
April 1 comes and goes. The pranks and fake announcements that have you second-guessing everything on April Fools’ Day disappear.
Spring is one of the most productive seasons for hackers. Not because teams are careless, but because everyone’s busy, a little distracted and moving fast. That’s when the almost-believable stuff slips through, the kind that blends into a normal workday and doesn’t feel dangerous until it’s too late.
Here are three scams working right now. Not on gullible people, but on sharp, well-meaning employees who are just trying to get through their day.
As you read through these, ask yourself one honest question: Would everyone on my team pause long enough to catch each one?
Scam #1: The Toll Road (or Parking Fee) Text
An employee receives a text message:
“You have an unpaid 407 ETR toll balance of $8.25. Pay within 24 hours to avoid license suspension.”
The message references a real Canadian toll system, like 407 ETR in Ontario, or even mentions a local municipal parking authority. The amount is small enough to avoid suspicion, and the threat of license suspension or additional fines makes it feel urgent. In the rush of a busy day, the recipient clicks the link and pays without thinking twice.
Except the link is a fake, designed to steal credit card information or install malware.
Canadian authorities, including the Canadian Anti-Fraud Centre, have warned about a surge in fake toll and parking text scams. In recent years, thousands of Canadians have reported receiving texts impersonating 407 ETR or local parking enforcement, with threats ranging from late fees to license suspension. Scammers register lookalike domains and even target people living in provinces without toll highways.
The scam works because small amounts and familiar names make the message believable. Most Canadians have either used a toll road or parked in a municipal lot, so the message feels plausible enough to act on quickly.
Convenience is the bait. Process is the defense.
Scam #2: ‘Your File Is Ready’
This one blends perfectly into everyday work.
An employee receives an email stating that a document was shared with them. It’s usually something ordinary like a contract in DocuSign, a spreadsheet in OneDrive or a file in Google Drive.
The sender’s name looks right. The formatting looks exactly like every other file-share notification they see.
They click. They’re prompted to log in. They enter their work credentials.
Now someone else has them, and if they used their work login, the attacker is inside your company’s cloud environment.
This type of attack has exploded. Phishing campaigns abusing trusted platforms like Google Drive, DocuSign, Microsoft and Salesforce increased 67% in 2025, according to KnowBe4’s Threat Labs. Google Slides-based phishing links alone spiked over 200% in a recent 6-month period.
Even more alarming, employees are seven times more likely to click a malicious link from OneDrive or SharePoint than from a random email because the notification looks identical to the real thing.
The newer versions are even harder to catch. Attackers create files inside compromised accounts and use the platform’s own sharing feature to send the notification. That means the email actually comes from Google’s or Microsoft’s real servers. Your spam filter doesn’t flag it because, technically, it’s a legitimate notification.
Boring habit. Very effective result.
Scam #3: The Email That’s Written Too Well
Remember when phishing emails were easy to spot? We were trained to look out for broken grammar, strange formatting and obvious nonsense.
Those days are over.
A 2025 academic study found that AI-generated phishing emails achieved a 54% click rate, compared to just 12% for human-written ones. That’s more than four times as effective. The reason is straightforward: These emails don’t look like scams anymore. They reference real company names, real job titles and real workflows, all scraped from LinkedIn and company websites in seconds.
The newest twist is departmental targeting. Your HR and payroll team gets fake employee verification requests. Your finance person gets vendor payment redirects. In one recent test, 72% of employees engaged with a vendor impersonation email — 90% higher than other types of phishing. The messages are calm, professional and urgent without being dramatic. They look like a normal Tuesday in your team’s inbox.
Real security doesn’t need to panic people into clicking.
What This Really Comes Down To
All of these scams rely on familiarity, authority, timing and the assumption that “this will only take a second.”
That’s why the real risk isn’t a careless employee. It’s systems that assume everyone will always slow down, double-check and make the perfect call under pressure.
If one rushed click could derail your day, that’s not a people problem; it’s a process problem.
And process problems are fixable.
That’s Where We Can Help
Most business owners don’t want to turn this into another project or become the person responsible for teaching everyone what not to click.
They just want to know their business isn’t quietly exposed.
If you’re concerned about what your team might be dealing with — or you know another business owner who probably should be — we’re happy to have a conversation.
Schedule a straightforward discovery call where we’ll talk through:
- The kinds of risks businesses like yours are seeing right now
- Where issues tend to sneak in through normal, everyday work
- Practical ways to reduce exposure without slowing people down
No pressure. No scare tactics. Just a chance to surface concerns and talk through options for eliminating them.
Call us at 416-410-7268 or book a quick consultation call.
If this isn’t for you, feel free to forward it to someone who’d appreciate the heads-up. Sometimes knowing what to look for is all it takes to turn a “would have clicked” into a “nice try.”
