Cyber risk & Humans

Phishing Explosion in Canada

The most vulnerable link in cybersecurity: humans

  • We see that in 2025, cybercriminals will target individuals more than systems with increasingly credible, personalized and localized phishing campaigns and the exploitation of human psychology for scams.

Problem: Today, phishing accounts for more than 70% of attack vectors in Canada (source: CCC / Canadian Centre for Cyber Security).

Worrying increase in phishing

  • Some recent figures:
    • Over 47% more phishing attacks reported in 2024 than in 2022
    • Most targeted sectors: Healthcare, education, municipalities, SMEs
    • More than 90% of business email compromise incidents begin with a simple phishing email
    • Phishing campaigns are increasingly targeting Quebec and local public organizations

Why Phishing Works

  1. Social engineering
    • Attacks are now contextual and personalized (examples: a fake Canada Post notice, a fake email from management, or a fake HR summons)
  2. The post-pandemic context
    • With teleworking, information overload, and the volume of email to manage, people click faster and verify less.
  3. Human error remains unpredictable
    • Despite annual training, a tired employee may click at the wrong time. No technical tool can prevent 100% of errors in judgment.

Case study (fictional, but realistic)

In March 2024, a small business in Laval received an email that appeared to be from its equipment supplier. An accounting employee clicked on a link leading to a fraudulent login page and then entered her credentials. Within 48 hours, the cybercriminals had:

  • Accessed internal messaging
  • Edited the bank details on PDF invoices
  • Wired $74,000 to a foreign account

Consequence: The shock was both financial and psychological because the company was not covered by cyber insurance, nor did it have an incident response plan.

Key recommendations

  1. Train Differently:
    • Interactive phishing simulations (no PowerPoint training)
    • A positive error culture (don’t blame, but learn)
    • Frequent, concrete, role-based reminders
  2. Activate the right tools:
    • Multi-Factor Authentication (MFA)
    • Advanced anti-phishing filters (AI/Contextualization)
    • Privilege segregation to limit the damage a successful phishing attempt can do
  3. React quickly:
    • One-click internal alert procedures
    • Ready-made incident contact list (IT, Legal, Cyber Advisor)
    • Regular testing of the incident response plan

Cybersecurity is not only a matter of using security tools (firewalls and others) but it is also a human, cultural and organizational issue.

The 5 reflexes to avoid a booby-trapped email

  1. Check the sender carefully
    • Carefully observe the displayed names and the full address
  2. Be suspicious of urgency or fear
    • Example: “Your account will be suspended in 24 hours.”
      • “Immediate action required”
      • NB: Fraudsters want to force you to act quickly. It is advisable to take 10 seconds to breathe and check.
  3. Never click on a link without hovering over it first
    • Check links to see the actual URL
      • Long, weird, or distorted URLs = red flag.
      • Example: www.banque-canada.net.secure-login.ru
  4. Beware of unexpected attachments
    • Especially *.zip, *.exe, *.iso, *.html
      • Even a Word or PDF file can contain a malicious macro.
      • NB: Check with the sender through another channel (Example: Telephone)
  5. Trust your instincts and report
    • If anything seems abnormal, check and report it
      • Avoid clicking and responding
      • Report the message to the IT department or security officer
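Reflex 3 is about where a link really lands, not what it looks like. The following is an added example (not code from the original post) that applies the check to the article's own sample URL: it extracts the hostname, approximates the registrable domain, and flags a trusted brand name that appears only inside some other domain. The trusted-domain set is a constructed assumption, and the two-label domain approximation is a stated simplification.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: registrable domains the organisation
# really trusts. In practice this comes from policy, not a hard-coded set.
TRUSTED_DOMAINS = {"banque-canada.net", "canadapost-postescanada.ca"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.
    Simplification: real tooling must consult the Public Suffix List,
    otherwise hosts under suffixes such as 'co.uk' are mis-split."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> dict:
    """Report where a link really lands and which trusted brand it imitates."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname drops any 'user@' prefix, so 'trusted.example@evil.tld'
    # yields evil.tld, which is the host the browser will actually contact.
    host = (parts.hostname or "").rstrip(".")
    actual = registrable_domain(host)
    impersonates = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # e.g. 'banque-canada'
        # Brand name present in the host while the registrable domain is
        # something else: the pattern of www.banque-canada.net.secure-login.ru,
        # which really lands on secure-login.ru.
        if actual != trusted and brand in host:
            impersonates.append(trusted)
    return {
        "host": host,
        "actual_domain": actual,
        "trusted": actual in TRUSTED_DOMAINS,
        "impersonates": sorted(impersonates),
        "uses_https": parts.scheme == "https",
    }


def verdict(url: str) -> str:
    """One-line verdict a reader can compare with the hover-over URL."""
    r = check_link(url)
    if r["trusted"]:
        return "ok: lands on trusted domain " + r["actual_domain"]
    if r["impersonates"]:
        return "red flag: looks like %s but lands on %s" % (
            ", ".join(r["impersonates"]), r["actual_domain"])
    return "unknown domain %s: verify through another channel" % r["actual_domain"]
```

Running `verdict("www.banque-canada.net.secure-login.ru")` reports that the link lands on secure-login.ru, which is exactly what hovering over the link should reveal.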

Important: Always enable MFA on all accounts and keep software up to date; together these are the first line of defence for blocking attacks.

Good anti-phishing reflexes

  1. Always verify the sender
  2. Take 10 seconds before clicking
  3. Review links before clicking
  4. Don’t download anything unexpected
  5. Report any suspicious messages

Good reflex: Pause – Think – Check – Report
