Daily SMB Cyber Intelligence Brief

Today’s SMB cyber brief: tech support scams, identity-led break-ins, and security tool risk

What small and medium-sized businesses should look out for today.

Threat level: High. Friday 22 May 2026, 17:11 UK time
Today’s look-out: Tech support scam calls + identity/account takeover paths + endpoint security supplier risk

What to look out for today

  • Tech support scam activity remains a live risk — including call-centre style fraud designed to pressure staff into granting remote access or sharing codes.
  • Identity is still the easiest “way in” — attackers often don’t need malware if they can get hold of cached credentials, tokens, or persuade a user to approve access.
  • Dependency risk: telecoms and network services — reporting highlights targeting of telecoms providers, and law enforcement action against a VPN service used in ransomware and data theft. This can lead to knock-on disruption and opportunistic scams (“your provider has an issue… click here”).
  • Security software supplier risk — Trend Micro has warned about an Apex One zero-day being exploited in the wild (relevant if you use this product directly or via an MSP).

Why this matters to smaller businesses

SMEs are attractive because they rely heavily on outsourced IT, a small number of key cloud accounts, and third-party providers (telecoms, VPNs, security tooling). When criminals can social-engineer one staff member, or abuse a trusted tool/account, they can jump straight to email, payroll, payments, or customer data without “hacking” in the traditional sense.

Warning signs

  • Unexpected calls/emails claiming to be Microsoft, your ISP, your IT provider, or ‘security’, urging immediate action.
  • Pressure to install remote support software, approve a login, or read out MFA/passcodes.
  • Messages referencing real-world events (“VPN seized”, “telecom incident”, “security update”) to sound credible.
  • Unusual login prompts, repeated MFA notifications, or staff reporting ‘I keep getting approval requests’.
  • Unexpected AV/EDR alerts, service restarts, or management console changes (especially if you use Trend Micro Apex One).

How attackers may exploit the situation

  • Tech support fraud: criminals use believable scripts and call tooling to keep victims on the phone, then push remote access, payment, or bank transfer steps.
  • Identity-led intrusion: stolen/cached credentials or tokens from one machine can be enough to access wider cloud services and data.
  • Supplier/disruption piggybacking: if telecom/VPN/security news is trending, attackers send ‘incident update’ phishing to harvest logins or trick staff into changing payment details.
  • Security tool exposure: if your endpoint security product is targeted, it can become an attacker’s route to deploy malware or disable protections (particularly relevant where a zero-day is reported as exploited).

What to do today

  • Brief staff (5 minutes): no one should ever share MFA codes or allow remote access because of an unsolicited call. If in doubt: hang up, then call back using a known number from your supplier contract or official website.
  • Lock down remote access: ensure remote support tools are only allowed when requested through your helpdesk process, not ad-hoc installs.
  • Reduce account blast radius: confirm admin accounts are separate from day-to-day user accounts; check who has access to email administration, banking, payroll and key SaaS consoles.
  • Prepare for ‘provider incident’ phishing: remind finance and office teams that any bank detail change still requires your normal verification (dual approval + call-back).
  • If you use Trend Micro Apex One: ask your IT provider to confirm your exposure and whether mitigations/updates have been applied.

Ask your IT provider

  • Do we run Trend Micro Apex One anywhere (directly or via you)? If yes, what’s been done in response to the actively exploited issue?
  • What controls stop staff from installing or using unauthorised remote support tools?
  • How quickly would we detect unusual sign-ins to Microsoft 365/Google/workplace SaaS, and who gets alerted?
  • Are admin credentials/tokens protected (e.g., least privilege, separate admin accounts, device controls) to reduce the risk of one machine leading to wider cloud access?
  • What’s our plan if a key provider (telecoms/VPN) has an outage or incident — and how do we validate supplier communications?

Patch watch

Trend Micro has warned of an Apex One zero-day being exploited; if your business uses Apex One (or your MSP does on your behalf), treat this as time-sensitive and ask for confirmation of the vendor-recommended fix/mitigation status and any follow-up monitoring.

One action today

Send a short internal note: “We will never approve MFA codes or allow remote access because of an unsolicited call/email—hang up and call back via a known supplier number.”

Related Actions On Cyber resource

Checklist: “Stop payment-change and invoice fraud (call-back + dual approval checklist)”

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.