Today’s SME cyber brief: breach-driven impersonation scams and smarter phishing (including MFA push fatigue)

Today’s look-out: Supplier/brand impersonation scams and phishing that bypasses MFA via prompt bombing

What to look out for today

1) Breach-driven scams impersonating big brands. A reported data breach affecting 7‑Eleven customer details may trigger follow-on phishing and scam campaigns that reuse real personal information to look convincing.

2) More targeted phishing and “MFA prompt bombing”. Attackers are increasingly using realistic lures and techniques that pressure staff into approving sign-in prompts they didn’t initiate.

3) Background supplier risk: law enforcement action against hosting providers used to support cyberattacks is a reminder that criminal infrastructure can be disrupted suddenly, and attackers may shift to other providers quickly (which can change where malicious traffic comes from).

Why this matters to smaller businesses

Finance and admin teams are prime targets when criminals run impersonation campaigns after a high-profile breach (fake refunds, loyalty points, delivery issues, account “verification”, and payment requests).
MFA isn’t a magic shield if staff can be pressured into approving prompts. One approval can be enough to lose an email account, then lead to invoice fraud or payroll diversion.
Professional services, schools and charities are commonly targeted with believable “document sharing” and “portal login” emails, especially when attackers can personalise messages.

Warning signs

Emails or texts referencing a recent breach, “security upgrade”, “refund”, “voucher”, “points”, or “account locked” and pushing you to click quickly.
Unexpected multi-factor authentication (MFA) prompts, repeated approval requests, or staff saying “my phone keeps buzzing” with sign-in pop-ups.
Requests to change bank details, “reconfirm” payment info, or update payroll details, especially if sent outside normal process.
New or unusual email rules, changed signatures, or “sent items” messages staff don’t recognise (a sign of mailbox takeover).

How attackers may exploit the situation

Personal-data powered phishing: scammers reuse real details (name, email, phone) to make messages feel legitimate and lower suspicion.
Brand impersonation: fake customer support pages, fake “breach check” sites, or fake vouchers/refunds designed to capture passwords.
MFA push fatigue: attackers repeatedly trigger login prompts until someone taps “Approve” to stop the notifications, sometimes paired with a call pretending to be IT/support.
Mailbox-to-money chain: once in email, criminals watch invoice/payment threads and insert themselves at the right moment.

What to do today

Send a 3-line staff alert (especially to finance/admin): do not click “refund/points/account locked” links; do not approve unexpected MFA prompts; verify payment changes by calling a known number.
Reinforce your payment change process: any bank detail change must be verified out-of-band (phone call to a known contact, not the number in the email).
Review MFA settings: where possible, prefer number-matching or phishing-resistant methods over simple push approvals.
Check for mailbox compromise basics: review sign-in alerts, unusual forwarding rules, and newly authorised apps connected to Microsoft 365/Google Workspace.

Ask your IT provider

Can you show us recent failed sign-in patterns and whether any accounts experienced repeated MFA prompts?
Do we have controls to detect and block suspicious inbox rules (auto-forwarding to external addresses, hidden rules)?
Are we using number-matching / stronger MFA where available, and do we have a plan to reduce “push approval” risk?
What’s our process for rapidly resetting and securing an account if a user reports unexpected MFA prompts?

Patch watch - only one short paragraph, and only if relevant

Some industrial/operational technology vendors have issued advisories today (including denial-of-service and hard-coded credential scenarios). If you run any specialist lab/industrial equipment or manufacturing control systems, ask your support partner what is internet-exposed, what is remotely accessible, and whether any vendor-recommended updates or configuration changes are needed as part of routine maintenance.

One action today

Send a short internal note today: “If you get unexpected MFA prompts, do not approve—report it immediately; and verify any bank-detail or payment change by calling a known contact.”

Related Actions On Cyber resource

CTA: Use the Actions On Cyber “Invoice & bank detail change verification checklist” (and share it with anyone who approves payments).

Sources

7-Eleven data breach exposes personal information of 185,000 people (BleepingComputer)
MFA Prompt Bombing: Why Your Second Factor Isn't Saving You (The Hacker News)
Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning (The Hacker News)
MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries (The Hacker News)
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks (Krebs on Security)
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos (The Hacker News)

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.