The 10 most common cyberattacks in Quebec

Quebec is not immune to cyber threats. In fact, the Canadian Centre for Cyber Security reports a steady increase in incidents targeting Canadian businesses, and Quebec SMBs are among the most vulnerable targets. Knowing the most common types of attacks is the first step to protecting yourself. Here are the 10 most common cyberattacks in Quebec, along with practical tips to guard against them.

1. Phishing

Phishing remains the most widespread cyberattack in Canada. It involves sending fraudulent emails that mimic legitimate communications (bank, vendor, colleague) to trick the victim into clicking a malicious link or disclosing their credentials. According to the 2025 Canadian Anti-Fraud Centre report, losses related to online fraud exceeded $600 million across the country.

How to protect yourself: Deploy an advanced email filtering solution, enable multi-factor authentication (MFA) on all accounts, and regularly train your employees to recognize phishing attempts through realistic simulations.

2. Ransomware

Ransomware encrypts company data and demands a ransom to decrypt it. Ransomware attacks have exploded in recent years. In 2024, a manufacturing company in the Montérégie region had its entire operations paralyzed for two weeks after an attack by the LockBit group, resulting in estimated losses of over $500,000.

How to protect yourself: Maintain backups following the 3-2-1 rule (3 copies, 2 different media, 1 offsite), deploy an EDR solution, segment your network, and have a documented and tested incident response plan.

3. Business Email Compromise (BEC) Fraud

BEC (Business Email Compromise) is a targeted attack where the cybercriminal impersonates an executive or vendor to request a fraudulent wire transfer or a change in payment details. It’s one of the most costly attacks: the FBI estimates global losses at over $50 billion USD between 2013 and 2024.

How to protect yourself: Implement dual-approval validation procedures for any change in banking details, configure email authentication protocols (SPF, DKIM, DMARC), and raise awareness among accounting and management employees about this type of fraud.

4. Credential Stuffing

Cybercriminals use lists of credentials stolen from previous breaches to attempt to log into other services. Since many people reuse the same passwords, this technique is extremely effective. Quebec businesses in the e-commerce and professional services sectors are regularly victims of this.

How to protect yourself: Require the use of unique and complex passwords via an enterprise password manager, enable MFA on all services, and monitor unusual login attempts.

5. Supply Chain Attack

Rather than attacking their target directly, cybercriminals compromise a vendor or third-party software used by the company. The SolarWinds attack in 2020 is the most well-known example: a single compromised vendor affected more than 18,000 organizations worldwide, including Canadian businesses.

How to protect yourself: Assess the security posture of your critical vendors, limit access granted to third-party software, maintain an up-to-date inventory of all your tools, and monitor abnormal behavior in your environment.

6. Insider Threat

The insider threat comes from employees, contractors, or partners who, intentionally or accidentally, compromise the company’s security. According to the Verizon DBIR 2025 report, approximately 20% of data breaches involve an internal actor. A disgruntled employee copying client data before leaving the company or an accountant accidentally clicking on a malicious link — the scenarios are numerous.

How to protect yourself: Apply the principle of least privilege (each employee only has access to the data necessary for their work), conduct regular access reviews, monitor unusual activities, and implement secure offboarding procedures.

7. Distributed Denial of Service (DDoS) Attack

A DDoS attack overwhelms a server or website with a massive volume of requests, making it inaccessible to legitimate users. In 2025, DDoS attacks targeted several Canadian government and commercial websites, causing hours of downtime. For a business that depends on its website for sales or services, every minute of downtime represents a direct loss of revenue.

How to protect yourself: Use a DDoS protection service (such as Cloudflare or AWS Shield), configure rate limiting on your web servers, and have a failover plan to a backup infrastructure.

8. Zero-Day Vulnerability Exploitation

Zero-day vulnerabilities are security flaws unknown to the software manufacturer for which no patch yet exists. In 2024, Google documented 97 actively exploited zero-day vulnerabilities. These flaws are particularly dangerous because they can be exploited before companies even know they exist.

How to protect yourself: Keep all your software up to date with the latest patches, deploy an EDR solution capable of detecting suspicious behavior even without a known signature, and segment your network to limit the spread in the event of a compromise.

9. Man-in-the-Middle (MitM) Attack

In a MitM attack, the cybercriminal positions themselves between two communicating parties (for example, an employee and a banking website) to intercept or modify data in transit. This attack is particularly common on unsecured public Wi-Fi networks — a concrete risk for remote employees or those traveling who connect from a café or hotel.

How to protect yourself: Require the use of a corporate VPN for any remote connection, ensure all your sites and services use HTTPS/TLS encryption, and educate your employees about the risks of public Wi-Fi networks.

10. Social Engineering

Social engineering encompasses all psychological manipulation techniques used to get a person to disclose confidential information or take a compromising action. Fraudulent phone calls (vishing), text messages (smishing), fake LinkedIn profiles — the methods are increasingly sophisticated, especially with artificial intelligence enabling the creation of hyper-realistic audio and video content (deepfakes).

How to protect yourself: Ongoing employee training is the best defense against social engineering. Implement verification protocols for sensitive requests (call the person back on a known number, confirm through a second channel) and foster a culture where employees feel comfortable reporting suspicious attempts.

The Cyber Threat Landscape in Quebec by the Numbers

• Over 70,000 online fraud reports in Canada in 2024 (Canadian Anti-Fraud Centre)
• 60% of Canadian SMBs that fall victim to a cyberattack cease operations within 6 months (Canadian Chamber of Commerce)
• The average cost of a data breach in Canada reaches $6.9 million CAD in 2025 (IBM Cost of a Data Breach)
• Fewer than 40% of Quebec SMBs have a documented incident response plan

Frequently Asked Questions

What is the most dangerous cyberattack for an SMB?

Ransomware is generally considered the most destructive threat for SMBs, as it can completely paralyze operations for days or weeks. However, Business Email Compromise (BEC) fraud is often the most financially costly, as it results in direct monetary losses.

My business is small, am I really a target?

Absolutely. Cybercriminals increasingly target SMBs precisely because they are often less well protected. Automated attacks make no distinction between a company with 10 or 10,000 employees — they exploit vulnerabilities wherever they find them.

What should I do if my business is the victim of a cyberattack?

Immediately isolate the affected systems to limit the spread, contact your IT provider or your MSP, do not pay a ransom without consulting experts, and report the incident to the Canadian Centre for Cyber Security. If personal information is compromised, you have a legal obligation to notify the Commission d’accès à l’information du Québec under Law 25.

Does cyber risk insurance cover all cyberattacks?

Cyber risk insurance generally covers incident response costs, data restoration, business interruption losses, and civil liability. However, insurers increasingly require that businesses have basic security measures in place (MFA, backups, EDR) to maintain their coverage. Carefully review the exclusions of your policy.

How often should I train my employees on cybersecurity?

At a minimum, annual training with quarterly refreshers and monthly phishing simulations. Cybersecurity evolves rapidly, and employees must be regularly exposed to new techniques used by cybercriminals to remain vigilant.