Why It's Important
Phishing and scams are fraudulent attempts, usually made through email, text messages, or phone calls, to trick individuals into revealing sensitive information such as passwords, credit card numbers, or personal identification. For small communities and businesses, the impact of these threats goes beyond individual financial loss; a successful attack can disrupt essential services, erode public trust, and lead to significant economic setbacks. A single incident can compromise business continuity, costing a small business thousands in recovery, legal fees, and lost productivity. The Canadian Anti-Fraud Centre (CAFC) reported that Canadians lost a staggering $530 million to fraud in 2022, a 40% increase from the previous year, underscoring the escalating risk. Investing in awareness and prevention is a direct investment in local economic development, protecting community assets and ensuring the reliability of local commerce and administration.
History
The history of phishing dates back to the mid-1990s on the internet service provider America Online (AOL), where attackers used deceptive emails to steal user passwords. Early scams were often easy to spot, riddled with spelling errors and generic greetings. However, as e-commerce and online banking became mainstream in the 2000s, criminals grew more sophisticated, creating convincing fake websites for popular brands to harvest financial data. In Canada, the tactics have evolved to mirror national events and services, such as fraudulent messages about the Canada Emergency Response Benefit (CERB) during the COVID-19 pandemic. Today, these threats are hyper-targeted, using text messages (smishing) and automated voice calls (vishing) to create a sense of urgency and exploit trusted Canadian institutions.
Examples
City of Saskatoon, Saskatchewan: The city fell victim to a sophisticated phishing scam where a fraudster impersonated the chief financial officer of a construction company, resulting in the city improperly transferring over $1 million to a fraudulent bank account.
Mondoux, a Quebec-based company: A ransomware attack, often initiated through a phishing email, crippled the company’s operations, forcing it to rebuild its IT systems from scratch and highlighting the severe business continuity risks for small and medium-sized enterprises.
Carleton University, Ottawa, Ontario: The university has faced numerous phishing campaigns where attackers impersonate IT staff or other university officials to steal login credentials from students and faculty, granting them access to sensitive academic and personal data.
Government of Prince Edward Island: Employees of the PEI government were targeted by a phishing scam that resulted in the direct deposit information of hundreds of civil servants being compromised, leading to paycheques being diverted to fraudulent accounts.
Software and Tools
Adopting the right tools can significantly reduce the risk of falling victim to phishing and scams. Here are several low-cost and effective options suitable for small teams:
CIRA Canadian Shield: A free DNS firewall service from the Canadian Internet Registration Authority that automatically blocks access to malicious websites known for hosting malware and phishing scams. It’s easy to set up on any device or network.
Bitwarden: A free and open-source password manager that helps users create, store, and auto-fill strong, unique passwords for every online account. Using a password manager mitigates the risk of a compromised password from one site affecting others.
uBlock Origin: A free, open-source browser extension that blocks ads and malicious scripts. Many phishing attacks originate from malicious advertisements (“malvertising”), and this tool prevents them from ever loading.
SpamAssassin: An open-source spam filtering platform that can be integrated into mail servers to identify and flag unsolicited and potentially malicious emails before they reach an employee’s inbox.
Microsoft Defender for Office 365: For organizations using Microsoft 365, this built-in service provides advanced anti-phishing, anti-spam, and anti-malware protection. It includes features like “Safe Links” to scan URLs in real-time.
AI Considerations
Artificial intelligence (AI) is a double-edged sword in the context of cybersecurity. Scammers are now using AI to make their attacks more convincing and harder to detect. Generative AI can create phishing emails with perfect grammar and a professional tone, tailored to a specific person or organization by scraping data from social media and corporate websites. This leads to highly personalized “spear phishing” attacks. Furthermore, AI-powered voice spoofing can mimic a trusted colleague or executive’s voice in a phone call, a tactic known as vishing.
To mitigate these AI-driven threats, organizations must emphasize a “human-in-the-loop” approach to verification. For local economic development, this means training staff to verify unusual or urgent requests through a secondary channel, like a phone call to a known number, before transferring funds or sharing sensitive personally identifiable information (PII). AI can also be used defensively, with modern security tools employing AI to detect anomalies in email traffic and user behaviour that may indicate an attack.
FAQ
Phishing is a specific type of scam that uses deceptive emails, texts, or websites to trick you into providing personal information. “Scam” is a broader term for any fraudulent scheme.
Spear phishing is a targeted attack where scammers research their victim and craft a personalized message, often impersonating a trusted individual like a boss or colleague, to increase their chances of success.
Yes, they can be. This tactic, known as “smishing,” uses text messages to send malicious links. Be just as cautious with links in texts as you are with links in emails.
No. Legitimate Canadian banks and government agencies will never ask you to provide sensitive personal information like your password, SIN, or full account numbers via email.
Immediately disconnect your device from the internet, run a full antivirus scan, and change your passwords for any accounts you think may be compromised. Report the incident to your IT support or manager.
Check the URL for spelling mistakes or unusual domain extensions. Look for a padlock icon in the address bar, which indicates an encrypted connection (HTTPS). Scammers now use HTTPS on their sites as well, so the padlock alone is not a guarantee of safety.
Be cautious. Scammers can place malicious QR codes over legitimate ones. Before scanning, ensure the code hasn’t been tampered with and be wary if it takes you to a login page or asks for personal information.
Pro Tips
Cultivate a holistic cyber‑defence habit that blends human vigilance with supportive technologies. Train yourself to treat every unsolicited email or text as suspicious until it is proven legitimate—hover over links to check their destination, scrutinise sender addresses for subtle misspellings, and never act on a request that pressures you to respond quickly without independently verifying the source via a known phone number or trusted website. By practising these habits and using tools like password managers and multi‑factor authentication, you strengthen your own defences and model good security practices for your community.
Checklist
External Resources
- Phishing: Don’t get reeled in: The Government of Canada’s Get Cyber Safe campaign explains what phishing is and has tips on how to avoid it.
- Royal Canadian Mounted Police (RCMP) – Scams and Fraud: Provides current information on common scams targeting Canadians and guidance on prevention.
- Competition Bureau Canada – The Little Black Book of Scams: A detailed guide outlining various types of scams and how to recognize the warning signs.
- CIRA Cybersecurity Awareness Training: Offers practical cybersecurity resources, tools, and training specifically tailored to the needs of Canadian small businesses.