Phishing Attacks Rising in Canada
What you can do to prevent them
Cybercrime is on the rise in Canada, including cyber fraud, which has almost doubled since 2019 according to Statistics Canada’s 2023 police-reported data. In the first half of 2024 alone, fraud accounted for 56% of cybercrime violations.
One of the most common types of cyber fraud is phishing, where attackers send deceptive emails or messages that trick employees or business owners into sharing information that gives the attackers access to your systems. These attacks often involve an impersonation scam, in which criminals pose as real businesses or people to persuade you to send money.
This threat does not affect only large firms; increasingly, small businesses are also becoming victims of phishing. In the building industry, we are seeing phishing attacks whose end goal is intercepting payments.
Here is an example of how this type of phishing attack plays out:
The scammers send an email designed to trick you into handing over your login credentials to them.
With your login information, the scammers exploit gaps in your multi-factor authentication requirements to gain access to your inbox.
The scammers are then able to monitor your mailbox (sometimes for several months), learning client names, project names, and payment dates so they can craft a convincing fake request.
Once they’ve collected sufficient information, they send emails from your mailbox (impersonating you) to your clients requesting they pay your next invoice via a new payment method.
If your client complies with the request, they send payment directly to the scammer instead of to you.
This type of attack is not only financially damaging to you, with possible legal implications, but also has the potential to damage your relationship and reputation with clients.
A very similar attack was used to target MacEwan University in Edmonton. In 2017, a scammer impersonated a trusted vendor and requested changes to banking information. University staff, believing the emails to be legitimate, transferred $11.8 million to the fraudulent accounts. Fortunately, MacEwan managed to recover $10.9 million, but only after extensive legal efforts.
How do we prevent it?
Prevention requires a combination of technical and non-technical approaches to fortify your business against attackers.
Technical approach—prevention and early detection
An IT managed services provider committed to your cybersecurity is your first line of defence. To be effective, your IT group should employ the following strategies:
Managed detection and response products from leading security companies, such as Huntress, give your IT group the information they need to respond quickly to threats. Ideally, these products monitor your business 24/7, including sign-ins, the countries they originate from, and suspicious activity such as the creation of mailbox rules, which can reveal malicious access.
Phishing and spam protection email products recommended by your IT group can also lower your risk of attack by filtering incoming emails, reducing the chances that staff are fooled by attempts to phish their login credentials.
Another form of protection is a strong conditional access policy, which limits the ability of bad actors to use your login credentials even if those credentials were freely given. Combined with mobile device management, it lets you restrict access to your Microsoft 365 account to only the devices approved by your IT group.
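As an added illustration of the monitoring described above (this is example code, not from the original article or from any vendor named in it), the Python script below runs simple detection logic over a few constructed audit-log records: it flags sign-ins from unexpected countries and newly created inbox rules that hide payment-related mail, and escalates a hiding rule that appears shortly after a foreign sign-in. The record layout, field names, sample data and word lists are assumptions, loosely modelled on Microsoft 365 audit log entries.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Microsoft 365 unified audit log
# entries (simplified: these field names are assumptions, not the exact schema).
AUDIT_LOG = [
    {"Operation": "UserLoggedIn", "UserId": "pm@builder.example", "Country": "CA", "CreationTime": "2024-05-01T13:02:00"},
    {"Operation": "UserLoggedIn", "UserId": "pm@builder.example", "Country": "NG", "CreationTime": "2024-05-02T03:14:00"},
    {"Operation": "New-InboxRule", "UserId": "pm@builder.example",
     "CreationTime": "2024-05-02T03:20:00",
     "Parameters": {"Name": ".", "SubjectContainsWords": ["invoice", "payment"],
                    "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"Operation": "New-InboxRule", "UserId": "ar@builder.example",
     "CreationTime": "2024-05-02T09:00:00",
     "Parameters": {"Name": "Newsletters", "From": ["news@vendor.example"], "MoveToFolder": "Newsletters"}},
]

EXPECTED_COUNTRIES = {"CA"}        # where this business's staff normally sign in from
PAYMENT_WORDS = {"invoice", "payment", "wire", "banking", "remittance"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "deleted items"}
RULE_WINDOW = timedelta(hours=24)  # a rule created this soon after an odd sign-in is escalated

def rule_reasons(params):
    """Why an inbox rule looks like a BEC rule that hides the payment conversation from the victim."""
    reasons = []
    if {w.lower() for w in params.get("SubjectContainsWords", [])} & PAYMENT_WORDS:
        reasons.append("matches payment-related subjects")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS or params.get("DeleteMessage"):
        reasons.append("hides or deletes matching mail")
    if len(params.get("Name", "")) <= 1:
        reasons.append("near-empty rule name")
    return reasons

def analyse(records, expected_countries=EXPECTED_COUNTRIES):
    """Findings for unexpected sign-ins and suspicious inbox rules, in log order; a hiding
    rule shortly after a foreign sign-in (the mailbox-takeover pattern) is rated high."""
    findings, odd_sign_ins = [], {}  # odd_sign_ins: user -> times of foreign sign-ins
    for rec in records:
        when = datetime.fromisoformat(rec["CreationTime"])
        if rec["Operation"] == "UserLoggedIn" and rec["Country"] not in expected_countries:
            odd_sign_ins.setdefault(rec["UserId"], []).append(when)
            findings.append({"user": rec["UserId"], "severity": "medium",
                             "why": f"sign-in from {rec['Country']}"})
        elif rec["Operation"] == "New-InboxRule" and (reasons := rule_reasons(rec["Parameters"])):
            recent = any(timedelta(0) <= when - t <= RULE_WINDOW
                         for t in odd_sign_ins.get(rec["UserId"], []))
            findings.append({"user": rec["UserId"], "severity": "high" if recent else "medium",
                             "why": "inbox rule " + "; ".join(reasons)
                                    + (" shortly after a foreign sign-in" if recent else "")})
    return findings
```

In a real deployment the records would come from the tenant's audit log export and the expected-country set from the business's own sign-in history; the ordinary "Newsletters" rule in the sample produces no finding, which is the false-positive check a rule like this needs.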
Non-technical approach
As your last line of defence, your accounting team should have strict rules about how to validate changes in payment information with existing clients, consultants, and vendors. The most effective rule is simply to contact your client directly to validate the requested change before processing it. You could also require multiple sign-offs from internal stakeholders before payment information can be changed.
These approaches, when used in combination, will create a robust system that protects your business from successful phishing attacks.
Don’t let your business be vulnerable to cyber fraud. We take cybersecurity seriously—contact us today to find out more about our cybersecurity strategies designed to protect your business from attacks.