Technology is transforming how we live and work, making everyday tasks faster and more convenient. But with innovation comes risk - and cyber criminals are keeping pace. 

Tools like generative AI can create lifelike content, video and audio in seconds. While these advancements offer powerful efficiencies, they also open the door to increasingly sophisticated cyber threats. 

In fact, cyber-related fraud in Canada nearly doubled between 2019 and 2024 - rising from 22,746 to 46,301 incidents, according to Statistics Canada. 

And it’s not just the tools that are evolving - so are the tactics. Threat actors are using cutting-edge technology to steal sensitive data, impersonate trusted individuals and exploit vulnerabilities for financial gain. 

“Threat actors today are pretty well funded,” says Johan Fick, Director of Digital Solutions at CSS.  

He notes that ransomware attacks are on the rise, with one company reportedly paying approximately $75 million in 2024 to recover its data – a record-breaking figure. 

With deep pockets and access to advanced AI tools, cyber criminals no longer need technical expertise. They can buy pre-packaged solutions to identify vulnerabilities and launch attacks.  

Some even apply for jobs at reputable companies under false pretenses or offer employees large incentives – sometimes in the millions – to hand over credentials. 

AI and cybersecurity  

AI-driven threats are also becoming harder to detect. 

According to the Get Cyber Safe Awareness Tracking Survey, 65% of Canadians are worried about AI-related cybercrime. 

“I think we don't even really know all the different ways that AI could potentially be used maliciously,” says Fick. 

Recent incidents involve deep fakes impersonating company executives using synthetic video and audio to convince their teams to transfer large sums of money or hand over passwords. 

In China, an employee was tricked into transferring $25 million to a fraudulent account after having a video call with his company’s Chief Financial Officer (CFO) – except it was not the company CFO. It was a deep fake impersonating the executive. 

“AI can imitate somebody's voice so accurately, you might think you’re speaking to the real person,” says Fick. “And the only way to tell is if something seems off in the way that they maybe answer questions." 

However, threat actors are becoming increasingly sophisticated and may have done enough research on the person and pre-programmed the AI to be able to answer those questions. 

So how do organizations mitigate the risk of an encounter with a deep fake? 

The CSS Digital Solutions team says that penetration testing tools exist to simulate threat actors and try to break into systems. The tool then provides a report of any vulnerabilities it finds, which can help organizations strengthen their defenses. 

But as Fick points out, threat actors are using similar tools to do the same. 

Humans and cybersecurity 

While AI presents new risks, human error remains one of the biggest vulnerabilities in cybersecurity. 

“Social engineering, people accidentally clicking on a phishing link or not having a strong password or using the same password in multiple different locations for the same thing,” Fick explains. “So that if one password gets breached, suddenly the threat actor has access to multiple different accounts.” 

Fick adds that that is where cybersecurity awareness training comes in. For example, CSS staff must complete an annual training module, along with micro-trainings throughout the year to stay in-the-know on the latest threats on the horizon.  

Organizations can also run simulations – such as sending fake phishing emails to staff – to test methods like the SLAM method (Sender, Links, Attachments and Message) to spot suspicious emails. 

Fick also stresses how important it is for organizations to carefully screen candidates during the hiring process by conducting comprehensive background checks, for example. 

“Making sure that the people we hire are who they say they are, that they are trustworthy, and that their background is what we expected it to be and that it actually meets our expectations,” he says. 

Beyond human factors, technical safeguards play a key role. CSS uses tools like password vaults, data backups and firewalls to monitor network traffic and detect malicious activity. If a threat is identified, the system can isolate the affected machine to prevent further damage. 

A comprehensive incident response plan rounds out the organization’s cybersecurity strategy, ensuring swift action when threats arise. 

Keeping your information secure 

In addition to CSS’ robust internal cybersecurity program, new features have been added to the myCSSPEN portal to help members protect their personal information. 

Multi-factor authentication (MFA) is now available and can be enabled by logging into myCSSPEN and navigating to: Account menu > Account settings and security > Setup multi-factor authentication. 

While currently optional, MFA adds an extra layer of protection to your account. 

CSS has also introduced a secure file drop area, allowing members to safely submit forms and documents without relying on email, which can be vulnerable to interception. 

While CSS works hard to safeguard member data, individuals also play a key role in protecting their own information. 

“Creating a new password for every account is a good idea,” says Whitney Bueckert, CSS’ Technical Manager, Software Development. “I know for myself I appreciate our password vault. Whatever application you use for your password vault, you get to have nice, secure, unique passwords and you don't have to remember them. You just have to remember the one to get into your vault.” 

Tips to protect your information and devices:

• Create a new password for every account – or even better – use a password vault to auto-create secure and unique passwords. 

• Enable MFA on your accounts and aim to use an authenticator app to maximize security. Sending verification codes to email works too, but email can be breached. 

• Educate yourself by reviewing cyber tips from reputable sources or engage in cyber conversations through platforms such as LinkedIn. 
  

The best thing members can do if they notice suspicious activity with their CSS account or are unsure of what to do? Contact the CSS office directly. 

“Just reach out and we can get the right answers for you,” says Fick.