News

The SharePoint Zero-Day and Employee Security Training

Every second Tuesday of the month, Microsoft releases security updates, and IT teams across the country quietly begin a race against exploitation. This month, the stakes are higher than usual. Microsoft’s April 2026 Patch Tuesday addressed 167 vulnerabilities, including eight rated critical and two zero-days, one of which is already being actively exploited in the


Booking.com Breach Is a Social Engineering Defence Lesson

Booking.com confirmed on April 13, 2026 that unauthorized parties accessed customer reservation data through a third-party compromise. The stolen information included names, email addresses, phone numbers, postal addresses, and messages guests had exchanged with hotels through the platform. Financial data was not exposed, but the immediate weaponization of that booking data in follow-up attacks tells


$500 Phishing Kits Demand a Cybersecurity Culture Shift

Last week, the FBI and Indonesia’s National Police dismantled the W3LL phishing network, arresting the alleged developer and seizing the platform’s infrastructure. It was a meaningful enforcement milestone: the first coordinated action between American and Indonesian authorities targeting a phishing kit developer. But the headline about the arrest misses the more important story. The W3LL


Payroll Pirates Reveal Canada’s Human Risk Gap

On April 9, 2026, Microsoft’s security researchers published their investigation into Storm-2755, a financially motivated threat actor running what they are calling “payroll pirate” attacks against Canadian employees. The campaign does not rely on malware, ransomware, or headline-grabbing intrusions. It relies on two things that are already inside your organization: a staff member who Googled


When Teams Is the Trap: Rethinking Phishing Prevention

The attack unfolded through tools that would look routine to any working professional: a LinkedIn connection from a credible-seeming contact, an invitation to a Slack workspace that appeared genuinely company-branded, and then a Microsoft Teams video call that stalled with a familiar-looking technical error. The suggested fix was a software update. One developer clicked, and


Why Contextual Security Awareness Training Works Better

A new integration announced this week between Dashlane and KnowBe4 points to a fundamental shift in how effective contextual security awareness training actually works. Rather than delivering training on a quarterly schedule, the two companies have built a system that triggers learning the moment a credential risk is detected in the browser. The announcement offers


Tax Season Phishing: The Security Training Blind Spot

Proofpoint researchers identified more than 100 malicious tax-themed phishing campaigns in early 2026, and Canadian organizations are among the primary targets. With April representing the peak filing period for most Canadians, attackers are exploiting the urgency, distraction, and financial stress that tax season reliably produces. Most organizations have not updated their security awareness training to


ClickFix: The Fake CAPTCHA That’s Tricking Employees

A social engineering technique called ClickFix is now the leading way cybercriminals break into organizations, and it asks nothing more from victims than pressing three keys on a keyboard. According to Microsoft’s 2025 Digital Defense Report, ClickFix has become the number one initial access method, responsible for 47% of all attacks observed by Microsoft Defender
