Learn · Northstar IT

Phishing Attacks Explained

Phishing is an attack where criminals send fake emails, texts, or calls that look legitimate, tricking your staff into clicking malicious links, entering credentials, or transferring money.

Phishing is a social engineering attack where criminals send fraudulent emails, text messages, or phone calls designed to trick your staff into handing over credentials, clicking malicious links, or transferring money. It is the single most common entry point for data breaches and ransomware attacks in Canada. Understanding how phishing works is the first step to defending against it.

A typical phishing attack:

Modern phishing pages are often indistinguishable from legitimate ones: they use the target company's actual logos, copy the real site's HTML, and use convincing domain names.

Spear phishing and BEC have dramatically higher success rates than mass phishing because they are personalised. BEC attacks cause significant financial losses in Canadian SMBs every year, often more per incident than ransomware.

Warning signs:

Important: modern phishing emails often have no typos, no broken images, and no obvious tells. Do not rely on poor grammar to identify phishing.

Standard MFA (authenticator app codes) stops most credential-phishing attacks: even if the attacker captures your username and password, they cannot complete the login without your second factor.

However, real-time phishing proxy tools (such as Evilginx) relay both the credentials and the MFA code to the real site as they are entered and capture the resulting session token. Phishing-resistant MFA (hardware keys or passkeys) stops even this attack because the authentication is bound to the legitimate site and cannot be relayed.

The most effective approach combines simulated attacks with training:

Tools like KnowBe4, Proofpoint Security Awareness, and Microsoft Attack Simulator automate this. Combined with MFA, regular training reduces successful phishing incidents dramatically.

Act immediately, speed is critical:

Is phishing only via email? No. Phishing happens via SMS (smishing), phone calls (vishing), social media messages, and even QR codes. The technique, deception to steal credentials or money, works across every communication channel.

Can email filtering block phishing? Good email security (Microsoft Defender for Office 365, Proofpoint, etc.) blocks a significant percentage of phishing emails before they reach the inbox. It does not catch everything; well-crafted spear phishing often gets through.

What is CEO fraud? CEO fraud is a BEC attack where the attacker impersonates the CEO via email, typically asking a finance employee to urgently transfer funds or pay a vendor invoice. Always verify payment instructions through a separate communication channel, not just email.

Does my business need phishing simulation software? Any business with five or more staff who handle sensitive data or financial transactions benefits from regular phishing simulation. It is inexpensive, at roughly $2 to $5 per user per month.

Can North Star IT run phishing awareness training? Yes. North Star runs phishing simulation campaigns and security awareness training programmes for Canadian SMBs across Northern BC, Alberta, and Yukon.

Concerned about your team's phishing awareness? Call 672-983-1174 or book a free security awareness consultation at northstarit.ca.

FAQ

Quick answers.

What is phishing?

Phishing is an attack where criminals send fake emails, texts, or calls that look legitimate, tricking your staff into clicking malicious links, entering credentials, or transferring money.

What is the difference between phishing and spear phishing?

Phishing is mass-targeted. Spear phishing targets a specific person, usually with information gathered from social media. Spear phishing has much higher success rates.

How do I train my team against phishing?

Run monthly simulated phishing campaigns combined with short training videos. Tools like KnowBe4 and Hoxhunt automate this. Combined with MFA, training reduces click-through rates dramatically.

Does MFA stop phishing?

MFA stops most credential phishing. Phishing-resistant MFA, like security keys or passkeys, also stops modern session token theft attacks. Standard SMS MFA is now considered weak.

What do I do if someone fell for a phishing email?

Immediately reset that user's password, revoke active sessions in Microsoft 365 or Google Workspace, check for inbox rules or forwarding, and review recent transactions. Then notify your team and use the event as training material.
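The "check for inbox rules or forwarding" step above can be scripted against a rule export rather than eyeballed. The example below is added here and is not Northstar IT's code: it reads a JSON export shaped like Exchange Online's Get-InboxRule output (the field names are real; the sample rules, the tenant domain example.com, and the folder and keyword heuristics are constructed) and flags rules that forward mail outside the tenant, delete or hide sensitive messages, or carry a blank name.

```python
import json
import re

# Constructed sample shaped like a Get-InboxRule JSON export (field names real, values invented).
SAMPLE_RULES_JSON = r"""[
 {"Name": "Move newsletters", "Enabled": true, "MoveToFolder": "Newsletters",
  "MarkAsRead": false, "SubjectContainsWords": ["newsletter"]},
 {"Name": ".", "Enabled": true, "ForwardTo": ["finance [SMTP:finance@mail-relay.example.net]"],
  "DeleteMessage": true, "MarkAsRead": true, "SubjectContainsWords": ["invoice", "payment", "wire"]},
 {"Name": "Archive read", "Enabled": true, "MoveToFolder": "RSS Subscriptions",
  "MarkAsRead": true, "SubjectContainsWords": ["password", "mfa"]}
]"""

INTERNAL_DOMAINS = {"example.com"}  # constructed: the tenant's own mail domains
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email"}
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "mfa", "verification"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_targets(rule):
    """Return forward/redirect addresses whose domain is not one of INTERNAL_DOMAINS."""
    found = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for entry in rule.get(field) or []:
            for addr in EMAIL_RE.findall(entry):
                if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                    found.append(addr.lower())
    return found

def flag_rule(rule):
    """Return the reasons an enabled rule looks like post-compromise persistence (empty = clean)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards mail to external address(es): " + ", ".join(ext))
    hits = {w.lower() for w in rule.get("SubjectContainsWords") or []} & SENSITIVE_WORDS
    if rule.get("DeleteMessage") and hits:
        reasons.append("deletes messages matching " + ", ".join(sorted(hits)))
    if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS and rule.get("MarkAsRead"):
        reasons.append(f"marks mail read and moves it to '{rule['MoveToFolder']}'")
    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append("blank or single-character rule name")
    return reasons

def audit_rules(rules_json):
    """Parse the export and map each flagged rule's name to its list of reasons."""
    return {r["Name"]: v for r in json.loads(rules_json) if (v := flag_rule(r))}
```

Run it against a real export of the affected mailbox and treat every flagged rule as something to remove and record in the incident notes.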

Have a specific situation in mind?

Book a free 30-minute scoping call with a Northstar IT engineer. We will walk through your environment, your questions, and what good looks like for your team.
