Cybersecurity Awareness in 2026: How Attackers Target People, Not Just Technology
How social engineering works, why it is now behind most breaches, and the free and paid steps that keep a BC business protected.
What you'll take away
- Social engineering is now the most common way attackers get in. They target people and trusted relationships, and AI has made the messages far more convincing.
- Learn to recognize the four patterns: phishing, baiting, honey trapping, and watering-hole attacks, each shown with a real example.
- A legitimate-looking DocuSign or file link can capture your password and your MFA code, so multi-factor on its own is not enough.
- Most breaches are preventable. Roughly two-thirds of 2024 attacks involved insider negligence, and smaller businesses are targeted more often than large ones.
- Five protections you can put in place for free, and five worth paying for, including MFA, device whitelisting, tested 3-2-1 backups, and staff phishing training.
This is a recording of a short seminar Jake ran for Umbrella IT clients at the start of 2026. It covers the threat now behind most breaches, social engineering, and the practical steps a business can take to stay protected. It is written for owners and staff, not for IT specialists, so there is no jargon to wade through.
You can watch the full session above, or read the summary and complete transcript below.
What the session covers
The heart of the talk is a simple shift: attackers now go after your people and the trust between them, not just your firewall or antivirus. AI has made that far easier and far cheaper, so the volume and quality of these attacks have climbed sharply.
Jake walks through four patterns, each with a real example, then covers what a breach costs, how an attack actually unfolds, and the specific protections that stop it.
The four patterns to recognize
- Phishing. A message that impersonates a source you trust and asks you to sign in or hand over information. The modern version hides a malicious link inside a genuine DocuSign or file share, and the fake sign-in page captures your password and your MFA code at the same time.
- Baiting. An offer that is too good to be true. A gift card, a refund you never claimed, a prize for a draw you never entered. The goal is to get you to click and enter information.
- Honey trapping. Someone builds a relationship with you over social media, a dating app, or LinkedIn, then uses that trust for blackmail or a fraudulent payment.
- Watering-hole attacks. A site or database you use often is compromised, so a page you trust starts collecting your sign-in details or serving malicious files.
What a breach costs, and who gets hit
The consequences reach well past the initial loss: regulatory fines, lost client trust, corrupted or ransomed data, and downtime that commonly runs four to twelve weeks. Around 60% of affected small businesses close within six months.
Two numbers stand out. About two-thirds of social engineering attacks in 2024 traced back to insider negligence, meaning they were preventable. And smaller organizations are targeted far more often than large enterprises, because they are easier to reach and there are many more of them.
How to protect a business
Jake closes with a checklist split into free and paid measures.
Five you can do for free: custom-branded sign-in pages, multi-factor authentication, device whitelisting, correct email authentication records (SPF, DKIM, and DMARC), and written IT and operational policies.
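The SPF and DMARC records mentioned above are the same ones automated scanners read to decide whether a domain looks neglected. As an added example (not the seminar's or Umbrella IT's code), the Python script below parses SPF and DMARC TXT record strings and reports the gaps a receiver or scanner would flag. The records are constructed samples standing in for DNS answers; DKIM is left out because checking it requires knowing each sender's selector name.

```python
"""Assess a domain's SPF and DMARC posture from its TXT records.

Added example. The records in SAMPLE_TXT are constructed and stand in for
DNS TXT answers; a real check would fetch them with a DNS lookup instead.
"""
import re

# Constructed sample TXT records keyed by the DNS name they would live at.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    # "missing.example" has no records at all.
}

# SPF mechanisms/modifiers that each cost one of the ten permitted DNS lookups.
LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)


def parse_dmarc(records):
    """Return the DMARC tag dictionary, or None if no DMARC record is present."""
    for record in records:
        if record.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain, txt):
    """Return a list of findings; an empty list means SPF and DMARC look sound."""
    findings = []

    spf_records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("SPF: no record, anyone can send as this domain without failing SPF")
    elif len(spf_records) > 1:
        findings.append("SPF: multiple records, receivers treat this as a permanent error")
    else:
        mechanisms = spf_records[0].split()[1:]
        terminal = mechanisms[-1].lower() if mechanisms else ""
        if terminal in ("+all", "all"):
            findings.append("SPF: '+all' lets any sender pass")
        elif terminal == "?all":
            findings.append("SPF: '?all' is neutral and gives no protection")
        elif terminal not in ("-all", "~all"):
            findings.append("SPF: no terminal 'all' mechanism, unlisted senders are neutral")
        lookups = sum(1 for m in mechanisms if LOOKUP_MECHANISM.match(m))
        if lookups > 10:
            findings.append("SPF: more than 10 DNS lookups, receivers return a permanent error")

    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("DMARC: no record, spoofed mail is not rejected or reported")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "missing.example"):
        result = assess_domain(name, SAMPLE_TXT)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

To run this against a real domain, replace `SAMPLE_TXT` with the strings returned by a TXT lookup for the domain and for `_dmarc.<domain>` (for example `dns.resolver.resolve(name, "TXT")` from dnspython); the assessment logic stays the same. A DMARC policy of `quarantine` or `reject` with a `rua=` address is what stops impersonation of your domain and tells you when it is attempted.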
Five worth paying for: email filtering, tested backups on the 3-2-1 rule, alerting and response, dark web monitoring, and regular phishing training for staff.
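The transcript describes attackers creating mailbox rules that hide or reroute a target's messages, and the alerting described above flags mailbox-rule changes. As an added example of what that alerting looks like (not the seminar's or Umbrella IT's code), the Python script below triages rule-creation events from a mailbox audit log and scores the traits that distinguish an attacker's rule from an ordinary one. The log lines are constructed and only loosely modelled on the Exchange Online audit format; the field and parameter names are assumptions for this example.

```python
"""Triage mailbox-rule creation events for signs of attacker-installed rules.

Added example. SAMPLE_AUDIT_LOG is constructed JSON-lines data whose shape is
loosely modelled on Exchange Online mailbox auditing; field names are assumptions.
"""
import json

SAMPLE_AUDIT_LOG = """\
{"Operation": "New-InboxRule", "UserId": "owner@example.com", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "FromAddressContainsWords", "Value": "bank.example;invoice"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "staff@example.com", "ClientIP": "203.0.113.9", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "SubjectContainsWords", "Value": "newsletter"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "Set-InboxRule", "UserId": "finance@example.com", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Identity", "Value": "Payments"}, {"Name": "SubjectContainsWords", "Value": "payment;wire transfer"}, {"Name": "ForwardTo", "Value": "archive@outside-example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "MailItemsAccessed", "UserId": "owner@example.com", "ClientIP": "198.51.100.7", "Parameters": []}
"""

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for the sample data
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders users rarely open, so mail moved there effectively disappears.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Words an attacker filters on to intercept money or credential traffic.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "password",
                   "mfa", "verification", "security"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"FromAddressContainsWords", "SubjectContainsWords",
                  "BodyContainsWords", "SubjectOrBodyContainsWords"}


def _params(event):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def score_rule(event):
    """Return (score, reasons) for one rule event; each suspicious trait adds one."""
    p = _params(event)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    for name in FORWARD_PARAMS:
        target = p.get(name)
        if target:
            where = "external" if not target.lower().endswith("@" + INTERNAL_DOMAIN) else "internal"
            reasons.append(f"forwards mail to {where} address via {name}")
    folder = p.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
        if p.get("MarkAsRead", "").lower() == "true":
            reasons.append("marks hidden mail as read")
    rule_name = p.get("Name", "")
    if rule_name and (len(rule_name.strip()) <= 2 or not any(c.isalnum() for c in rule_name)):
        reasons.append(f"obfuscated rule name {rule_name!r}")
    words = set()
    for key in KEYWORD_PARAMS:
        words.update(p.get(key, "").lower().replace(";", " ").split())
    hits = sorted(words & SENSITIVE_WORDS)
    if hits:
        reasons.append("filters on finance/security keywords: " + ", ".join(hits))
    return len(reasons), reasons


def triage(audit_jsonl, threshold=2):
    """Return alerts for rule events scoring at or above the threshold."""
    alerts = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("Operation") not in RULE_OPERATIONS:
            continue
        score, reasons = score_rule(event)
        if score >= threshold:
            alerts.append({"user": event.get("UserId"), "client_ip": event.get("ClientIP"),
                           "operation": event["Operation"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_AUDIT_LOG):
        print(f"{alert['user']} ({alert['operation']} from {alert['client_ip']}): score {alert['score']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

The ordinary "Newsletters" rule scores zero and is never shown, while the two attacker-style rules (a punctuation-only name that hides bank and invoice mail in the RSS folder, and a rule that forwards payment mail off-domain and deletes the original) surface with their reasons listed. In practice the same scoring can be fed from the tenant's audit export, and the `ClientIP` lets you correlate a rule change with the sign-in that preceded it.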
Full transcript
Lightly edited for readability. The recording above is the source of record.
Welcome and format
Hello everybody, and I hope you are having a great new year. My name is Jake from Umbrella IT Services, and I appreciate everybody taking the time to join me for a brief seminar on cybersecurity awareness in 2026.
A few things to get out of the way. This recording will be available in an evergreen fashion, so you can come back and reference it any time. If you have questions during the presentation, put them into the live chat and I will address them where I can. There is also a Q&A at the end, so if you have to step away you can still ask your question and reference the answer later.
The number one threat: social engineering
The first thing I want to talk about is the number one threat I have seen across our clients, across the industry, and in conversations with other security experts, managed service providers, and web developers. There is a very consistent threat across all industries that has been kicked into overdrive by AI over the last couple of years, and that threat is social engineering.
Social engineering is where malicious actors hack people instead of hacking technology. The hard part is that it does not matter how much you spend on security tools, how good your antivirus is, or how expensive your firewall was. These people target the people inside your organization, and they leverage trusted relationships to gather sensitive information or install malicious software. I am going to cover four main types, then some solutions.
Pattern one: phishing
A phishing scam is when a malicious actor impersonates a trusted source to gather sensitive information or install malicious software. Only about half of staff can correctly define one. It is a fraudulent communication over email, text, phone, or the web that impersonates a trusted source, sparks an emotional response with a call to action, and then collects information or installs software.
Here is how sophisticated these have become. In the past you would get a message with broken English and spelling mistakes. That was often intentional, a filter to find people who were not paying attention. Those days are largely behind us. Now the attacker impersonates a trusted source and buries a malicious resource inside an expected one.
Say someone sends you a real DocuSign, from a person you trust, at a time you were expecting it. The context makes sense. Inside the DocuSign there is a link to a OneDrive, Google Workspace, or Dropbox document. You open it and land on a Cloudflare human-verification page, which tells you these actors are now spending money to add a layer of authenticity. After the verification you reach what looks like a normal Microsoft or Google sign-in page. You sign in, the page refreshes, you sign in again, and then it tells you the resource cannot be found, or that an app is asking for permission to your organization.
What they are doing is capturing your email, your password, and your two-factor code, then connecting your account to one of their devices. The point is to capture your two-factor token and get into your system. So even if you have two-factor, this does not keep you safe on its own, and an email filter does not either, because the link they send is legitimate and the document it points to is legitimate. It is the link inside the link that is malicious, and the human-verification step stops automated tools from detecting the fake page.
Pattern two: baiting
Baiting is the too-good-to-be-true situation. They offer you an Amazon gift card, some crypto, or a refund from the government. That is how you can tell it is not real. It is mostly common sense: do not sign in to your bank for an e-transfer you were not expecting, do not give up a two-factor token, and do not hand over personal information to collect a prize for a draw you never entered. There are tools that filter these out, but if one reaches you by text or phone, stay suspicious. If it seems too good to be true, it usually is.
Pattern three: honey trapping
Honey trapping is where someone builds a relationship with you to gain your trust, then uses it against you. I want to give an example that covers a common assumption, that this only catches naive people. In the UK, a member of parliament met someone on a dating app, exchanged photos, and was then told the photos would be released to his constituents unless he handed over names and phone numbers of others in his party. He passed that information along, and around a dozen of those people received a range of phishing attacks. It became a scandal and he resigned.
I have seen versions of this personally. A client's daughter met someone on a dating app, exchanged photos, and the client was then blackmailed directly. This causes real emotional distress. The point is that these people will target your loved ones, your coworkers, and your friends to get to you or to someone you know. They have no barriers. Anyone you meet online, without meeting them in person, you cannot be sure is real. It is projected that by 2028, one in four job applicants could be fraudulent. The current figure is closer to one in twelve.
Pattern four: watering holes
A watering-hole attack is where someone compromises a trusted resource you use often, such as a database or a site you buy from. We occasionally use Best Buy for Business. One of our tools caught that the "forgot password" page had apparently been compromised. When I clicked the link it warned me, so I did not sign in. If I had, we could have been defrauded. It could just as easily be a fake Facebook page, a health record system, or any application you rely on, with a fake landing page put in place to capture your sign-in details.
What a breach can cost
People tend to think of a breach as sending some money out and resetting passwords. The longer-term impact is bigger. There are legal and regulatory fines if you are responsible for client data and you are the reason it leaks. There is loss of trust, which leads to lost business, downtime, staff leaving, and higher insurance. There is data loss, including ransomware and tampering with the integrity of your records. The cost of downtime is a large one: it contributes to around 60% of affected businesses shutting down entirely, with average downtime of four to twelve weeks. On top of that come restoration costs and higher insurance renewals.
The numbers
Almost two-thirds of social engineering attacks in 2024 were the result of insider negligence. Negligence is different from an accident. An accident is out of your control. Negligence is when you knew what could have prevented the situation and did not do it. So two-thirds of these attacks are preventable by not being negligent, and we will go over the checklist for that.
About 60% of affected organizations shut down permanently within six months. About 60% of organizations also believe they are unlikely to be attacked, and that group is statistically the most likely to be hit, especially in an age where most attacks are automated and scanning for holes. Smaller organizations are subject to roughly four times as many attacks as enterprises. You hear about the large breaches, but not the electrical company on the North Shore or the accounting firm in Burnaby, and those happen every week. From an attacker's point of view it is simple: go after a hundred small companies with an automated platform, rather than a company like Microsoft with thousands of engineers defending it.
The trend is clear. Most attacks in 2024 and 2025 used social engineering, with phishing at nearly 40%, and much of the rest being other forms of phishing and stolen credentials. Malware and ransomware are a smaller share than they once were. The number of successful attacks on Canadian small businesses has risen sharply, and early reports suggest attacks tripled from 2024 to 2025, driven by AI. These are effective attacks that actually work, not the old spam you would ignore.
Who gets targeted
Unfortunately, it is essentially everyone. One client did not implement two-factor for over a year. One of their caterers was breached and sent an invoice with a watering-hole link. Information was stolen and credit card fraud was committed. They were able to roll most of it back, but the attackers used what they gathered to target another person in the network. These people do not just shut your business down, they use you to reach the next round of people.
It does not matter what field you are in. If any of your technical layers are public, your website, email, social media, or firewall, and they show signs of negligence, such as missing domain records, missing email filters, or open ports, you go on the radar and get bombarded with automated attacks. Some of our clients see over a hundred sign-in attempts every fifteen minutes, from all over the world.
What attackers go after
Once inside, they want the systems that hold value: your practice-management or accounting database, your users so they know who to impersonate, your devices so they can watch what you type, your servers, and your networks. A passive attack, where they quietly monitor traffic and behaviour, is now more common than an active one. They want your cloud accounts, because an AI can summarize your email, contacts, and calendar in seconds. They want your communication platforms, your website and its contact form, your backups, and even your physical access-control systems. I have seen clients physically broken into after their network and access codes were cracked from a compromised email account.
The information they are after is login credentials, financial details, backup and recovery details, intellectual property, and confidential records. They use it for blackmail, for ransomware, or to make you part of the next scam against people who trust you.
How an attack unfolds
First they research you with AI across anything public: your technical records and your social media. I have seen a fake LinkedIn profile reference a real lunch that a target's family had, taken from a public Instagram post, to build instant credibility before sending a meeting link that turned out to be a phishing link.
Once you engage, you are usually breached. They stay quiet for four to six months, collecting what they want with as little disruption as possible, clean up after themselves, then spread out to your network using you as the lever. In the account, they connect an unknown device, change recovery details, and often set mailbox rules so that messages to and from a target are hidden from you and rerouted to them. I have also seen them install a universal backup tool across an organization, so every contact, meeting, and internal chat flows to the attacker.
From there they impersonate you at exactly the right moment. They wait until you finish a real meeting, then email that person: "Great meeting just now, I forgot to mention I need you to sign this document." The person signs in, the page resets, and the attacker smooths it over with a benign follow-up. The person never realizes their account is now compromised, and the cycle repeats months later. They also use HR information for identity theft, and impersonate staff to redirect payroll or request payments from your clients and vendors.
Protecting yourself: five free steps
The top five here are free. Custom sign-in pages: brand your Microsoft or Google sign-in so staff are trained never to enter credentials unless they see your custom page. That alone sharply reduces phishing success. Multi-factor authentication: every client of ours who was breached by these attacks did not have it in place. Device whitelisting: even if a password and token are stolen, an unregistered device cannot connect, which solves the majority of these problems and takes a couple of hours to set up. Email authentication records, meaning SPF, DKIM, and DMARC, so people cannot impersonate you and automated tools do not flag you as negligent. And written IT and operational policies, such as acceptable use and a rule that any payment over a set amount requires more than one check before it goes out.
The paid tools I recommend are email filters, active and tested backups, alerting and response software, dark web monitoring for you and your partners and vendors, and regular phishing training for staff, ideally on a repeating schedule with reporting on who needs coaching.
Backups: the 3-2-1 rule
We use the 3-2-1 backup system. Keep backups in three locations, with two on completely separate providers, and one in cold storage so a live breach or corruption cannot reach it. Consider your downtime tolerance, how much space you actually need, how often backups run, and how long you keep them, because if attackers sit in your system for a year, a year of backups can be infected. Decide whether you want file-only backups or a full system image, and use a vendor that regularly tests and restores your backups.
Endpoints, email, and policies
For endpoints: use antivirus, and use a non-admin account day to day so that installing software requires an administrator password. Stay current, and do not run Windows 10 unless you are on the extended security update. For email: use multi-factor, back up your data, use filters, and set access restrictions. A business owner's everyday email account should not have admin access; use a separate dedicated admin account. Restrict access to approved devices, and make sure you can remotely wipe a lost or stolen device. On policies, the important ones are acceptable use, password policy, permission sets, a disaster recovery plan, an incident response plan, and a bring-your-own-device plan. Work email and work devices are for work only.
What we already have in place, and a free penetration test
For most people on this call, we already have antivirus, malicious-site filtering, device management, backups, security updates, and network security in place. Most clients are now on our cloud security bundle, which adds dark web monitoring, email filtering, AI-driven email threat prevention that follows links through to the real destination, bimonthly phishing training, live backups, and alerting on your Microsoft and Google accounts so unusual sign-ins, new app permissions, mailbox-rule changes, and data exfiltration can be flagged or blocked. For clients who want it, a managed security operations center is available as a complementary 24/7 option.
We are also offering a free penetration test to clients on the cloud security bundle. It normally runs ten to fifteen thousand dollars. We look at your devices, network, servers, and cloud services, then give you a full executive summary. It is effectively a check on us: is your system up to date, are there holes, is it easy to break in. It also helps you pursue higher-level clients and better cyber insurance rates. File a ticket if you would like it.
Closing
That is about it, and we are right on the hour. The single most important thing to keep in mind is that your trusted relationships can and will be leveraged against you. When you receive expected communications from trusted sources, stay diligent and check things out before you enter a password or send money. Do not be part of the two-thirds who are compromised through negligence. Thank you all for your time, and I hope you have a fantastic 2026.
Want this checked against your own setup?
Book a free IT assessment and a senior tech will review where your business stands, with no obligation.