It has been a busy week for Canadian cybersecurity news, and not the good kind. A year after a single malicious pop-up let attackers into Nova Scotia Power, the utility is still digging out from the fallout; a new KPMG survey puts a dollar figure on what AI-driven fraud is costing Canadian companies; a BC newsroom has been hit by ransomware; and Canada still has no AI law on the books. Let's get into it.
STORY OF THE WEEK
One Employee Clicked a Pop-Up. Nova Scotia Power Paid for It. For a Year.
In March 2025, a Nova Scotia Power employee visited a website that had been quietly infected with malware. A pop-up appeared, probably disguised as a routine browser update notice, and they clicked it. That single click handed criminals the credentials they needed to get inside NS Power's systems.
Six weeks later, the attackers made their move. On April 25, 2025, they destroyed the company's backups and deployed ransomware across NS Power's internal network. Billing systems went dark. Smart meters across the province lost their connection to head office. The utility that powers nearly a million Nova Scotians was scrambling.
NS Power chose not to pay the ransom. But the fallout lasted far longer than the attack itself. For nearly a year, the company couldn't get accurate meter readings. More than half of all customer bills (over 1.3 million of them) had to be estimated. Customers were getting inflated bills they didn't trust and refusing to pay. Payment arrears across the province doubled, from about 4% of customers to 8%. The new CEO stepped in earlier this year and has spent his first months trying to rebuild public trust. Smart meters only came fully back online in early 2026, and NS Power committed to deleting every customer SIN from its systems by March 31, a condition imposed by Canada's Privacy Commissioner.
In the end, the breach exposed the personal data of more than 900,000 current and former customers: names, SINs, bank account numbers, billing history, and more. All because of one pop-up.
WHY IT MATTERS TO YOU
NS Power had dedicated IT staff, regulatory oversight, and real cybersecurity infrastructure. And one employee's instinctive click got past all of it. But the click was only the way in. What turned it into a year-long outage was what followed: the intruders sat inside the network for six weeks without being noticed, and when they finally acted they could reach and destroy the backups from the same network they had already compromised. The question for your business isn't whether you have good systems. It's whether your team knows what to do when a convincing-looking pop-up, login page, or software update appears on screen, and whether the backup you would need tomorrow morning sits somewhere an intruder on your network can't also reach. Do they know to pause? Do they know who to call?
WHAT CAN YOU DO RIGHT NOW
Tell your team this week: if your computer ever shows an unexpected pop-up asking you to update software, install something, or click a link, don't click anything inside it (fake pop-ups often come with fake "close" and "cancel" buttons). Close the browser tab or window instead, and let someone know before doing anything else. Real browser updates arrive through the browser's own settings menu, never through a web page. A 30-second pause is free. A ransomware recovery takes a lot longer and costs a lot more.
THE RIPPLE EFFECT
Three stories, and what they actually mean for your business
AI-Powered Fraud Is Now Costing Canadian Companies Real Money
KPMG Canada released a major survey in March 2026 that should be required reading for any business owner. Of 251 Canadian C-suite leaders surveyed, 72% reported losing up to 5% of annual profits to AI-driven fraud in the past year. The most common attacks were AI-generated phishing emails (reported by 60% of respondents), followed by deepfake documents (39%) and voice-clone calls impersonating executives (24%). Perhaps most alarming: only 26% of organizations have a tested plan to respond to these attacks.
What it means for you:
The companies in this survey are larger enterprises with dedicated security staff, and they're still getting hit. If your team receives a convincing email from your "bank," "accountant," or "CEO," the AI that wrote it may have done a better job than a human scammer ever could. Trust your instincts when something feels rushed or unusual, even if the email looks perfect.
A BC TV Newsroom Got Hit by Ransomware. Nobody Is Immune.
CHEK News, Victoria's independent employee-owned television station, was struck by a ransomware attack in early April 2026. The attack was attributed to a criminal group called Qilin, a ransomware-as-a-service operation that has been steadily targeting organizations across North America and Europe. Details on the full impact are still emerging, but the incident is a reminder that ransomware groups don't discriminate by industry, size, or profile. A scrappy, community-owned newsroom is just as attractive a target as a bank. Sometimes more so, because attackers assume smaller organizations have fewer defences and more pressure to get back online quickly.
What it means for you:
If a newsroom full of journalists (people trained to question everything) can get hit by ransomware, so can any business. The most important question to ask yourself right now: if ransomware locked up every file and system in your business tomorrow morning, do you have a recent backup stored somewhere separate from your main network? If the answer is no or "I'm not sure," that's the thing to fix this week.
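The "do you have a recent backup somewhere separate" question is only half answered by looking at a folder listing: a backup that is stale, silently corrupted, or that fails to extract is not a backup. The script below is an added example written for this newsletter, not a tool from NS Power, CHEK News or any vendor named above. It assumes your backup job writes gzip tarballs named `*.tar.gz` plus a `<name>.tar.gz.sha256` checksum file beside each one (both are assumptions about your own backup job), and it checks three things about the newest archive: that it is younger than a week, that it still matches the checksum written when it was created, and that it actually restores into a scratch directory. It does not verify where the archive lives; point it at the separate location (external drive, second site, object-storage mount) you want to trust.

```python
"""Check that the newest backup archive is recent, unaltered and restorable.

Added example for this newsletter, not anyone's production code. Assumes
backups are gzip tarballs named *.tar.gz with a sidecar <name>.tar.gz.sha256
written at backup time (an assumption about your backup job, not a standard).
"""
from __future__ import annotations

import hashlib
import io
import os
import tarfile
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 7  # assumption: one backup per week is the minimum you accept


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (archives can be larger than RAM)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def newest_backup(backup_dir: Path) -> Path | None:
    """Most recently modified *.tar.gz in the directory, or None."""
    archives = sorted(backup_dir.glob("*.tar.gz"), key=lambda p: p.stat().st_mtime)
    return archives[-1] if archives else None


def trial_restore(archive: Path) -> tuple[bool, int, str]:
    """Extract into a throwaway directory and count files. Returns (ok, n_files, error)."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    # Refuse entries that would write outside the scratch dir (tar path traversal)
                    if member.name.startswith("/") or ".." in Path(member.name).parts:
                        return False, 0, f"unsafe path in archive: {member.name}"
                # Python 3.12+ (and patched 3.8+) enforce the same rules via the 'data' filter
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, 0, f"restore failed: {exc}"
        n_files = sum(len(files) for _, _, files in os.walk(scratch))
        return n_files > 0, n_files, "" if n_files else "archive restored no files"


def check_backup(backup_dir: Path, max_age_days: int = MAX_AGE_DAYS,
                 now: float | None = None) -> dict:
    """Report on the newest archive: found / fresh / checksum_ok / restore_ok / problems."""
    report = {"found": False, "fresh": False, "checksum_ok": False,
              "restore_ok": False, "files_restored": 0, "problems": []}
    archive = newest_backup(backup_dir)
    if archive is None:
        report["problems"].append(f"no *.tar.gz archive in {backup_dir}")
        return report
    report["found"] = True

    now = time.time() if now is None else now
    age_days = (now - archive.stat().st_mtime) / 86400
    report["fresh"] = age_days <= max_age_days
    if not report["fresh"]:
        report["problems"].append(f"newest backup {archive.name} is {age_days:.1f} days old")

    manifest = archive.with_name(archive.name + ".sha256")
    if manifest.exists():
        parts = manifest.read_text().split()
        expected = parts[0] if parts else ""
        report["checksum_ok"] = expected == sha256_file(archive)
        if not report["checksum_ok"]:
            report["problems"].append("SHA-256 mismatch: archive altered or corrupted since it was written")
    else:
        report["problems"].append("no .sha256 manifest beside the archive")

    ok, n_files, err = trial_restore(archive)
    report["restore_ok"], report["files_restored"] = ok, n_files
    if err:
        report["problems"].append(err)
    return report


def make_sample_backup(backup_dir: Path, files: dict[str, bytes],
                       name: str = "backup.tar.gz") -> Path:
    """Constructed sample input: a small in-memory tarball plus its sha256 sidecar."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / name
    with tarfile.open(archive, "w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=rel)
            info.size = len(data)
            info.mtime = int(time.time())
            tar.addfile(info, io.BytesIO(data))
    archive.with_name(archive.name + ".sha256").write_text(
        f"{sha256_file(archive)}  {archive.name}\n")
    return archive


if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) > 1:  # usage: python check_backup.py /mnt/offline-backups
        result = check_backup(Path(sys.argv[1]))
        print(json.dumps(result, indent=2))
        sys.exit(0 if not result["problems"] else 1)
    with tempfile.TemporaryDirectory() as demo:  # no argument: run on a constructed sample
        make_sample_backup(Path(demo), {"ledger/2026-03.csv": b"date,amount\n",
                                        "config/site.ini": b"[db]\nhost=x\n"})
        print(json.dumps(check_backup(Path(demo)), indent=2))
```

Run it from a scheduled task against the separate backup location and alert on a non-zero exit. The trial restore matters most: NS Power's attackers destroyed the backups before deploying ransomware, and a checksum written by the backup job only proves the archive is the one the job produced, not that the job produced something usable.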
Canada Has No AI Law. And That Affects Your Business Today.
Canada's Artificial Intelligence and Data Act (AIDA, part of Bill C-27) died on the Order Paper when Parliament was prorogued in January 2025. As of this week, the Canadian Centre for Policy Alternatives notes that Canada remains one of the few G7 nations without binding AI regulation. The federal government's renewed national AI strategy, led by Minister Evan Solomon, Canada's first-ever Minister of Artificial Intelligence, is still in development, with a full release expected later in 2026. In the meantime, $200 million in federal funding is flowing through the Regional Artificial Intelligence Initiative to help Canadian businesses adopt AI tools.
What it means for you:
There's no AI-specific rulebook for Canadian businesses right now. That means no one is telling you what you have to do with AI in particular, but also no one is protecting you if something goes wrong. One caveat: the absence of an AI law doesn't suspend the privacy rules you already have to follow. Customer names, SINs or account details typed into a chatbot are still personal information under PIPEDA (or your provincial equivalent), and you remain responsible for where they end up. If you're starting to use AI tools (like chatbots, automated emails, or AI-assisted decision-making), it's smart to start keeping simple notes on what tools you're using and what data you're putting into them. That habit will matter when regulation does arrive, and it tells you today whether customer data is leaving your control.
STAT OF THE WEEK
72%
of Canadian companies lost up to 5% of their annual profits to AI-driven fraud in 2025.
That's not a future threat. It already happened. And AI-generated phishing emails were the most common attack method, reported by 60% of respondents.
Source: KPMG Canada, “Fraud in the Age of AI”, March 2026
ONE THING YOU CAN DO THIS WEEK
Set Up a “Call-Back Rule” for Any Money Request
This week's most important action has nothing to do with software or IT. It's a simple conversation with your team, and it could save you thousands of dollars.
Here's the rule: any request to transfer money, change banking information, approve a wire, or pay an invoice that arrives by email, text, or phone must be verified by calling the person back on a known number before anything is done. Not by replying to the email. Not by calling the number in the message. By calling a number you already have: from your contacts, your website, or your filing cabinet.
This one habit stops the vast majority of business email compromise scams and voice-clone fraud cold. It sounds almost too simple. But in the KPMG survey, 24% of respondents reported voice-clone calls impersonating their own executives. A cloned voice can sound exactly like the CFO; a call back to the CFO's real number is the one check the cloning can't pass.
“A two-minute phone call is the cheapest fraud prevention tool you have.”
Tell your team today: if anyone (your bank, your accountant, a supplier, or even your own boss) contacts you unexpectedly to ask for money or to change payment details, the answer is always the same: "Let me call you right back." Then call the number you know.
QUICK BITES
Supply chain attacks on Canadian businesses are on the rise.
Canada was flagged as one of the highest-risk countries for supply chain compromise in Group-IB's 2026 threat report. Attackers are increasingly compromising a trusted vendor's email or systems to get to their clients downstream. If you get an unusual request from a familiar supplier, especially around payment changes, verify it directly before acting.
The Canadian Centre for Cyber Security issued urgent warnings this week.
The CCCS flagged critical vulnerabilities in widely used network security tools from Fortinet, Citrix, SonicWall, and Palo Alto Networks on April 7–8. These are the kinds of tools that sit at the edge of your network and protect your internet connection, which also makes them the first thing attackers probe when a flaw is announced. If your IT provider hasn't mentioned these updates, it's worth a quick check-in to confirm two things: that the fix is actually applied (these appliances usually need a firmware upgrade and a reboot, not just a settings change), and, if the device sat unpatched while the flaw was public, that it wasn't already compromised. Patching closes the door; it doesn't evict anyone who came through it.
Ransomware incidents in Canada jumped 46% last year.
The CCCS counted 352 ransomware incidents in Canada in 2025, up from roughly 240 the year prior. Small businesses remain a primary target because they're perceived as having weaker defences and a higher likelihood of paying a ransom to get their files back. Regular, tested backups remain your best insurance policy.
Ottawa is investing in AI adoption for small businesses.
Minister Evan Solomon announced $8.5 million for 40 AI projects across Atlantic Canada in March 2026, part of a broader $200M federal initiative to help Canadian businesses put AI to work. If you're a small business curious about AI tools and where to start, your regional development agency (ACOA, FedDev Ontario, PrairiesCan, etc.) may have funded programs available.
PARTING THOUGHT
There's a pattern in this week's stories that's worth sitting with for a moment. Whether it's the Nova Scotia Power breach, the AI-generated phishing emails, or the ransomware attack on CHEK News, almost every threat starts the same way: someone trusted something they shouldn't have.
That's not a criticism. Trust is how organizations function. You trust your team. You trust your bank. You trust a pop-up that looks like it came from your browser. The problem is that criminals understand this, and they've gotten very good at manufacturing trustworthiness. A phishing email in 2026 doesn't look like a Nigerian prince asking for your help. It looks like an invoice from your accountant.
So the skill that matters most right now isn't technical. It's the willingness to pause for thirty seconds before acting on an unexpected request, especially one involving money, personal information, or a login. That pause is your best defence. It costs nothing. And it works.
See you next Friday, and stay
TryberResilent