Google Security Operations now offers “Curated Detections” and “Applied Threat Intelligence Rule Packs” based on M-Trends 2025 findings to help detect malicious activities like infostealer malware and cloud compromise.

Google is also focusing on the development of “agentic AI” in security operations, utilizing intelligent AI agents to automate routine tasks like alert triage, investigation, response, threat research, and detection engineering. These agents are designed to learn and act autonomously, allowing security teams to focus on more complex threats. Google has introduced AI-powered features like an alert triage agent and a malware analysis agent, with plans for further development in their “SecOps Labs.”

Furthermore, the tech giant is aiming for an “agentic SOC” where AI enhances and automates security workflows. The tech giant is also promoting open standards like the Agent2Agent protocol and open-sourcing their Model Context Protocol (MCP) servers for interoperability between different security tools and vendors.

Casey Charrier, Senior Analyst at Google Threat Intelligence Group, told Hackread.com that while zero-day exploitation is growing steadily, efforts by major vendors are reducing attacks on historically targeted products. However, threat actors are now shifting focus to enterprise tools, highlighting the need for broader vendor action.

Google Introduces Agentic AI to Combat Cybersecurity Threats

Frankfurt am Main, Germany, 30th April 2025, CyberNewsWire

**Frankfurt am Main, Germany, April 30th, 2025, CyberNewsWire**

**Link11 has fully integrated DOSarrest and Reblaze to become one of Europe’s leading providers of network security, web application security, and application performance**

Link11, DOSarrest, and Reblaze have combined their strengths into a single, integrated platform with a new brand identity. The result: a consistent user experience, maximum efficiency, and seamless security. As a European provider, Link11 addresses the current business risks associated with geopolitical uncertainties and growing compliance requirements. At the same time, the company secures business-critical processes worldwide through the synergies created.

With the acquisitions of DOSarrest in 2021 and Reblaze Technologies in 2024, Link11 has expanded its market position. The new Link11 WAAP (Web Application and API Protection) SaaS platform combines comprehensive DDoS protection against web attacks with ML-based adaptive security and API protection. The result is an unmatched combination of adaptive real-time traffic filtering, AI-powered bot detection, and a next-gen web application firewall for secure and encrypted interactions in a single suite.

At the end of 2023, Link11 secured an investment of €26.5 million from Pride Capital Partners. This financing will support the company’s planned product developments and international go-to-market strategy.

**Maximum security through proprietary, sovereign cloud infrastructure and artificial intelligence**

Link11 is setting new standards in protection against DDoS attacks by using its own AI-based technology. The patented DDoS filter secures all traffic within the Link11 cloud – faster and more efficiently than conventional solutions. The advantages over competitors lie in users’ full control over scaling and intelligent real-time analysis of traffic, as well as continuous learning from attacks.

While other providers rely on third-party infrastructures such as AWS or Google, Link11 controls its own cloud infrastructure. This allows protection mechanisms to work in real time – without delays that can have critical consequences in a DDoS attack. As one of Europe’s leading IT security providers, Link11 enables platform-independent protection, even in multi-cloud environments.

**Technological independence as a security factor**

The solution is designed for workloads in any cloud environment. Link11’s network was developed specifically for modern cybersecurity requirements and sovereignty. It strengthens security at the network edge, accelerates global content delivery, and provides resilience and data sovereignty.

> Jens-Philipp Jung, founder and CEO of Link11: “Cybersecurity today means resilience against threats and outages. European companies that set global standards in data protection should also insist on independence when it comes to their cyber resilience. Especially in times of geopolitical uncertainty, sovereign, powerful and trustworthy IT solutions are needed. With Link11, we are demonstrating what European cutting-edge technology can achieve: maximum resilience, top performance and uncompromising compliance – independently and confidently”.

**European companies should rely on an EU-based DDoS protection provider**

Recent surveys of cybersecurity managers show that, given the option, independent and trustworthy security solutions from Europe will be used more in the future. Link11 has been successfully providing its services to companies such as financial institutions, media companies, retail and logistics companies, and the public sector for many years. With a strong brand and a multi-layered security approach, Link11 helps its customers reduce their dependence on cybersecurity. The goal is to make security architectures more resilient – technologically, functionally, and geopolitically. 

YouTube link: Link11 – Always at your side

**About Link11**

Link11 is a specialized European IT security provider that protects global infrastructures and web applications from cyberattacks. Its cloud-based IT security solutions help companies worldwide strengthen the cyber resilience of their networks and critical applications and avoid business interruptions. Link11 is a BSI-qualified provider of DDoS protection for critical infrastructure. With ISO 27001 certification, it meets the highest standards in data security.  

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 brings three brands together on one platform with new branding

Meta on Tuesday announced LlamaFirewall, an open-source framework designed to secure artificial intelligence (AI) systems against emerging cyber risks such as prompt injection, jailbreaks, and insecure code, among others.
The framework, the company said, incorporates three guardrails, including PromptGuard 2, Agent Alignment Checks, and CodeShield.
PromptGuard 2 is designed to detect direct

Tag

#intel