Daily SMB Cyber Intelligence Brief

Today’s SMB cyber lookout: AI voice scam calls, ransomware automation, and router/Android risks

What small and medium-sized businesses should look out for today.

High | Wednesday 03 June 2026, 21:12 UK time
Today’s look-out: Impersonation scams and business disruption via phones, endpoints and edge devices

What to look out for today

  • AI “deepfake” phone calls that mimic a colleague, boss, supplier or family member to pressure someone into moving money or sharing access codes.
  • Ransomware becoming more automated, increasing the chances that a single compromised account or device quickly turns into a wider business outage.
  • Small office / home routers and Android devices being a practical entry point, especially where IT management is light-touch or devices are shared.
  • Minecraft/mod malware spillover: not just a “kids” issue—staff home devices (or student devices in schools) can get infected and later be used to access work accounts.

Why this matters to smaller businesses

SMEs and charities are often targeted because day-to-day operations rely on quick decisions (payments, payroll, supplier requests) and a small number of key people. A convincing phone call or a single infected device can lead to fraudulent payments, stolen credentials, or ransomware downtime that stops trading.

Warning signs

  • Caller insists on urgency and secrecy (e.g. “don’t message me, I’m in a meeting—just do it now”).
  • Request to change bank details, buy gift cards, share one-time passcodes, or approve a new login.
  • Phone call quality is unusually “clean” or slightly unnatural, with odd pauses or repeated phrases.
  • Unexpected MFA prompts, password reset messages, or login alerts after a call.
  • Slow devices, new browser extensions, unfamiliar “mods/tools”, or antivirus warnings—especially on home/shared PCs used for work logins.

How attackers may exploit the situation

  • Voice impersonation to authorise payments or extract verification codes used to take over email or banking accounts.
  • Automated ransomware playbooks that rapidly map a business network once a foothold is gained, shortening the time from “first compromise” to “business-wide disruption”.
  • Edge device compromise (e.g. a vulnerable router) to intercept traffic, pivot into devices, or enable persistent access—particularly damaging for remote workers and small sites.
  • Malware from pirated or game-related downloads that steals passwords/cookies, then reuses them against Microsoft 365/Google/work email and finance tools.

What to do today

  • Set a “no phone-only payments” rule: any new payee or bank detail change must be verified via a second channel (known email thread, supplier portal, or a call-back to a number already on file).
  • Remind staff: never share one-time passcodes with anyone on the phone—ever.
  • Ask staff who use personal/home devices for work logins to stop using pirated software and risky downloads; consider a quick re-check of security on BYOD devices.
  • For Android users: ensure Google Play Protect and basic device protections are enabled; treat unusual calls/messages as potential social engineering.

Ask your IT provider

  • Do we have a tested process to verify payment and bank-detail changes, and is it enforced (not optional)?
  • How quickly would we detect and contain ransomware activity on a single PC before it spreads?
  • Which routers are in use at our sites (and for key remote staff), and how do we track and update them?
  • Do we have controls for risky browser extensions and “shadow” tools that could expose accounts?

Patch watch

Today’s reporting includes warnings about active attacks affecting Android/Linux and separate router zero-days impacting certain Acer Wave 7 mesh routers. For SMEs, the practical takeaway is to identify who uses these devices (office, home workers, schools) and make sure firmware/OS updates are being applied promptly through a managed process, especially for internet-facing kit like routers.

One action today

Send a same-day memo: “No payment/bank detail changes can be approved based on a phone call alone—verify via a second channel using known contact details.”

Related Actions On Cyber resource

Actions On Cyber checklist: Payment change verification & anti-impersonation process (call-back and dual approval)

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.