TechTidBit – Tips and advice for small business computing – Tech Experts™ – Monroe Michigan

Brought to you by Tech Experts™

Can Someone Hack Your Email Without The Password?

June 22, 2026

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Most people assume an email hack starts with a stolen password. That’s not always true.

Yes, weak and reused passwords are still a major problem. But many modern email attacks work around the password entirely. Hackers are not always sitting in a dark room trying to guess your login. More often, they are tricking someone or slipping into the account through a connected app.

That is why email security cannot stop at “we have strong passwords.”

Your email is one of the most valuable keys to your business. Think about how many systems connect back to it: banking alerts, payroll, Microsoft 365, and cloud storage.

If a criminal gets into your inbox, they may be able to reset passwords for other accounts, read private conversations, and watch how money moves through your company.

One common trick is phishing. An employee receives what looks like a normal Microsoft login. They click the link, enter their information, and the attacker captures what they need.

Another method is account recovery abuse. If recovery options are weak, outdated, or tied to a personal phone number or email account, criminals may use that path to regain access. They do not need the current password if they can convince the system to issue a new one.

One we see far too often is email forwarding rules. A hacker gets access briefly, creates a hidden rule that forwards copies of messages to an outside address, then quietly leaves. From that point on, they can study invoices, customer emails, and payment patterns.

They may wait weeks before making their move. That is how business email compromise happens. A criminal watches a real conversation, then jumps in at the right time with fake banking instructions, a changed invoice, or an urgent request from someone who appears to be the owner or manager.

By the time anyone notices, the money may already be gone. So what should you do?

First, use multi-factor authentication on every email account. Not just the owner. Not just the office manager. Everyone. Email is the front door to your business, and one unprotected account is enough to create a serious problem.

Second, use strong, unique passwords and a password manager. Reusing the same password across personal and business accounts is asking for trouble.

Third, review email forwarding rules and login activity regularly. Strange logins, unexpected reset messages, missing emails, or messages in the sent folder that no one remembers sending are all warning signs.

Fourth, train your staff to slow down. Criminals rely on rushing people. A payment change, password alert, or “urgent” document should always be verified through a second channel.

Finally, ask your IT provider for proof. Are all users protected by MFA? Are suspicious logins monitored? Are old accounts removed quickly when employees leave? Are email rules being checked?

Email attacks do not always require a stolen password. Sometimes they only require one missed setting, one rushed click, or one account no one is watching.

The good news is that most of this risk can be reduced with practical, proven controls. Not scare tactics. Just the basics done consistently. And in cybersecurity, the basics done well still matter.
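The forwarding-rule review described above can be scripted. The following is an added example, not code from the original article: it audits a constructed mailbox-rule export for rules that send mail outside the organization and ranks the ones that also hide their tracks. The JSON layout, field names, and the `example.com` domain are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains (subdomains count as internal).
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export. The JSON layout and field names are hypothetical,
# chosen for this example; map them from whatever your mail platform exports.
SAMPLE_EXPORT = json.dumps([
    {"mailbox": "alice@example.com", "name": "Invoices to AP",
     "forward_to": ["ap@example.com"], "redirect_to": [],
     "mark_as_read": False, "delete_message": False, "move_to_folder": None},
    {"mailbox": "bob@example.com", "name": ".",
     "forward_to": ["archive@example.com.example.net"], "redirect_to": [],
     "mark_as_read": True, "delete_message": False, "move_to_folder": "RSS Feeds"},
    {"mailbox": "carol@example.com", "name": "Copy to my phone",
     "forward_to": [], "redirect_to": ["carol.home@example.org"],
     "mark_as_read": False, "delete_message": False, "move_to_folder": None},
    {"mailbox": "dave@example.com", "name": "Helpdesk copies",
     "forward_to": ["tickets@support.example.com"], "redirect_to": [],
     "mark_as_read": False, "delete_message": False, "move_to_folder": None},
])


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    external_targets: list
    reasons: list = field(default_factory=list)
    score: int = 0

    @property
    def severity(self):
        return "high" if self.score >= 3 else "review"


def is_internal(address, internal_domains):
    """True when the address belongs to one of our domains or a subdomain."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def assess_rule(rule, internal_domains):
    """Return a Finding for a rule that sends mail outside, else None."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if not is_internal(t, internal_domains)]
    if not external:
        return None
    finding = Finding(rule["mailbox"], rule.get("name", ""), external,
                      ["sends copies to an outside address"], score=2)
    # Actions that keep the mailbox owner from noticing the forwarded mail.
    if rule.get("mark_as_read") or rule.get("delete_message") or rule.get("move_to_folder"):
        finding.reasons.append("also hides the message from the owner")
        finding.score += 1
    # Blank or punctuation-only names are easy to overlook in a rules list.
    if not any(ch.isalnum() for ch in rule.get("name", "")):
        finding.reasons.append("rule name is blank or punctuation only")
        finding.score += 1
    return finding


def audit(export_json, internal_domains=INTERNAL_DOMAINS):
    """Assess every rule in the export; highest-scoring findings first."""
    findings = [f for f in (assess_rule(r, internal_domains)
                            for r in json.loads(export_json)) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[{f.severity}] {f.mailbox} rule {f.rule_name!r} -> "
              f"{', '.join(f.external_targets)}: {'; '.join(f.reasons)}")
```

The lookalike domain in the second rule ends in a different registrable domain, so it is treated as external even though it begins with `example.com`.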

Where Are Your Cloud Files Really Going?

June 22, 2026

When people talk about “moving to the cloud,” it can sound like a single decision. But there are a few different ways to do it. The right choice depends on how your business works.

At its simplest, cloud storage means your data isn’t stored on a single computer or server in your office.

Instead, it’s stored in secure data centers run by providers (like Microsoft) and accessed over the Internet.

That’s what allows you to open files from anywhere, share them instantly, and collaborate in real time.

But not all cloud setups are the same. The most common approach is what’s known as the public cloud.

This is where your data is stored on shared infrastructure managed by a provider. Tools like Microsoft 365 and OneDrive fall into this category.

You’re effectively renting space in a highly secure, always-available environment without needing to maintain any hardware yourself.

At the other end of the spectrum is private cloud. This is where the infrastructure is dedicated to your business, either hosted on-site or in a data center.

It offers more control and can be useful for organizations with specific security or compliance requirements. But it also comes with more responsibility and cost.

Some businesses sit somewhere in the middle with a hybrid setup.

That might mean everyday files and collaboration tools live in the public cloud while more sensitive systems or data are kept in a private environment. It gives you flexibility to balance accessibility, control, and risk.

Whichever route you take, the benefits tend to be similar:

  • Your team can access what they need from anywhere
  • You can scale storage up or down without buying new equipment
  • And your data is protected by enterprise-grade security, including encryption and multiple backups across different locations

The important thing is that “the cloud” isn’t a one-size-fits-all solution.

The way it’s set up should reflect how your business operates, what data you handle, and how your team works day to day.

If you’re not sure whether your current setup is right, or you’d like a clearer picture of the options available, we can help. Get in touch.

Everyone’s Talking About AI, But What Are The Risks?

June 22, 2026

Do you ever get the sense that AI is showing up everywhere these days? It feels like every email, every meeting, and every industry headline is pushing the same message: adopt it now or get left behind.

Business owners and team leaders see it clearly. New tools pop up weekly, each one promising to cut hours off routine tasks, streamline operations, and free up people for more important work.

And in many cases, they deliver on those promises. Simple things like drafting reports, analyzing spreadsheets, or handling customer queries suddenly take a fraction of the time they used to.

But alongside the enthusiasm, a quieter conversation keeps surfacing in boardrooms and break rooms alike. What are we actually risking here?

Most leaders already recognize that rushing in without thinking carries real downsides. Still, the fear of watching competitors pull ahead often wins out. No one wants to be the cautious one who falls behind.

This pressure creates a tricky spot. AI systems are growing more capable by the month, and some are starting to act with surprising independence.

You have probably come across the term AI agent by now. These are not just chatbots that answer questions. They can perform real actions: pulling files, sending emails, updating records, or connecting with other programs on your behalf.

That kind of access is exactly where things get complicated. Once an AI tool is inside your systems, it sees the same information your employees do. Customer details, financial records, strategic plans.

Without tight boundaries in place, there is a genuine chance that sensitive data slips out in ways no one intended. The tool might follow instructions too closely, or it might get fooled by a carefully worded request from someone outside the company.

These deceptive inputs, often called malicious prompts, can be as straightforward as a phishing-style message that tricks the AI into revealing information or taking unwanted actions. It does not require sophisticated hacking – just someone who knows how to phrase things cleverly.

Then there is the growing problem of visibility. Different departments often test out their own AI solutions. Some get official approval.

Many do not. Over time, this patchwork of usage turns into what people call shadow AI. No central record exists of which tools are active, what data they are handling, or where that data ends up. It becomes almost impossible to track.

On top of everything else, the technology moves faster than most companies can update their policies or security practices.

What seemed safe six months ago might carry new vulnerabilities today. Organizations find themselves trying to hit a moving target.

None of this means businesses should step away from AI altogether. The potential gains are too significant to ignore. The smarter path is to bring some order to the process.

Start by selecting a few approved platforms that meet your security standards. Create straightforward guidelines about what data can and cannot be entered into these tools.

Assign clear responsibility to someone – whether it is a dedicated team or an existing manager – to keep an eye on AI usage across the organization.

Regular check-ins and simple training sessions can go a long way toward keeping everyone on the same page. The goal is not to slow things down unnecessarily, but to move forward without unnecessary exposure.

If your company is navigating these decisions and you would like a straightforward conversation about what makes sense for your situation, feel free to reach out.

We have helped plenty of businesses find a balanced approach that captures the benefits while keeping risks in check.

Why Human Habits Are Your Biggest Security Risk

June 22, 2026

Most cyberattacks do not start with a sophisticated intrusion. They start with a click on a personal email, a reused password, or a file uploaded to a familiar cloud service because the approved option felt slower.

The Verizon Data Breach Investigations Report found that 68% of breaches involve the human element.

Not a zero-day exploit or a brute-force attack on a hardened system. Human behavior, in the course of an ordinary working day.

For businesses running cloud-based workflows across multiple devices, the personal and professional overlap is now the rule. Understanding where that overlap creates risk is no longer optional. It is a core part of modern security strategy.

How personal web habits create business exposure

Personal channels are phishing’s preferred territory. Personal inboxes, messaging platforms, and social media feeds are where phishing thrives.

These environments are harder to filter, easier to spoof, and loaded with the emotional triggers that make people act before they think.

When those channels share a device or browser with business systems, a single click can cross the boundary instantly.

Phishing is the most common entry method for attackers precisely because it exploits distraction rather than technical weakness. The target does not need to be careless. They just need to be busy.

Password reuse is one of the most direct connections between personal and professional exposure.

When credentials from a personal account are compromised, attackers run them against business systems automatically. This technique, credential stuffing, is low-effort and highly effective because so many people use the same password across multiple accounts.

Unique credentials for every account, combined with multi-factor authentication, break that chain.

A personal breach has nowhere to go when the work account requires a second factor that the attacker cannot relay.

Why blocking behavior doesn’t work

The instinct is to lock things down: block personal apps, restrict browsing, enforce strict device policies.

In practice, blanket restrictions rarely stop the behavior. They relocate it. Users find workarounds.

Unapproved tools move to personal devices. IT teams lose visibility into exactly the activity they were trying to manage.

The risk does not disappear. It moves somewhere harder to see. Security strategies that assume perfect compliance perform poorly in real workplaces.

The goal is not eliminating the overlap between personal and professional digital activity. It is managing it without breaking how people work.

What actually reduces risk

The controls that work are the ones that match how people actually operate.

Separate contexts, not people

The simplest way to reduce crossover risk is to reduce crossover.

Separate browser profiles for work and personal activity, clear guidance on where business accounts should be accessed, and clearly identified boundaries that prevent accidental mixing all reduce exposure without restricting what people do with their time.

Design for credential failure

Assume passwords will eventually be exposed somewhere. Design for that outcome rather than hoping to prevent it. CISA reports that enabling multi-factor authentication makes accounts 99% less likely to be compromised, even when the underlying password has already been stolen.

Make secure behavior easier than unsafe behavior. Contact us or schedule a consultation to review current controls and identify where the most important gaps are.

Your Next Best Employee Probably Won’t Be Human

May 26, 2026

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

What would happen if your competitor could suddenly get twice as much work done… without hiring anyone new?

No extra desks, recruitment fees, or bigger payroll. Just more output.

That’s the shift we’re moving into.

You’ve probably heard people talk about AI and wondered what that means for a normal business like yours.

An AI worker isn’t a robot. It’s software that can think through tasks in a surprisingly human way.

It can read documents, write emails, summarize meetings, analyze numbers, draft proposals, create job descriptions, and even help write computer code.

If you’re using Microsoft 365, you’re already seeing early versions of this built into tools like Word, Outlook and Teams.

Right now, many SMBs are dabbling. Someone asks AI to tidy up an email. Someone else uses it to help write a report.

But the real advantage comes when a business is properly set up to use AI across the organization.

And this is where some companies are going to struggle.

AI tools work best when your data is organized and accessible. If your files are scattered across personal laptops, old servers, and mystery cloud apps no one remembers signing up for, AI can’t safely “see” the information it needs.

If your security is weak, giving AI deeper access could create risk.

Being ready for AI doesn’t mean being technical. It means having tidy systems, clear permissions (who can access what), strong security, and leadership that’s willing to adapt processes.

Because this isn’t a small improvement.

The people building these tools are predicting dramatic leaps forward very quickly. Tasks that currently take hours could shrink to minutes.

Research that once required days might happen in seconds.

When that becomes normal, businesses that can plug in AI workers smoothly will accelerate. Those that can’t will feel slower, more expensive, and less responsive.

And this isn’t about replacing your team. It’s about giving them superpowers.

And in the next few years, the businesses that win won’t necessarily be the biggest or the oldest. They’ll be the ones that were ready.

If you’d like to discuss how AI could benefit your business, get in touch.

Beware The Next Generation Of Phishing Attacks

May 26, 2026

If phishing scams are supposed to trick people, why do so many of them still feel clumsy?

For years, the answer was simple: Most scams were mass-produced.

The same email, the same fake website, sent to thousands of people and hoping a few would fall for it.

That approach is still around, but it’s starting to evolve.

When generative AI first appeared, there was a lot of talk about “dynamic websites.”

Instead of one fixed site for everyone, pages would be generated on the spot, shaped by who you are, where you are, and what device you’re using.

That future never really arrived for everyday businesses. It was complex and rarely worth the effort.

Cybercriminals, however, don’t need perfect systems.

They need something convincing.

Security researchers have shown how this idea could be used for phishing. While it’s still largely experimental, it gives a clear picture of the next generation of scams.

A victim clicks a link and lands on a webpage that looks harmless. There’s no obvious malicious code sitting on the page.

Once it loads, the page asks a legitimate AI service to help generate content.

That content is then assembled and run directly in the person’s browser.

The result is a phishing page that’s created especially for that visitor.

The wording, layout, and code can all be different every time. There’s no single fake website for security systems to spot and block – because the scam doesn’t fully exist until someone opens it.

Before you panic, this method isn’t widespread yet. But the building blocks are in use.

AI is being used to write malicious code, malware is increasingly assembled as it runs, and AI-assisted scams are becoming more common.

For you, this changes the rules slightly.

Phishing is no longer just about spotting bad spelling or sloppy design.

Future scams may look even more polished, personalized, and completely legitimate. Some will appear to come from legitimate senders.

That’s why modern protection focuses less on “don’t ever click the wrong thing” and more on limiting the damage if someone does.

Tools like multi-factor authentication, secure browsers, and email filtering still work, even when a fake page looks convincing.

Remember this: phishing isn’t going away.

To stay protected now, you must assume the next scam will look professional and make sure your defenses don’t rely on people spotting obvious mistakes.

Tech Overload Or Tech Opportunity?

May 26, 2026

Has your team had to adapt to new systems recently?

Perhaps you’ve rolled out new software, introduced automation, or started experimenting with AI tools inside Microsoft 365.

A few years ago, that level of change might have left people feeling overwhelmed.

Today, something different is happening.

Research shows that most employees have experienced organizational change in the past year, and the most common reason is new technology.

You might expect that constant updates and new tools would drain energy. In reality, many workers report feeling more engaged, not less.

Artificial intelligence is playing a big role in this shift.

Around half of employees now use AI tools regularly at work. They say it helps them complete tasks faster, improve the quality of what they produce, and generally feel more productive.

When technology removes repetitive or frustrating parts of a job, it creates breathing space.

That said, there is a clear warning for business owners.

When companies don’t provide approved, secure AI tools quickly enough, employees don’t stop using them. They find their own.

This is known as shadow AI, where staff use unapproved tools without IT oversight.

It usually comes from good intentions. People want to work efficiently. But it can expose sensitive company data and create security risks.

The demand for smarter tools is coming from inside your business, not from software vendors pushing features.

There’s another factor that matters just as much as the technology itself: employees want to feel listened to during periods of change.

When leadership checks in, explains decisions clearly, and responds to feedback, engagement rises sharply.

When change feels imposed without conversation, enthusiasm drops.

The businesses thriving right now are guiding innovation carefully.

They are introducing new tools with structure, strengthening security, and having regular conversations about what support people need.

Technology isn’t settling down any time soon.

Handled properly, though, it can energize your workforce rather than exhaust it.

And if you need help working out the right tech for your business, we can help. Give us a call at (734) 457-5000, or email info@mytechexperts.com.

The “Session Cookie” Hijack: Why MFA Can’t Always Save You

May 26, 2026

MFA is a strong front-door lock. But it’s not the only thing that decides whether someone can get in.

After you sign in, your browser keeps you logged in using a session token (often stored as a cookie). It’s the digital version of a wristband at an event: once you’ve been checked, the wristband proves you belong there.

If an attacker steals that wristband, they may not need to beat your MFA prompt at all.

That’s the core of session cookie hijacking. The attacker isn’t “cracking” MFA. They’re skipping it by replaying your already authenticated session.

This isn’t a reason to stop using MFA. It’s a reason to stop treating MFA as the finish line.

Why MFA isn’t a “game over” control

MFA is still one of the best upgrades most businesses can make, but it doesn’t end an attack on its own.

The reason is that attackers don’t always try to beat the login step. They try to go around it.

Cloudflare notes that “attackers are finding new ways to circumvent MFA” and that modern incidents are rarely one isolated technique. They’re “part of a chain of attacks.”

In other words, MFA can block a lot of credential theft, but it doesn’t automatically protect what happens after a user successfully signs in.

That’s where session cookie hijacking comes in.

What a session cookie is and why attackers want it

When you sign into a web app, the site needs a way to remember that you’ve already proved who you are.

That’s what a session is: a temporary “logged-in” state that saves you from entering your password and MFA code on every click.

Kaspersky explains that session hijacking is “sometimes called cookie hijacking” because cookies are commonly used to store the session identifier that keeps you authenticated.

Proofpoint describes session tokens as digital “keys” that let a user stay authenticated. It warns that stealing valid tokens lets attackers impersonate legitimate users and potentially bypass authentication measures “like MFA.” That’s why session cookie hijacking gives attackers so much leverage.

If an attacker can steal the cookie or token that represents your active session, they’re not trying to defeat the login process. They’re attempting to reuse what you already completed and access the same apps and data as if they were sitting at your keyboard.

How session cookie hijacking actually happens

AiTM phishing. Adversary-in-the-middle (AiTM) phishing is the “proxy login” trap. You think you’re signing into a normal service, but you’re actually signing into a lookalike page that sits between you and the real site.

The attacker relays the login in real time, so everything appears to work, including MFA.

Browser-in-the-Middle session stealing. It’s similar in spirit, but it’s even more “hands-on” from the attacker’s side. Instead of stealing a password and running away, the attacker effectively places themselves in control of the browsing session.

Cookie theft from the endpoint. Not every session hijack starts with a fancy proxy. Sometimes, the attacker simply steals session data from the device itself, allowing them to impersonate legitimate users.

MFA is a baseline, not a finish line

MFA is still essential. It blocks a huge amount of credential theft and makes basic account takeover harder.

But session cookie hijacking is a reminder that attackers don’t always try to defeat the login step. Sometimes, they reuse what happens after it.

The practical response is layered and realistic. When those controls work together, MFA stops being a checkbox and becomes a strong baseline backed by protections around the session itself.
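One protection around the session itself, shown as an added example that is not part of the original article: a server-side session store that ties each token to the client context it was issued to, enforces idle and absolute timeouts, and revokes the session when the token turns up somewhere else. The class and function names, the timeout values, and the choice of network prefix plus user agent as the context signal are assumptions for this sketch.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session expires
ABSOLUTE_TIMEOUT = 8 * 3600   # maximum session lifetime, active or not


def context_fingerprint(ip, user_agent):
    """Coarse client context: network prefix plus user agent, hashed."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{network}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float
    last_seen: float


class SessionStore:
    """Hypothetical in-memory store; a real service would persist this."""

    def __init__(self):
        self.sessions = {}   # sha256(token) -> Session, so raw tokens are never stored
        self.alerts = []     # (user, ip, message) tuples for the security team

    @staticmethod
    def key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, ip, user_agent, now):
        """Called only after password and MFA checks have succeeded."""
        token = secrets.token_urlsafe(32)
        self.sessions[self.key(token)] = Session(
            user, context_fingerprint(ip, user_agent), now, now)
        return token

    def validate(self, token, ip, user_agent, now):
        key = self.key(token)
        session = self.sessions.get(key)
        if session is None:
            return "invalid"
        if (now - session.created > ABSOLUTE_TIMEOUT
                or now - session.last_seen > IDLE_TIMEOUT):
            del self.sessions[key]
            return "expired"
        if context_fingerprint(ip, user_agent) != session.fingerprint:
            # The wristband showed up on someone else: revoke it for everyone
            # and force a fresh sign-in, MFA included.
            del self.sessions[key]
            self.alerts.append(
                (session.user, ip, "session token presented from a new client context"))
            return "reauth"
        session.last_seen = now
        return "ok"


def demo_results():
    """Walk one constructed session through normal use, replay, and timeout."""
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed office browser)"
    token = store.issue("pat@example.com", "203.0.113.10", ua, now=0)
    results = [
        store.validate(token, "203.0.113.57", ua, now=60),    # same network, same browser
        store.validate(token, "198.51.100.7",
                       "Mozilla/5.0 (constructed other device)", now=120),
        store.validate(token, "203.0.113.10", ua, now=180),   # revoked by the step above
    ]
    fresh = store.issue("pat@example.com", "203.0.113.10", ua, now=200)
    results.append(
        store.validate(fresh, "203.0.113.10", ua, now=200 + IDLE_TIMEOUT + 1))
    return results, store.alerts


if __name__ == "__main__":
    outcome, alerts = demo_results()
    print(outcome)
    print(alerts)
```

Context binding catches a token copied off one device and replayed from another. A session that was established through a relay is bound to the relay's context, so this check works alongside phishing defenses at sign-in and does not replace them.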

Would Your Business Survive A Serious Cyberattack?

April 14, 2026

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

It’s not a comfortable question, and it’s one many SMB owners assume they never really need to answer.

Cyberattacks feel like something that happens to other people. Big brands. Global companies. Organizations with huge IT teams and budgets.

The reality is very different.

Recent research shows that a worrying number of businesses believe they simply wouldn’t survive a major cyber incident.

That might sound dramatic, but it’s a fair reflection of how exposed many businesses still are.

Cyberattacks have changed. They’re no longer just a hacker guessing a password. Attacks today are faster, more targeted, and often designed to shut a business down completely.

Ransomware, for example, is a type of attack where criminals lock your systems and demand payment to unlock them. If you can’t access your data, your systems, or your customer information, normal business stops very quickly.

What’s interesting is that most business leaders know the risk is rising. Many openly admit they expect their staff to fall for a phishing attack.

Phishing is when a fake email or message pretends to be legitimate, tricking someone into clicking a link or handing over login details.

That single mistake can be all an attacker needs.

Despite this awareness, the basics are still being missed.

Password reuse is a big one. If someone uses the same password at work and across multiple personal accounts, one breach can quickly turn into many.

Cybercriminals know this, which is why stolen passwords are so valuable.

Basic cyber awareness training is another gap. Many employees have never been shown what to look out for or how to spot common scams.

But it’s not all doom and gloom.

High-profile attacks have made business owners more alert, especially around newer threats like AI-driven scams and deepfake video calls that pretend to be senior leaders. That growing skepticism is healthy.

The most important thing to understand is that surviving a cyberattack doesn’t need expensive tools or complex technology.

Preparation is your best tool.

Simple steps like strong, unique passwords and regular staff training make a real difference.

Do you think your business would survive a serious cyberattack? If you’re not sure, we can help you strengthen your defenses. Give us a call at (734) 457-5000.

The Real Reason You’re Struggling With AI

April 14, 2026

AI has become a regular topic in business conversations.

It comes up in meetings, strategy days and vendor pitches.

Yet for all the talk, many organizations are still struggling to turn AI from an interesting idea into something that genuinely helps people do their jobs.

In many organizations, AI is stuck in a trial phase.

Someone experiments with a tool. A small pilot runs for a few weeks. Then progress slows.

The AI works, but businesses struggle to move from experimentation to everyday use. The return on investment everyone expects stays just out of reach.

Uncertainty is usually to blame.

Leaders worry about security, privacy and compliance. They’re unsure what data AI tools are allowed to see or how decisions are being made. Others admit they don’t yet have a clear business case, so AI becomes something interesting rather than something essential.

Another big factor is confidence.

Many employees are curious about AI, but also nervous. They worry about making mistakes, relying on the wrong answers, or using tools incorrectly.

Without clear guidance, people either avoid AI altogether or use it quietly and inconsistently. That creates risk and limits the benefits.

It’s a shame, because when AI is used properly, the gains are very real. Teams can respond to customers faster, spot issues earlier, analyze data more easily and reduce time spent on repetitive admin.

In technical areas, AI can help monitor systems, improve security, and surface problems before they turn into outages.

These are practical, everyday improvements that add up quickly.

The businesses seeing progress tend to take a steady, human-first approach. They set clear rules around how AI should be used, what it can and can’t do, and where human judgment still matters. They focus on giving staff training and reassurance, not just new tools.

AI becomes a support act, not a replacement.

AI projects don’t usually stall because the technology isn’t ready. They stall because people aren’t. If you need help giving your team the confidence to use AI effectively, get in touch.


Copyright © 2026 Tech Experts™ · Tech Experts™ is a registered trademark of Tech Support Inc.