I track phishing campaigns specifically against Western Canadian small businesses as part of regular threat intelligence work. Here are five patterns we're seeing in 2026 — each one a real, observed campaign that has hit businesses in Alberta, Saskatchewan, or BC in the last six months. Knowing what to look for is half the defence.
1. The "supplier banking change" invoice fraud
This is by a wide margin the most expensive phishing pattern for Canadian SMBs in 2026. The scenario:
You receive an email, apparently from a long-time supplier, saying they've changed banks and you should update their banking information for the next invoice payment. The email is well-written. It uses your contact's actual signature block. The reply-to address looks plausible (often a one-character-different domain). When you reply with questions, you get convincing answers.
You update the banking info in your accounting system. You wire the next invoice payment. The supplier never receives it, because the wire went to an attacker-controlled account in another country, and the original supplier's email account was compromised weeks ago — the attacker has been reading your correspondence patterns to make the impersonation flawless.
Average loss per incident in Western Canada in 2025: $47,000. Recovery rate: almost zero. The bank cannot reverse a properly-authorized wire transfer.
Defence: Establish a verbal verification policy. For any banking change from any supplier, regardless of how plausible the email seems, you call them at a phone number you already have on file (not one provided in the email) and confirm. This single policy eliminates the entire attack class. Document the policy and put it in your standard operating procedures.
2. MFA-bombing
A newer pattern, exploding in 2025–2026. Here's how it works:
The attacker has already stolen a user's password (typically from a previous data breach published to the dark web). They try to log in. MFA prompts the user's phone for approval. The user denies it. The attacker tries again, immediately. Denied. Again. Denied.
Eventually, the user — usually after the third or fourth notification at 11:00 PM — taps "Approve" just to make the notifications stop. They figure it's a glitch. The attacker is now logged in.
Microsoft Authenticator and most major MFA providers added "number matching" in 2023 specifically to defeat this — instead of just tapping Approve, the user has to type the number shown on the laptop screen into the phone. Many small business tenants haven't enabled this feature.
Defence: In your Microsoft 365 admin centre, ensure number matching is enabled for Authenticator. If you use a different MFA solution, find its equivalent setting and enable it. Train staff that an unexpected MFA prompt at any hour is a security incident worth reporting, not an inconvenience to silence.
3. The Calgary or Edmonton "head office" pretext
Specifically targeting rural and remote SMBs. The attacker calls or emails posing as someone from a Calgary or Edmonton head office, regional bank branch, or government department. The pretext is something like:
- "This is RBC's commercial fraud department. We're seeing suspicious activity on your account…"
- "This is Service Alberta calling about your business registration renewal…"
- "This is from the office of [real local MLA's name]. We're conducting a security review…"
The attacker leans on the cultural pattern of rural businesses deferring to city-based authority. They ask for verification of business details, banking information, employee personal info, or — most commonly — they request that the recipient install "verification software" on their computer (which is actually remote-access malware).
Defence: Hard rule for all staff: nobody from a bank, government department, or head office ever asks for credentials, banking info, or software installation over the phone or via email. Ever. The legitimate organizations do not do this. If a request like this arrives, the answer is always "I'll call you back at the official number" — and then look up the official number independently. Train this until it's reflex.
4. Microsoft Teams external phishing
Microsoft Teams is increasingly used as a phishing vector because most businesses don't think of it as one. The attacker creates a Microsoft tenant (free in many cases) with a plausible-looking domain (e.g. microsoft-support.com, office365-billing.com), then sends a Teams chat message to one of your employees with an "important security alert" link.
Because the message arrives in Teams — a tool the employee uses constantly for legitimate work — and not in email, it bypasses much of the user's mental defence. The link goes to a credential-harvesting page that looks identical to a Microsoft sign-in page.
Defence: In your Microsoft 365 admin centre, restrict external Teams communications. The default setting allows any Teams user worldwide to message your users. Tighten this to "only specific external organizations" — a short whitelist of organizations you actually collaborate with. Most small businesses can leave this completely blocked.
5. The "urgent invoice approval" CEO fraud
Variant of business email compromise that doesn't even require breaching your email — it relies entirely on a plausible-looking spoofed sender.
The bookkeeper receives an email apparently from the owner (whose schedule the attacker has researched on LinkedIn), saying: "Tied up in meetings all day, but need this invoice paid today before EOD. $X to [account number]. Confirm when done."
The bookkeeper, conditioned to respond promptly to the owner, processes the payment. The owner is unreachable because they're on a flight or in meetings, exactly as the attacker stated. By the time the truth comes out, the money is gone.
Defence: Same as #1 — verbal verification for any out-of-band financial request. Establish a policy: any unscheduled payment over a defined threshold (say $5,000) requires verbal confirmation with the requester, by phone, regardless of how urgent the email claims to be. The policy itself is the defence. Document it; train it.
What ties all of these together
Notice the pattern: every one of these attacks is a social engineering attack. Technology can reduce the surface (number matching, restricted Teams external messaging, blocked legacy authentication) but cannot eliminate the human element entirely. A bookkeeper who has been trained to verify and given explicit policy permission to take an extra two minutes will catch nearly all of these. A bookkeeper who hasn't been trained will catch almost none.
The 2026 standard for SMB security awareness training is monthly phishing simulation with measured improvement. Annual training is no longer enough — the threat patterns evolve faster than that.
What to do this week
Three actions:
- Verify number matching is enabled in your Microsoft Authenticator configuration. Five-minute check.
- Write and circulate a verbal-verification policy for any supplier banking change, large unexpected payment, or unusual request from an outside organization. Twenty-minute draft.
- Test your staff with a phishing simulation if you don't already run them. Free tools like KnowBe4's free phishing test or Hoxhunt's trial are sufficient for a one-time baseline.
How we help
Peace Country Cyber's Cyber Essentials tier includes monthly phishing simulation, annual security awareness training, and the Microsoft 365 baseline configuration that prevents the technical components of these attacks. Starting at $95 per user per month.
If you've been on the receiving end of one of these attacks and aren't sure what to do next, our incident response service can help — but the better outcome is to be one of the businesses we never had to do incident response for in the first place.
Peace Country Cyber is northern Alberta's local cybersecurity partner. Take the free Security Risk Report →