Spam and Scams: Phishing in Canada
Phishing has become a prominent criminal activity in Canada – cybercriminals have turned their sights on organizations based in Canada to obtain sensitive data and profit from malicious attacks. Phishing is the preferred method for attackers, who can send personalized messages to users while disguising themselves as a legitimate party or website. This form of social engineering has a high success rate: attackers can often gain entry into users' systems and networks quickly and then plant their malware just as fast.
An Ipsos poll published in February 2023 found that 43 percent of Canadians have been the victim of fraud or scam in their lifetime, and the Canadian Anti-Fraud Centre reported 92,078 fraud incidents in 2022.
With phishing so prevalent, why don’t more users know about it? Often, organizations lack proper security training and awareness programs to educate users on the risks of social media, spoofed emails, etc. While it is not always easy to spot a phishing attempt, knowing the common phishing attack mechanisms can help users be more alert and, thus, drastically lower the number of successful phishing attacks.
The Most Prominent Attack Methods Include:
Social Media
Especially in the past two years, there has been a significant focus on hacking or replicating Facebook accounts of friends and family members. Cybercriminals find this route easy, as all they have to do is guess a password correctly or create a convincing false user account. Once they have access to a fake user account, they often send messages to Facebook friends and family members requesting money or other users' personal information. Additionally, it is not uncommon for hackers to use the same credentials on Facebook and other social media accounts to gain access to email accounts and then to create an even more convincing story.
Spam e-mails
Numerous phishing attacks leverage spam or emailing users to convince them to perform various tasks. Most commonly, these involve requests for money transfers. While it may seem obvious, many users have fallen for phishing attacks that convince a user to facilitate the transfer of money while keeping a percentage for themselves. Not only is this illegal, it is highly dangerous as users are often tricked into providing their banking information to attackers.
Additionally, other spam emails try to convince a user to safeguard the money to be transferred from other countries – often third-world countries in the Middle East or Africa. The attacker will claim to be traveling from said country and will convince a user to let them transfer money into their account and help them. Again, all this does is provide banking information to attackers, who can then wire transfer money out of the victim's accounts (instead of transferring money in – what a surprise!).
Governmental Agency or Collection Department Emails
It is common for cybercriminals to target individuals using scare tactics – such as posing as the Canada Revenue Agency (CRA) and demanding that specified amounts of money be sent immediately to avoid criminal prosecution. These attacks seem more legitimate, especially when attackers can spoof email addresses, making the message look like it is being sent from a reliable, verified source. How do you avoid falling into this snare? The easiest way to verify the email is to contact the agency/sender directly using the contact forms or telephone numbers listed on their websites or other official sources. Most of these agencies avoid contacting individuals or organizations with money requests via email – you can expect phone calls and certified mail instead.
Account Password Change Requests
Last but not least, another common (and successful!) phishing method is for an attacker to send spam emails regarding password change requests. The links lead to spoofed sites, leading the user to believe the password change request is from a valid source. A successful attack typically results in the download of malware to a user’s system. Still, it can also be used to obtain current account passwords – such as requiring the user to enter the old password to change the “new” (and fake) password. This has been seen numerous times, especially from hackers posing as large Canadian banking institutions such as RBC, Scotia, and TD Canada.
These attempts to spam and scam can be convincing – especially when the victim is an unsuspecting user without prior knowledge of these security threats. In the case of phishing, knowledge is power – and organizations are charged with the responsibility of educating users to prevent these attacks from occurring. Great ways to avoid this from a corporate side include spam filters, email gateway security appliances, and endpoint protection. Alongside preventative tools, educating users on how to spot fake emails (such as looking at domain names, checking for SSL certificates, etc.) can drastically reduce the number of successful phishing attempts. Additionally, updating cell phone software is crucial to protect against phishing attacks.
What is Phishing?
Phishing is a cybercrime where attackers trick individuals into revealing sensitive personal or financial information. This can include passwords, credit card numbers, bank account details, and other confidential data. Phishing scams often masquerade as legitimate communications from trusted sources like government agencies, banks, or well-known companies. The goal is to deceive and manipulate victims into divulging their sensitive information, which can be used for identity theft or financial fraud.
How Phishing Scams Work
Phishing scams typically start with an email, text message, or other communication that appears to come from a trusted source. The message might ask the recipient to click on a link, open an attachment, or provide personal or financial information. Once the victim complies, the scammer can use the information to steal their identity, access their financial accounts, or install malware on their device. These scams can be highly sophisticated, employing tactics like spoofing to create fake email addresses or websites that look legitimate.
Types of Phishing Attacks
Phishing attacks come in various forms, each with its own tactics:
- Spear Phishing: A targeted attack aimed at a specific individual or group, often using personalized information to appear more convincing.
- Whaling: A type of spear phishing that targets high-level executives or individuals with access to sensitive information.
- Phishing via Fake Accounts: This involves creating fake social media or email accounts to trick individuals into revealing sensitive information.
- Smishing: Uses text messages to deceive victims into providing personal or financial information.
- Vishing: Involves voice calls to trick victims into revealing sensitive information.
Identifying and Avoiding Phishing Scams
To avoid falling victim to phishing scams, it’s essential to be cautious when receiving unsolicited messages. Here are some tips to help you identify and avoid phishing scams:
- Be wary of messages that ask for personal or financial information.
- Check the sender’s email address to ensure it is legitimate.
- Look for spelling and grammatical errors in the message.
- Be cautious of messages that create a sense of urgency or use threatening language.
- Never click on links or open attachments from unknown sources.
- Verify the authenticity of emails and websites before providing sensitive information.
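As an added illustration of the checks above (example code written for this page, not part of the original article), here is a small Python scorer that applies three of them to constructed sample messages: whether the display name claims a brand whose domain the sender address is not on, whether the subject or body uses urgency or threat wording, and whether a link's visible text names a different domain than its real target. The brand-to-domain table, the keyword list and both sample messages are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample messages (not real mail). The first poses as a bank with a spoofed
# display name, urgent wording and a link whose visible text hides its real destination.
PHISH = """From: "RBC Royal Bank" <security-alert@rbc-verify-login.example>
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Your account will be locked in 24 hours. Please
<a href="http://rbc-verify-login.example/reset">www.rbc.com/reset</a>
immediately to confirm your password.</p>
"""
LEGIT = """From: "RBC Royal Bank" <noreply@rbc.com>
Subject: Your monthly statement is ready

Your statement is available in online banking at https://www.rbc.com/
"""
# Brands users expect mail from, mapped to the domain they legitimately send from (assumed values).
KNOWN_BRANDS = {"rbc": "rbc.com", "td": "td.com", "scotia": "scotiabank.com", "cra": "canada.ca"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|locked|24 hours|prosecution)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(value):
    """Host part of a URL or bare hostname, lower-cased, without a leading 'www.'."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return host.lower().removeprefix("www.")

def phishing_indicators(raw):
    """Return the names of the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode(errors="replace")
    hits = []
    # 1. Display name claims a known brand, but the address is not on that brand's domain.
    for brand, legit in KNOWN_BRANDS.items():
        if re.search(r"\b%s\b" % brand, display, re.I) and sender_domain != legit and not sender_domain.endswith("." + legit):
            hits.append("display-name/domain mismatch")
            break
    # 2. Urgency or threat wording in the subject or body.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        hits.append("urgency language")
    # 3. Link whose visible text names a different domain than its real destination.
    for href, text in ANCHOR.findall(body):
        if "." in text and domain_of(text) != domain_of(href):
            hits.append("link text/target mismatch")
            break
    return hits
```

A mail gateway rule or a user-training exercise can apply the same three checks; none of them proves a message is safe, but any hit is a reason to verify the sender through an official channel before acting.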
Protecting Yourself from Phishing Attacks
To protect yourself from phishing attacks, it’s essential to take proactive steps to secure your personal and financial information. Here are some tips to help you protect yourself:
- Use strong passwords and keep them confidential.
- Enable two-factor authentication whenever possible.
- Keep your software and operating system up to date with the latest security patches.
- Use anti-virus software to protect your device from malware.
- Be cautious when using public Wi-Fi networks.
- Use reputable security software to scan your device for malware.
What to Do if You’re a Victim of a Phishing Scam
If you suspect you’ve fallen victim to a phishing scam, taking immediate action is essential to minimize the damage. Here are some steps to take:
- Report the phishing scam to the relevant authorities, such as the Government of Canada or your local police department.
- Change your passwords and enable two-factor authentication.
- Monitor your financial accounts for suspicious activity.
- Run a virus scan on your device to detect and remove any malware.
- Consider reporting the phishing scam to the Canadian Anti-Fraud Centre (CAFC) or the Royal Canadian Mounted Police (RCMP).
By staying informed and vigilant, you can protect yourself and your personal and financial information from the ever-evolving threat of phishing scams.
Phishing volumes will continue to soar, and administrators and security professionals will continue to deal with the fallout. By using Auto Remediation as a feature in AI-powered anti-phishing solutions, an organization can know it is using the best solution to this challenging problem. PhishTitan uses Auto Remediation as part of a powerful AI-driven solution to phishing and seamlessly integrates into M365, enhancing Microsoft’s built-in email security. By adding automated control to the management of phishing attacks, PhishTitan ensures administrators have the tools to handle the vast volume of phishing emails entering employees' inboxes. Instead of risking exposure to malicious emails - even with banners - an administrator can divert malicious emails directly to the Junk folder, providing an additional layer of risk mitigation.
The combination of Auto Remediation and AI-powered anti-phishing technologies of PhishTitan easily handles complex, multi-stage phishing campaigns.
Talk to TitanHQ's experts about how to keep your employees and your company safe from phishing attempts.