Phishing Explosion in Canada
The most vulnerable link in cybersecurity: humans
- In 2025, cybercriminals are expected to target people rather than systems, with increasingly credible, personalized and localized phishing campaigns that exploit human psychology for fraud.
Problem: Today, phishing accounts for more than 70% of attack vectors in Canada (source: CCC / Canadian Centre for Cyber Security).
Worrying increase in phishing
- Some recent figures:
  - Reported phishing attacks were up more than 47% in 2024 compared to 2022
  - Most targeted sectors: healthcare, education, municipalities, SMEs
  - More than 90% of business email compromise (BEC) incidents begin with a simple phishing email
  - Phishing campaigns increasingly target Quebec and local public organizations
Why Phishing Works
- Social engineering
  - Attacks are now contextual and personalized (examples: a fake Canada Post notice, a fake email from management, a fake HR summons)
- The post-pandemic context
  - With teleworking, information overload and the sheer volume of email to manage, people click faster and verify less.
- Human error remains unpredictable
  - Despite annual training, a tired employee may click at the wrong moment. No technical tool can prevent 100% of lapses in judgment.
Realistic case study (fictional, but plausible)
In March 2024, a small business in Laval received an email that appeared to be from its equipment supplier. An accounting employee clicked on a link leading to a fraudulent login page and then entered her credentials. Within 48 hours, the cybercriminals had:
- Accessed the internal messaging system
- Edited the bank details on PDF invoices
- Wired $74,000 to a foreign account
Consequence: the shock was both financial and psychological, because the company had neither cyber insurance nor an incident response plan.
Key recommendations
- Train differently:
  - Interactive phishing simulations (not PowerPoint training)
  - A positive error culture (don't blame, learn)
  - Frequent, concrete, role-based reminders
- Activate the right tools:
  - Multi-Factor Authentication (MFA)
  - Advanced anti-phishing filters (AI / contextual analysis)
  - Privilege segregation to limit the damage a successful phishing attempt can do
- React quickly:
  - One-click internal alert procedures
  - Ready-made incident contact list (IT, Legal, Cyber Advisor)
  - Regular testing of the incident response plan
Cybersecurity is not only a matter of security tools (firewalls and the like); it is also a human, cultural and organizational issue.
The 5 reflexes to avoid a booby-trapped email
- Check the sender carefully
  - Compare the displayed name with the full email address
- Be suspicious of urgency or fear
  - Examples: "Your account will be suspended in 24 hours." / "Immediate action required"
  - NB: Fraudsters want to force you to act quickly. Take 10 seconds to breathe and check.
- Never click on a link without hovering over it first
  - Hover over links to see the actual URL
  - Long, weird or distorted URLs = red flag.
  - Example: www.banque-canada.net.secure-login.ru (the real domain here is secure-login.ru, not banque-canada.net)
- Beware of unexpected attachments
  - Especially *.zip, *.exe, *.iso, *.html
  - Even a Word or PDF file can contain a malicious macro.
  - NB: Check with the sender through another channel (example: telephone)
- Trust your instincts and report
  - If anything seems abnormal, check and report it
  - Do not click or reply
  - Report the message to the IT department or security officer
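One way to turn the URL and attachment reflexes above into a check you can run, as an added example that is not from the original page (the trusted-domain list, the two-label domain simplification and the helper names are assumptions):

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation legitimately deals with (assumption;
# "banque-canada.net" is the brand name from the page's look-alike example).
TRUSTED_DOMAINS = {"banque-canada.net", "example-supplier.ca"}

# Attachment types the page singles out as especially risky.
RISKY_EXTENSIONS = {".zip", ".exe", ".iso", ".html"}


def registrable_domain(hostname):
    """Return the last two labels of a hostname, e.g. 'secure-login.ru'.

    Simplification: production code should use the Public Suffix List
    (e.g. 'co.uk' needs three labels); two labels are enough for this page's example.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def check_link(url):
    """Classify a URL as 'ok', 'suspicious' or 'unknown', with a short reason."""
    if "://" not in url:          # bare 'www.example.com/...' as pasted from an email
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "ok", domain
    # A trusted name buried in the subdomains of some other registrable domain
    # is exactly the page's example: www.banque-canada.net.secure-login.ru
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            return "suspicious", f"looks like {trusted} but the real domain is {domain}"
    return "unknown", domain


def risky_attachment(filename):
    """True for risky extensions, including double extensions like 'invoice.pdf.exe'."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in RISKY_EXTENSIONS)


if __name__ == "__main__":
    for link in ("https://www.banque-canada.net/login",
                 "www.banque-canada.net.secure-login.ru",
                 "https://portal.example-supplier.ca/invoice"):
        print(link, "->", check_link(link))
    for f in ("invoice.pdf", "invoice.pdf.exe", "Scan.HTML"):
        print(f, "->", risky_attachment(f))
```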
Important: Always enable MFA on all accounts and keep software up to date; these are the first line of defence for blocking attacks.
Good anti-phishing reflexes
- Always verify the sender
- Take 10 seconds before clicking
- Review links before clicking
- Don’t download anything unexpected
- Report any suspicious messages
Good reflex: Pause – Think – Check – Report