How do these fake Windows support sites catch people out?
Attackers win by exploiting normal behaviour:
* Someone Googles “Windows update error”, “support”, or “24H2 update” under pressure.
* The page looks official enough to pass a quick glance.
* The “fix” is an MSI or download that claims to be a cumulative update.
* Security tools may not alert immediately, especially on older endpoints or unmanaged devices.
This is why “we have antivirus” is not a strategy; it is a layer.
What cyber security for small businesses should you prioritise first?
Start with low-effort, high-impact controls aligned to Cyber Essentials thinking, without turning it into a paperwork project.
1. Turn on MFA everywhere it matters (today)
Prioritise Microsoft 365 admin accounts, finance mailboxes, and any remote access. Use strong MFA methods, not SMS where avoidable.
2. Stop local admin by default
Most staff should not be able to install software. If your outsourced IT insists, they need admin, use separate admin accounts and just-in-time elevation.
3. Create a “fake support site” rule of thumb
Staff should never install updates from search results or pop-ups. Updates come via Windows Update, Intune, or your managed patch tool. Make it a one-paragraph policy and repeat it.
4. Harden Microsoft 365 against mailbox takeover
Enforce MFA, disable legacy auth, and add alerting for new inbox rules and suspicious forwarding. This directly reduces Business Email Compromise risk.
5. Backups that ransomware cannot touch
Even though this campaign is a stealer, stolen credentials often lead to ransomware later. Keep at least one offline or immutable copy and test restores monthly.
Authority and evidence you can cite internally
* The NCSC recommends deploying strong MFA for corporate online services, particularly for admin and high-risk account
* The ICOexpects risk-based security controls to protect personal data, including access control, patching, and organisational measures such as training and incident response.
* UK government research shows breaches are common across business sizes, reinforcing that baseline controls are a board-level issue, not “IT hygiene”.
Run a 30-minute “credential theft readiness check” this week: confirm MFA coverage for every admin and finance account, remove local admin from standard users, and document one clear rule on where updates are allowed to come from.
