This article was originally published in Le Monde Juridique magazine and has been reproduced with permission.
All industries are facing increased cyber security risks from threat actors who may be motivated to misappropriate both financial and personal information. Phishing scams are one of the most common ways that organizations (or individuals) fall prey to potential fraudsters. According to the most recent Annual Report from the Canadian Anti-Fraud Centre, phishing was the second most reported fraud type.
The Canadian Anti-Fraud Centre defines phishing as an online crime in which a perpetrator attempts to acquire sensitive information such as usernames, passwords, personal information, and credit card and/or banking details. The perpetrator masquerades as a legitimate or trustworthy entity or impersonates a victim to gain access to this information.
As organizations change and technology evolves, so do would-be fraudsters and their potential scams. New scams are emerging all the time, and this article will cover some recent and common phishing scams that you should be aware of to protect yourself, your company, and your clients.
Recent phishing scams
False Canada Revenue Agency (CRA)-related scams
- Individuals or businesses may receive an email informing them that they have a tax return or other document to review. When the user clicks the link to review the fake CRA document, this opens the gateway to providing sensitive and/or confidential information directly to the scammer.
- Individuals or businesses can be targeted during difficult times and may receive an email (or other communication) prompting them to click on a false CRA link that will enable them to receive emergency benefits. Instead, they will once again be required to enter sensitive and/or confidential information to receive the alleged benefits.
- With tax season rapidly approaching, individuals or businesses may also receive communications from fake CRA email addresses indicating that the user is entitled to a refund. When the user clicks on the link to retrieve the refund, they will be prompted to enter online banking details and/or personal information (such as a social insurance number) to receive the alleged refund payment.
- It is important to note that these fake CRA emails can be received at any time throughout the year and are often flagged as phishing by email systems such as Outlook.
Extortion
- According to the Canadian Anti-Fraud Centre, there have been recent reports of businesses and individuals receiving extortion letters by email.
- The email can include the targeted individual’s full name and other personal information and may imply that they have visited explicit websites. There may be threats to expose the individual or business unless a cryptocurrency payment is received. The email may include a link or a QR code prompting the user to provide payment.
Urgent requests for payment or other information
- Scammers may target employees, especially in cases where the scammer is aware that the president or other management-level employees are out of town. They may send an urgent email to an employee asking them to pay a supplier or other party. However, the scammer is actually providing their own false banking information to receive the payment.
- These requests often come from an email address that is very similar to the legitimate one. Unsuspecting employees may not question a request from a senior executive or the president of the company, for example, and will execute the transfer of funds.
- In other cases, the scammer may send an email to the payroll department impersonating an existing employee. The email directs the payroll department to change the employee’s banking information on file, but the new banking details belong to the scammer.
- Similarly, a business may receive what appears to be a legitimate email from an existing supplier asking for a change to the banking information on file. However, the email is from a scammer who will go on to receive future payments intended for the existing supplier.
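The lookalike-sender pattern described in these bullets can be screened for automatically before any payment or banking change is actioned. The following is an added example (not part of the original article); the sender addresses, domains and messages are constructed, and the match threshold is an assumption to be tuned per organization.

```python
from difflib import SequenceMatcher

# Constructed allow-list of legitimate sender addresses (hypothetical names and domains).
TRUSTED_SENDERS = {
    "president@acme-example.com": "company president",
    "billing@northwind-supplies.example": "supplier: Northwind",
}

# Wording typical of the payment and banking-change requests the article describes.
PAYMENT_KEYWORDS = ("wire", "transfer", "pay ", "banking information",
                    "bank details", "account number", "urgent")

def assess_sender(from_addr, trusted=TRUSTED_SENDERS, threshold=0.85):
    """Classify a From address as 'trusted', 'lookalike' (a near-miss of a
    trusted address) or 'unknown'. Returns (verdict, closest_trusted).
    The 0.85 similarity threshold is an assumption, not a published value."""
    addr = from_addr.strip().lower()
    if addr in trusted:
        return "trusted", addr
    closest, score = None, 0.0
    for known in trusted:
        ratio = SequenceMatcher(None, addr, known).ratio()
        if ratio > score:
            closest, score = known, ratio
    if score >= threshold:
        return "lookalike", closest
    return "unknown", None

def mentions_payment(subject, body):
    """True when the message asks for money or a change to banking details."""
    text = f"{subject} {body}".lower()
    return any(keyword in text for keyword in PAYMENT_KEYWORDS)

def triage(msg):
    """Return 'hold' for messages that must be verified out of band (for example
    by phoning a number already on file) before any funds move, else 'pass'."""
    verdict, _ = assess_sender(msg["from"])
    if mentions_payment(msg["subject"], msg["body"]) and verdict != "trusted":
        return "hold"
    return "pass"

# Constructed sample messages illustrating the scenarios described above.
SAMPLE_MESSAGES = [
    {"from": "president@acme-examp1e.com",   # the digit 1 replaces the letter l
     "subject": "Urgent: pay supplier today",
     "body": "I'm travelling; please wire the attached invoice to the new account number."},
    {"from": "billing@northwind-supplies.example",
     "subject": "Q3 statement", "body": "Statement attached, no action required."},
]
```

Held messages are not rejected outright; the point is that a lookalike sender combined with payment language triggers a human verification step using contact details the organization already holds, never those supplied in the email.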
Why should you care about phishing scams?
You may feel that you, your company, and your clients and their organizations are aware of phishing scams, some of which have been around for years. However, not everyone is as immune to scams as they think they are. It can take only one click to release confidential information that is critical to a company’s reputation or an organization’s success, such as confidential client files, trade secrets, and other proprietary information. Additionally, releasing sensitive personal information can put an organization at risk of identity theft or financial difficulty.
According to Proofpoint’s 2024 State of the Phish report, 68 percent of surveyed working adults in Canada admitted to taking risky actions, such as reusing or sharing a password, clicking on links from unknown senders, or providing their credentials to an untrustworthy source. Ninety-nine percent of them did so knowing the inherent risks involved, meaning that 67 percent of employees willingly undermined their organization’s security.
The motivations behind these actions are varied, with most employees citing convenience (53%), the desire to save time (34%), and a sense of urgency (20%) as their main reasons. In other words, there is clearly still more work to do in terms of fraud education and awareness for both the management and employees of Canadian companies.
What steps can you take to protect against phishing scams?
- Consider what kind of data you store and where,
- Consider data protections already in place and those that may be easily compromised,
- Consider who has access to information and ensure information is shared on a need-to-know basis only,
- Consider anti-fraud training, and
- Think before you click.
If you suspect that your company or clients are victims of a phishing scam, or if you want to reduce the risk of your company or clients falling victim to a phishing scam, it is important to:
- Develop, maintain, and practice a response plan,
- React in a timely manner,
- Alert others within the organization to try to prevent them from also falling victim to the same scam,
- Raise awareness through frequent and recurring anti-fraud training at all levels of the organization, and
- Reach out to external advisors for assistance with cyber security issues, anti-fraud plans, fraud risk assessments, and other services.