Someone is stealing Canadian workers' paycheques, and your payroll portal might be the door they walk through. Meanwhile, three Canadian businesses were hit by ransomware in a single day (different attackers, different sectors), Nova Scotia Power's massive breach is heading to Parliament, and Ottawa just dropped the biggest AI announcement in a decade. Let's get into it.
🗞️ STORY OF THE WEEK
Your Employee’s Paycheque Is the Target - And Your Login Page Is the Key
Here's a scenario that's been playing out at businesses across Canada: an employee Googles "Microsoft 365 login" and clicks on one of the top results. The page looks identical to the real thing. They type in their username and password. Nothing seems wrong.
But that page wasn't Microsoft's. It belonged to a criminal group that Microsoft researchers have named Storm-2755, and they've taken to calling them the "Payroll Pirate." The name fits. Within hours of stealing that employee's login, the attackers are inside your HR or payroll system, changing direct deposit details, and redirecting the next paycheque to a bank account they control.
This isn't a theoretical attack. Microsoft's security team documented Storm-2755 specifically targeting Canadian employees, noting that the group has developed a sophisticated playbook that bypasses standard multi-factor authentication. They use a technique called "adversary-in-the-middle", essentially standing invisibly between your employee and the real Microsoft site, capturing not just the password but the session token that proves someone has already logged in. That's what lets them bypass a regular text-message MFA code.
The financial damage is immediate and personal. Unlike a ransomware attack that might take days to discover, a paycheque either hits an employee's bank account on Friday or it doesn't. And once the money is transferred, it's very difficult to recover.
WHY THIS MATTERS TO YOU
If you use any cloud-based HR software, payroll provider, or Microsoft 365 for work, your staff are potential targets. Ask yourself: if someone called your HR department right now and asked to change a direct deposit number, what verification process is in place? For most small businesses, the honest answer is “not much”.
WHAT YOU CAN DO
Call your payroll provider today and ask two questions: “What MFA options do you support?” and “Is there a way to require verification before any banking information is changed?” Then brief your HR or office manager: any direct deposit change request, no matter how urgent it sounds, must be confirmed by a phone call to the employee’s known number. This one step could save your next payroll.
THE RIPPLE EFFECT - Three stories, and what they actually mean for your business
Three Canadian Businesses Hit by Ransomware - On the Same Day
Today (June 5), three separate Canadian organizations were confirmed as ransomware victims, each attacked by a different criminal group. Group Sécurité CLB, a security services company, was hit by AiLock. MLS Now, a real estate listing service, was targeted by Akira. Trican Well Service, an oilfield services firm, fell victim to Qilin. Three sectors. Three attackers. One day.
What this means for you: There’s no industry that’s too small or too boring to be a target. Criminals aren’t hand-picking victims based on who’s interesting; they’re running automated tools that scan for open doors. The question isn’t whether you’ll appear on a threat actor’s radar. It’s whether your defences make it too costly to bother with.
Nova Scotia Power’s Breach is Heading to Parliament
It’s been over a year since ransomware breached Nova Scotia Power’s systems, exposing the personal records of approximately 915,000 customers, current and former. The compromised data included names, social insurance numbers, bank account details, dates of birth, and driver’s licenses. The Office of the Privacy Commissioner opened an investigation, and NS Power committed to deleting all stored SINs by March 2026 and completing an independent security audit by October 2026. Now executives are being called before Parliament this month to explain what happened and what’s being done.
What this means for you: This is what accountability looks like when a breach affects nearly a million people. Your business may be smaller, but your obligations under PIPEDA are the same. If you’re storing sensitive customer data, and most businesses are, you need a plan for what happens if it gets out. A breach response plan doesn’t have to be complicated. It just has to exist.
AI Is Shrinking the Window Between a New Vulnerability and a Real Attack
According to the World Economic Forum’s 2026 Global Cybersecurity Outlook, and confirmed by IBM researchers, criminals are now using AI to weaponize newly discovered software flaws in hours, not days or weeks. Mandiant’s M-Trends 2026 report found that 28% of newly disclosed flaws are now being actively exploited within 24 hours of publication. The old standard of “patch once a month” was already borderline; now, it’s genuinely dangerous.
What this means for you: If you have someone managing IT for your business, ask them how quickly critical security updates get applied when a new flaw is announced. “Monthly” isn’t good enough anymore. “Automatically, within 24-48 hours” is where you want to be. If your IT provider can’t answer that question clearly, it’s worth pushing.
1 in 5 data breaches in 2026 involved AI tools employees were using without their employer’s knowledge, adding an average of $670,000 in costs per incident.
The term is “shadow AI”: ChatGPT, Copilot, or whatever AI tool an employee adopts on their own to get work done faster, often without telling anyone. When those tools handle sensitive data (client files, financial records, health information) without any oversight, the exposure is real and growing. A striking 79% of organizations are now deploying AI agents of some kind, but only 6% have updated their governance frameworks to account for the new risks.
✅ ONE THING TO DO THIS WEEK
Lock Down Your Payroll Portal - Before Someone Else Does
You may not think of your payroll software as a security risk. But as we covered above, it’s exactly what criminals are targeting right now, because when they win, they win immediately, in cash from your employees’ bank accounts.
Here’s what to do this week, even if you only have 20 minutes.
First, log into your payroll software and look at the security settings. Is multi-factor authentication turned on for all users, not just you, but your bookkeeper, your office manager, anyone who touches your payroll? If not, turn it on today. A text message code is better than nothing, but an authenticator app (Google Authenticator, Microsoft Authenticator, or similar) is significantly stronger and specifically harder for this type of attack to defeat.
Second, ask your payroll provider whether they support “passkey” or hardware key authentication. These are the strongest options available and are purpose-built to resist the kind of attack Storm-2755 uses. Many payroll providers now offer it, but you have to ask, or find the setting yourself.
Third, and most importantly: create a simple rule. Any change to an employee’s direct deposit information must be confirmed by a phone call. Not an email. Not a Teams message. A phone call to a number already on file. Write it down. Tell your HR staff or whoever handles payroll. This takes five minutes and could prevent a very bad Friday.
📌 QUICK BITES
Ottawa dropped the biggest AI announcement in years. Prime Minister Carney unveiled “AI for All” on June 4, a five-year plan targeting $200 billion in economic growth, 250,000 new AI-related jobs, and a pledge to treat AI as critical national infrastructure alongside energy and defence. The plan includes new legislation to protect Canadians from deepfakes. For small business owners, the headline is: new AI laws are coming. Now is a good time to start thinking about which AI tools your team is using and whether you have policies around them, because regulators will eventually start asking.
Canada’s federal cybersecurity law is back on the table. Bill C-8 was re-introduced this week, requiring businesses in energy, finance, telecommunications, and transportation to have formal cybersecurity programs and report cyber incidents to government. If your business is in one of these sectors, or if you’re a supplier or vendor to one, compliance obligations are coming. Getting a head start now is much easier than scrambling when a deadline arrives.
A new ransomware group went from 35 victims to 182 in a single quarter. The “Gentlemen” ransomware group is the fastest-growing criminal operation tracked in 2026, using AI-powered tools to move through a victim’s network automatically, completing in under 30 seconds what used to take attackers days. They’re increasingly targeting small organizations, and they often skip the encryption step entirely, focusing on stealing your data and threatening to publish it.
Windows users: make sure your computer has been updated this week. Two serious flaws in Microsoft Defender, Windows’ built-in security tool, were confirmed as actively exploited by attackers. If you have automatic updates turned on, you’re likely already protected. If you’re not sure: click Start, search “Windows Update”, and run a check. It takes two minutes.
A cyberattack on popular developer tools may have quietly affected software your business uses. A group called TeamPCP compromised widely-used GitHub automation tools this week, potentially inserting malicious code into software projects built by thousands of developers. If your business relies on custom-built apps or internal software, it’s worth asking your developer: “Have you checked whether your build tools were affected by the TeamPCP supply chain attack?”
💬 PARTING THOUGHT
This week felt like two stories unfolding at the same time.
In one story: three Canadian businesses were hit by ransomware in a single day, from three different criminal groups across three different industries. A threat actor specifically built to target Canadians has been quietly stealing workers’ paycheques. And AI is putting tools in attackers’ hands that make yesterday’s defences feel slow.
In the other story: Canada’s PM stood up and said we’re going to build a digital future that works for Canadians. “AI for All” isn’t a perfect plan, no five-year policy ever is, but it signals something real. Cybersecurity and digital resilience have moved from footnote to front page in Canadian policy.
The gap between those two stories, between threats moving faster and protections catching up slowly, is exactly where small businesses live. You can’t wait for legislation to protect you. But you don’t need to. One new MFA setting. One policy about verifying payroll changes. One conversation with your IT provider about patching. Each of those closes a door that a criminal group is counting on being open.
Small steps, consistently taken, are what resilience actually looks like.
See you next Friday and stay TryberResilient