Cybersecurity and Fraud Protection

Protecting your business from cybercrime

Understand how fraudsters attack businesses online in 2025—and how to stop them.

By ATB Financial, 21 March 2025

Cybersecurity is probably not at the top of the to-do list for most business owners. Unfortunately, defrauding businesses is a priority for fraudsters.

About 60% of Canadian businesses believe they are too small to be victims of cybercrime [1]. But 46% of cyber breaches impact businesses with fewer than 1,000 employees [2]—and a cyber breach can cost a business more than $3 million [3].

Knowledge is always the best defence against fraud. As part of Fraud Prevention Month 2025, let’s look at three of the most popular tools fraudsters use right now. Then we’ll go over how businesses can disrupt these scams and protect themselves. Finally, we’ll answer some common questions about cybersecurity.

 

Three popular tools for fraudsters

First, consider a business email compromise attack. Fraudsters take over or impersonate an email account from a legitimate organization, and they use this to trick a business into sharing valuable information or money.

This attack is usually targeted. Fraudsters will do extensive research to figure out how the target business works and who they should impersonate. Commonly impersonated personas are executives, leaders and trusted vendors.

Another popular tactic right now is the SIM swap. It’s a bit like an email compromise attack except it targets phones. SIM swapping is a legitimate process used for mobile account transfers, but it is also a vulnerability exploited by fraudsters for identity theft and financial crimes. After the takeover, all SMS text messages and phone calls go to the fraudster’s device. From there, a wide range of frauds can be perpetrated.

One of the most insidious things about a SIM swap is that it can be hard to realize that it’s happened. Warning signs can include your phone going into SOS mode, activity on your social media accounts that you don’t recognize, and unexpected password reset notices. Clients need to know what red flags to look out for elsewhere, like inquiries on their credit reports that they didn't apply for or initiate.

Finally, we’re starting to see the use of generative AI in cybercrime. This includes using gen AI to make phishing attempts more personalized and convincing, creating “deepfake” audio and video content of a key executive, and using AI to scan a company’s network for weaknesses or even determine the maximum ransom they could pay.

So how can a business guard itself against tactics like these? 

 

Best cybersecurity practices for 2025

While the tools fraudsters use vary, following a few best practices can make any business a much harder target for fraud.

Robust password management and use of multi-factor authentication (MFA) can cut off fraud tactics that hinge on getting access to accounts within your organization. Using two-factor authentication (2FA) to protect email accounts is a first step that every business should take, but the gold standard here is using passkeys.

Passkeys are digital credentials tied to both a user account and a website or application. They provide a single-step, secure login method that is both faster and more secure than 2FA or MFA. They can also be coupled with biometrics for even more security. If passkeys are not available, use a password generator and a password vault to ensure you have protected, complex passwords.

Another important best practice is to maintain network and device security.

For devices, that means maintaining a list of all the assets that your business uses that create cybersecurity risk exposure, including all computers, routers, and mobile devices, network devices like printers and servers, and connected or smart devices like point-of-sale machines. Each device needs to be secured, with consideration for your financial data and customer data, and that security maintained.

For networks, protect every network your business uses (including public ones) with anti-virus software and firewalls. You should also avoid open connections and develop network backups stored on the cloud or external storage. Consider segmenting your wi-fi network, so that guests are not using the same connection that the rest of the organization is using. (Set up a password-protected guest wi-fi if it's applicable to your business.)

Finally, you should develop and maintain an incident response plan that will guide your business in the event of a cyberattack. The plan should include steps to detect, respond to, and recover from an attack, as well as a system to test your defences for vulnerability. You should also establish business-wide policies for internet and social media use, email, and “bring your own device” standards. The Canadian Anti-Fraud Centre offers many free templates that businesses can use to start these policies. If you already have these policies in place, you can use these templates to ensure you've covered the essentials of the policies.

 

Answers to common questions about cybersecurity for businesses

 

Is it safe to use my smartphone’s personal hotspot data for banking while staying in a hotel?

This is more secure than the hotel’s wi-fi, but could still compromise your data. You should use a VPN when connecting to any public network—even those protected by passwords, since you have no way to know who else knows the password.

 

How can you tell if your email has been compromised?

You can look out for:

  • A changed password
  • Emails in your sent folder that you did not send
  • Unexpected password reset emails
  • Complaints from people you work with, or contacts

Many email services can also provide details on login activity, allowing you to track IP addresses, devices and browsers that access your email. Check this audit trail on a regular basis to ensure there is no suspicious activity.
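One way to make that regular audit-trail check repeatable, as an added example that is not ATB's or any email provider's tooling: it treats an earlier period as a baseline and flags later logins from an IP address, device or browser not seen before. The CSV column names and the sample rows are constructed assumptions; a real export will need its own field mapping.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names are assumptions, not a provider's real format.
SAMPLE_LOG = """timestamp,ip,device,browser
2025-03-01T08:02:11,198.51.100.24,Windows laptop,Chrome
2025-03-02T08:10:45,198.51.100.24,Windows laptop,Chrome
2025-03-03T12:31:02,198.51.100.24,iPhone,Safari
2025-03-04T08:05:39,198.51.100.77,Windows laptop,Chrome
2025-03-10T03:14:07,203.0.113.9,Linux desktop,Firefox
2025-03-10T08:01:55,198.51.100.24,Windows laptop,Chrome
2025-03-11T09:20:18,198.51.100.24,iPhone,Chrome
"""

FIELDS = ("ip", "device", "browser")

def parse_events(text):
    """Return login events sorted by time, with timestamps parsed."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])

def review_logins(events, baseline_end):
    """Flag logins after baseline_end that do not match the baseline period."""
    known = {f: set() for f in FIELDS}
    known_pairs = set()
    findings = []
    for e in events:
        pair = (e["device"], e["browser"])
        if e["timestamp"] <= baseline_end:
            for f in FIELDS:
                known[f].add(e[f])
            known_pairs.add(pair)
            continue
        unseen = [f for f in FIELDS if e[f] not in known[f]]
        if not unseen and pair not in known_pairs:
            unseen = ["device+browser pair"]  # each value familiar, combination is not
        if unseen:
            findings.append((e["timestamp"].isoformat(), e["ip"], unseen))
    return findings

if __name__ == "__main__":
    cutoff = datetime(2025, 3, 5)
    for when, ip, unseen in review_logins(parse_events(SAMPLE_LOG), cutoff):
        print(f"{when} from {ip}: unfamiliar {', '.join(unseen)}")
```

A flagged login is a prompt to ask the account owner, not proof of compromise: travel, a new phone or a changed home IP address will also show up here.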

Daily reconciliations of all of your business accounts can help ensure any unauthorized transactions are caught as soon as possible.

If you think your email inbox has been compromised:

  • Get a comprehensive device scan by a third-party IT company or professional for all devices with access to your email. Confirmation of the scan should include what tools were used to complete the scan, the scan logs, any findings, and confirmation of what was employed to remove any unauthorized access or software. Special attention should be paid to email rules and any software that allows remote access to devices.
  • If any account information is available in your email, transition to a new account and close the compromised account. Account information can be sold on the dark web, used to create counterfeit cheques or set up pre-authorized debits.
  • Reset all online banking usernames and passwords once the device scan has been completed.

 

How can you stop your information from being sold on the dark web if it’s already there? How do you know if it’s there?

Sign up for products like Credit Alert through Equifax and other similar products with credit reporting agencies.

There are several companies that offer dark web monitoring, both as an ongoing service and as a one-time service. They also assist in remediation and removal of the information. 

 

Does ATB use IT tools on behalf of client accounts to detect and prevent potential fraud transactions above and beyond user authentication?

We take security seriously at ATB Financial. We’re committed to protecting your financial information and your privacy. To help make banking with us safe and private, we’ve built security features into our online and mobile personal and business banking platforms, including ATB Personal and ATB Business.

For more information visit our Online Banking Security Agreement.

 


More resources from the presentation:

  • Protecting your organization from cybercrime
  • Account Takeover Fraud
  • ATB’s Cybersecurity Toolkit
  • Online Banking Security Agreement
  • Baseline Cybersecurity Controls for Medium Sized Organizations
  • Developing an Incident Response Plan
  • Bring your Own Device Programs for Organizations
  • Get Cyber Safe Guide for Small Businesses

Need help?

Our ATB Business Solutions team will be happy to assist.