Email phishing tactics targeting Canadian SMBs.
Phishing is no longer the badly-spelled "Nigerian prince" email. Modern attacks are AI-written, business-context-aware, and designed for one outcome: getting your CFO to wire money to a fraudulent account.
The phishing emails that hit Canadian SMBs in 2025 do not look like the phishing emails of 2015. The old grammatical tells are gone. The lures are business-context-aware. And the goal has shifted — credential theft is the means; payment redirection is increasingly the end.
The most common patterns
1. Microsoft 365 credential harvest
An email that looks like an M365 notification: "Your password expires today," "You have 3 quarantined messages." Click the link and you land on a pixel-perfect replica of the M365 sign-in page, hosted on a legitimate-looking or compromised domain. Type your password (and, on the better kits, your MFA code, which the kit relays to the real sign-in page in real time). Within minutes the attacker is signed in to your real account.
What they do next varies. Often they create inbox rules that forward a copy of every message to an external address, or that move and mark as read anything mentioning invoices, payments or security alerts so the owner never sees it. Then they watch quietly for an opportunity: a vendor invoice, an HR query, a payroll question. Then they strike.
2. Invoice redirection
The economic centre of gravity. Attacker compromises a vendor's email (or convincingly impersonates it), sends a real-looking invoice to the customer with "updated banking details," times it near a real payment cycle. Customer pays the new account. Real vendor follows up weeks later. Money is gone.
3. Executive impersonation (CEO fraud)
"Hi, I am stuck in a meeting, can you wire $X to this account today? It is urgent." Same goal as invoice redirection, but it often needs no compromised account at all: a lookalike domain or a spoofed display name is enough, because the attacker only needs one person in finance to bypass the normal approval controls once.
4. HR-themed lures
"Updated payroll information," "tax form correction," "benefits enrollment closing today." Targets the finance/HR cluster, where the attacker knows credentials lead to payroll redirection.
5. AI-generated context
Attackers use LLMs to write copy that matches your industry, references current events, and reads naturally. The Sophos 2025 Active Adversary Report flags this as an emerging trend: phishing still represents only ~6% of confirmed root causes in that dataset, but the quality of the lures is rising.
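The persistence step in pattern 1 above (inbox rules that forward or hide mail) is one of the few places a compromised mailbox leaves a durable, queryable trace. The following is an added example, not 4UIT's tooling: it triages rules exported from Exchange Online PowerShell (`Get-InboxRule -Mailbox <user> | ConvertTo-Json`). The tenant domain `example.ca`, the three rules, and the keyword lists are constructed for illustration.

```python
"""Triage exported Exchange Online inbox rules for BEC-style persistence.

Added example, not 4UIT's code. Input is assumed to be the JSON produced by
`Get-InboxRule -Mailbox <user> | ConvertTo-Json`; the rules below are constructed.
"""
import json
import re

INTERNAL_DOMAINS = {"example.ca"}  # assumption: the tenant's own accepted domains

# Words attackers key rules on to intercept finance traffic or hide alerts.
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "payroll", "remit")
ALERT_WORDS = ("password", "sign-in", "signin", "mfa", "security", "suspicious", "phish")
# Folders a user rarely opens; a classic place to bury intercepted mail.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "archive", "junk email", "deleted items"}

# Get-InboxRule renders recipients as '"Display Name" [SMTP:address]'.
SMTP_RE = re.compile(r"\[SMTP:([^\]]+)\]", re.IGNORECASE)

SAMPLE_RULES_JSON = """[
  {"Name": "Cleanup", "MailboxOwnerId": "cfo@example.ca", "Enabled": true,
   "ForwardTo": ["Backup [SMTP:c.f.o.backup@gmail.com]"],
   "RedirectTo": [], "ForwardAsAttachmentTo": [],
   "SubjectOrBodyContainsWords": ["invoice", "payment"],
   "DeleteMessage": true, "MarkAsRead": true, "MoveToFolder": null},
  {"Name": ".", "MailboxOwnerId": "ap@example.ca", "Enabled": true,
   "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
   "SubjectOrBodyContainsWords": ["password", "suspicious sign-in"],
   "DeleteMessage": false, "MarkAsRead": true, "MoveToFolder": "RSS Subscriptions"},
  {"Name": "Vendors", "MailboxOwnerId": "ap@example.ca", "Enabled": true,
   "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
   "SubjectOrBodyContainsWords": [],
   "DeleteMessage": false, "MarkAsRead": false, "MoveToFolder": "Vendors"}
]"""


def recipient_address(entry: str) -> str:
    """Extract the SMTP address from a rendered recipient entry."""
    m = SMTP_RE.search(entry)
    return (m.group(1) if m else entry).strip().lower()


def is_external(addr: str) -> bool:
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def findings_for(rule: dict) -> list:
    """Return a list of finding tags for one rule (empty if it looks benign)."""
    out = []
    if not rule.get("Enabled", True):
        return out
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for entry in rule.get(field) or []:
            addr = recipient_address(entry)
            if is_external(addr):
                out.append(f"external-forward:{addr}")
    words = [w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []]
    if any(k in w for w in words for k in FINANCE_WORDS):
        out.append("finance-keywords")
    if any(k in w for w in words for k in ALERT_WORDS):
        out.append("hides-security-alerts")
    if rule.get("DeleteMessage"):
        out.append("deletes-matches")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDE_FOLDERS:
        out.append(f"hides-in:{rule['MoveToFolder']}")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        out.append("opaque-name")  # attackers name rules ".", ",", or a single space
    return out


def severity(findings: list) -> str:
    if any(f.startswith("external-forward:") or f == "deletes-matches" for f in findings):
        return "high"
    return "medium" if findings else "none"


def triage(rules_json: str) -> list:
    """Return flagged rules, highest severity first."""
    flagged = []
    for rule in json.loads(rules_json):
        f = findings_for(rule)
        if f:
            flagged.append({"mailbox": rule.get("MailboxOwnerId"), "name": rule.get("Name"),
                            "severity": severity(f), "findings": f})
    return sorted(flagged, key=lambda r: {"high": 0, "medium": 1}[r["severity"]])


if __name__ == "__main__":
    for r in triage(SAMPLE_RULES_JSON):
        print(f"[{r['severity'].upper()}] {r['mailbox']} rule {r['name']!r}: {', '.join(r['findings'])}")
```

Inbox rules are only one of three forwarding paths; a full sweep also checks mailbox-level forwarding (`Get-Mailbox` properties `ForwardingSmtpAddress` and `ForwardingAddress`) and transport rules (`Get-TransportRule`), and disabling external auto-forwarding in the outbound spam policy removes the first path entirely.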
What defends against this
Email gateway
A dedicated email security layer beyond default Exchange Online Protection: a third-party gateway (Mimecast, Proofpoint, Sophos Email) or Microsoft's own Defender for Office 365. They catch what EOP alone misses: AI-generated lures, BEC patterns, payload-less impersonation, brand spoofing.
DMARC at p=reject
DMARC lets you tell receiving mail servers what to do with messages that claim to be from your domain but fail both SPF and DKIM (checked with alignment against the From: address). At p=reject, the receiving server refuses them outright. Without it, attackers can send mail that appears to come from your domain to your customers, your suppliers and your bank. Two caveats: get there through p=none with aggregate reports first, so that legitimate third-party senders (your gateway, payroll provider, CRM) are authenticated before you enforce; and DMARC only protects your exact domain, so it does nothing against a lookalike domain or a genuinely compromised vendor mailbox, which is why the payment-verification process below still matters. We deploy DMARC enforcement on every managed customer.
MFA, especially on finance
Stops the credential harvest from becoming the BEC. Microsoft's public telemetry shows MFA blocks over 99% of automated credential attacks, and the 41% of root causes that are compromised credentials is exactly where MFA breaks the chain. One caveat: push and code-based MFA can still be relayed by an adversary-in-the-middle phishing page, which is why phishing-resistant methods (FIDO2 security keys or passkeys) belong on finance and admin accounts.
Out-of-band payment verification
Process control, not technology. Any change to a vendor's banking details requires verbal verification through a phone number already on file, never a number taken from the email requesting the change, and the same rule applies to a new payee or an "urgent" wire requested by an executive. Documented, trained, enforced. This is what stops the invoice-redirection attack that technology cannot fully see: a request sent from a genuinely compromised vendor mailbox passes every authentication check.
Conditional Access
Entra ID Conditional Access policies that block legacy authentication (which cannot enforce MFA), require MFA and a compliant device, and act on the sign-in risk that Entra ID Protection raises for anomalies such as impossible travel. Many BEC campaigns die here when an attacker tries to use harvested credentials from an unknown location or device.
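To make the two sign-in signals above concrete, here is an added example (not 4UIT's tooling, and not how Entra ID Protection computes its own detections) that runs the legacy-authentication and impossible-travel checks over sign-in events. It assumes events exported from the Entra sign-in logs (Graph `auditLogs/signIns`), reduced to the fields used here; the five events, the user names and the 900 km/h threshold are constructed for illustration.

```python
"""Flag legacy-protocol sign-ins and impossible travel in Entra ID sign-in events.

Added example, not 4UIT's code. Input is assumed to be sign-in events from the
Entra sign-in logs (Graph auditLogs/signIns) reduced to the fields used here;
the events below are constructed.
"""
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# clientAppUsed values that mean legacy (non-modern) authentication: none of
# these can satisfy an MFA challenge, which is why CA policies block them.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Exchange Web Services", "MAPI Over HTTP",
}
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner means two different people

SAMPLE_SIGNINS_JSON = """[
 {"userPrincipalName": "alice@example.ca", "createdDateTime": "2025-03-03T14:02:11Z",
  "clientAppUsed": "Browser", "status": {"errorCode": 0},
  "location": {"city": "Toronto", "geoCoordinates": {"latitude": 43.65, "longitude": -79.38}}},
 {"userPrincipalName": "alice@example.ca", "createdDateTime": "2025-03-03T14:40:55Z",
  "clientAppUsed": "Browser", "status": {"errorCode": 0},
  "location": {"city": "Lagos", "geoCoordinates": {"latitude": 6.52, "longitude": 3.38}}},
 {"userPrincipalName": "bob@example.ca", "createdDateTime": "2025-03-03T15:10:00Z",
  "clientAppUsed": "IMAP4", "status": {"errorCode": 0},
  "location": {"city": "Toronto", "geoCoordinates": {"latitude": 43.65, "longitude": -79.38}}},
 {"userPrincipalName": "carol@example.ca", "createdDateTime": "2025-03-03T12:00:00Z",
  "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0},
  "location": {"city": "Toronto", "geoCoordinates": {"latitude": 43.65, "longitude": -79.38}}},
 {"userPrincipalName": "carol@example.ca", "createdDateTime": "2025-03-03T18:00:00Z",
  "clientAppUsed": "Browser", "status": {"errorCode": 0},
  "location": {"city": "Montreal", "geoCoordinates": {"latitude": 45.50, "longitude": -73.57}}}
]"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage_signins(signins_json: str) -> list:
    """Return findings for successful sign-ins: legacy clients and implausible travel."""
    findings = []
    events = [e for e in json.loads(signins_json) if e["status"]["errorCode"] == 0]
    events.sort(key=lambda e: (e["userPrincipalName"], _ts(e["createdDateTime"])))
    prev = {}  # last successful sign-in seen per user
    for e in events:
        user = e["userPrincipalName"]
        if e["clientAppUsed"] in LEGACY_CLIENTS:
            findings.append({"user": user, "kind": "legacy-auth", "detail": e["clientAppUsed"]})
        geo = e["location"]["geoCoordinates"]
        if user in prev:
            p = prev[user]
            pg = p["location"]["geoCoordinates"]
            km = haversine_km(pg["latitude"], pg["longitude"], geo["latitude"], geo["longitude"])
            hours = (_ts(e["createdDateTime"]) - _ts(p["createdDateTime"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > MAX_PLAUSIBLE_KMH:
                findings.append({
                    "user": user, "kind": "impossible-travel", "speed_kmh": speed,
                    "detail": f"{p['location']['city']} -> {e['location']['city']}, "
                              f"{km:.0f} km in {hours * 60:.0f} min ({speed:.0f} km/h)"})
        prev[user] = e
    return findings


if __name__ == "__main__":
    for f in triage_signins(SAMPLE_SIGNINS_JSON):
        print(f"{f['kind']:18} {f['user']:20} {f['detail']}")
```

The detection is the easy half; the point of Conditional Access is that the policy acts before the attacker gets a session. The legacy-auth finding maps to a CA policy whose client-apps condition selects "Exchange ActiveSync clients" and "Other clients" with a Block grant, and the travel finding maps to a sign-in-risk policy that requires MFA (or blocks) at medium or high risk. VPN egress and mobile carrier geolocation do produce false positives, so treat the speed threshold as a triage filter, not a verdict.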
What 4UIT deploys
For managed customers: Sophos Email or Defender for Office 365 in front of M365, DMARC enforcement at p=reject, MFA on every account with phishing-resistant MFA for finance and admin roles, Conditional Access policies, monthly phishing simulations with coaching, and a written payment-verification policy.
More on our email-gateway service or take a brief.
Sources: FBI IC3 Annual Reports · Sophos 2025 Active Adversary Report.
// Frequently asked questions
What is BEC?
Business Email Compromise — fraud where attackers either compromise a legitimate business email account or impersonate one, then use it to redirect payments. The FBI's IC3 has consistently ranked BEC among the most financially damaging cybercrimes — see the IC3 annual report at ic3.gov for current figures.
How does invoice redirection fraud work?
Attacker compromises (or spoofs) a vendor's email. They send a real-looking invoice to the customer, with new banking details — often timed near a real payment cycle. The customer pays the new account. The fraud is discovered when the real vendor follows up weeks later. Recovery rates are low.
What is DMARC and why does it matter?
DMARC is an email authentication standard that tells receiving mail servers what to do with messages that fail both SPF and DKIM, checked against the domain in the From: header (p=none, p=quarantine or p=reject). Without DMARC at "p=reject," attackers can send mail that appears to come from your domain. Most well-managed Canadian SMBs are now at p=quarantine or p=reject.
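A worked example of the DMARC logic described in the "DMARC at p=reject" section above and in this answer. This is added code, not 4UIT's tooling and not a production validator: it parses a `_dmarc` TXT record, applies the RFC 7489 defaults, and computes the disposition a receiver would give a message given its SPF and DKIM results. The domain `example.ca`, the two records and the message scenarios are constructed; the organizational-domain shortcut is noted in the code.

```python
"""Parse a DMARC record and work out the disposition a receiver would apply.

Added example (not 4UIT's code): example.ca, the records and the message
scenarios below are constructed. The policy logic follows RFC 7489 with one
shortcut, noted in org_domain().
"""
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Split a _dmarc TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Shortcut: real receivers consult the Public Suffix List, so that
    shop.example.co.uk maps to example.co.uk rather than co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record: dict, record_domain: str, *, from_domain: str,
             spf_result: str, spf_domain: Optional[str],
             dkim_result: str, dkim_domain: Optional[str], roll: int = 0) -> str:
    """Return 'pass', or the disposition for a failing message: 'none', 'quarantine', 'reject'.

    record_domain is where the record was published (p= applies to it, sp= to its
    subdomains). roll (0-99) is a deterministic stand-in for the receiver's pct= sampling.
    """
    spf_ok = bool(spf_result == "pass" and spf_domain
                  and aligned(spf_domain, from_domain, record["aspf"]))
    dkim_ok = bool(dkim_result == "pass" and dkim_domain
                   and aligned(dkim_domain, from_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"  # DMARC passes when either aligned mechanism passes
    policy = record["p"] if from_domain.lower() == record_domain.lower() else record["sp"]
    if roll >= record["pct"]:  # outside the sampled share, apply the next softer action
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


RECORD_DOMAIN = "example.ca"  # assumption: the SMB's sending domain
ENFORCED = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.ca; adkim=s; aspf=r")
MONITOR_ONLY = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.ca")

# Constructed scenarios. SPOOF is the classic case: the attacker's own MAIL FROM
# domain passes SPF, but nothing aligns with the forged From: header.
SPOOF = dict(from_domain="example.ca", spf_result="pass", spf_domain="bulk.attacker-example.net",
             dkim_result="none", dkim_domain=None)
LEGIT_VIA_GATEWAY = dict(from_domain="example.ca", spf_result="pass",
                         spf_domain="bounce.gateway-example.com",
                         dkim_result="pass", dkim_domain="example.ca")
SUBDOMAIN_SPOOF = dict(SPOOF, from_domain="payroll.example.ca")


if __name__ == "__main__":
    for name, rec in (("p=none", MONITOR_ONLY), ("p=reject", ENFORCED)):
        print(f"{name}: spoof -> {evaluate(rec, RECORD_DOMAIN, **SPOOF)}")
    print("p=reject: legit via gateway ->", evaluate(ENFORCED, RECORD_DOMAIN, **LEGIT_VIA_GATEWAY))
    print("p=reject: subdomain spoof ->", evaluate(ENFORCED, RECORD_DOMAIN, **SUBDOMAIN_SPOOF))
```

The two things this makes visible that the prose does not: the same spoofed message is delivered under p=none and refused under p=reject, and a legitimate message relayed through a gateway survives p=reject only because DKIM is signed with the SMB's own domain (with `adkim=s`, a signature from `mail.example.ca` would fail and the message would be rejected). To look up a real record: `dig +short TXT _dmarc.example.ca`.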
How is AI changing phishing?
AI-generated phishing copy no longer has the grammatical tells of older campaigns. The Sophos 2025 Active Adversary Report flags AI-generated lures as an emerging trend. The defensive implication: training that focuses on "watch for bad grammar" is increasingly obsolete. Train on context, request, and verification.
What stops BEC technically?
Layered controls: a real email gateway (Mimecast, Proofpoint, Sophos Email) in front of M365, DMARC enforcement, MFA on every account (especially finance), Conditional Access flagging anomalous sign-ins, and a documented out-of-band verification process for any payment-instruction change.