From phishing to deepfakes: Fraud prevention do’s and don'ts for businesses
March for Canadians means spring is just around the corner; it also marks Fraud Prevention Month. Over the past decade, digital innovations have reshaped the criminal landscape, enabling sophisticated fraudulent activities and leading to a rise in cybersecurity incidents. The Canadian Anti-Fraud Centre (CAFC) reported that Canadians lost a staggering $638 million to fraud in 2024, an 8.6% increase from the $578 million recorded in 2023.
Businesses are especially susceptible to significant financial losses from fraud and cybersecurity threats. A survey by KPMG of more than 500 Canadian small and medium-sized organizations revealed that three-quarters of respondents experienced fraud in 2023 (KPMG, 2023).
To help businesses stay vigilant, here are the most common tactics and scams to be aware of.
- Communication-based attacks
  - Phishing, smishing and vishing: deceptive emails (phishing), text messages (smishing) or calls (vishing) used to extract sensitive information or to solicit urgent transfers of money or information. Example: a message purporting to come from the CEO directing an employee to purchase gift cards or to electronically transfer funds.
  - Application-to-person fraud: exploiting messaging channels to send deceptive messages. These can take the form of fake project reports that prompt an employee to open a document, fake package-delivery notifications containing malicious links, or fraudulent bank alerts that ask for account details.
- Emerging threats
  - Digital payment fraud: exploiting vulnerabilities in newer payment systems such as mobile wallets, cryptocurrency and peer-to-peer payment apps.
  - Deepfakes: using AI-generated video or audio to impersonate a trusted person and solicit confidential information.
  - Synthetic identity fraud: creating fictitious identities from a blend of real and fake data in order to apply for business loans.
- Business operations scams
  - Infiltrating corporate networks to steal sensitive information or deploy ransomware.
  - Soliciting payment for non-existent listings in business directories.
  - Using stolen login credentials to take over accounts.
  - Creating or altering invoices to collect payments.
  - Sending unsolicited products and then demanding payment.
  - Issuing fake notices for trademark renewals.
Do’s and don’ts for businesses
To strengthen your organization's defense against fraud and cyber threats, consider these do's and don'ts:
| Do | Don’t |
| --- | --- |
| Establish a robust company security policy. Create a clear, comprehensive security policy document outlining the company’s best practices and standards. It serves as a reference point for all employees and ensures consistent adherence to security protocols. | Assume employees understand security best practices. Don’t assume employees will react appropriately to security threats or know how to report incidents. |
| Conduct ongoing security awareness training. Regularly train employees in fraud prevention and threat detection techniques. As the front-line defence against cyber-attacks, their knowledge is crucial in mitigating security risks. Proactive strategies are key to staying ahead of potential threats. | Rely solely on reactive measures. Don’t wait for fraud to occur before acting. |
| Promote a cyber-aware workplace culture. Foster a culture that encourages digital literacy, emphasizes shared responsibility for fraud prevention, and empowers all employees to report potential cybersecurity risks immediately. | Discourage a cyber-aware culture. Don’t create an environment where employees hesitate to report potential threats. |
| Report fraudulent activities right away. Avoid acting on urgent communications without verifying them through a known, independent channel. Report suspicious communications right away and maintain detailed records. | Overlook warning signs of fraudulent activities. Don’t disregard warning signs such as unusual payment requests, suspicious emails or strange inquiries. |
| Implement multi-factor authentication (MFA) and strong password practices. Use MFA for all systems. Enforce strong, unique and regularly updated passwords for all employees, and emphasize that these credentials must never be shared with others. | Use weak passwords or share login credentials. Don’t promote credential sharing or store passwords where others can access them. |
Fraud prevention is an ongoing process. Regular risk assessments, staying informed about emerging threats, and fostering a company-wide culture of cybersecurity awareness are crucial steps in staying ahead of fraudsters. As technology advances, so too must our defenses. Working together to combat fraud, we protect individual businesses and contribute to the overall integrity and stability of our digital economy.
Authors:
Melanie Slimming | Public Policy Coordinator | CMA
Florentina Stancu-Soare | Director, Public Affairs and Regulatory Standards | CMA