A sign shop, a cyberattack, and a lesson learned

In the fast-paced world of digital signage and custom installations, businesses are increasingly relying on electronic fund transfers (EFTs) and e-transfers to speed up transactions and streamline operations—especially during postal service disruptions. But as one Canadian signage company recently discovered, while EFTs offer efficiency, they also open the door to sophisticated cybercriminals who are always one step ahead.
What began as a routine payment process nearly turned into a financial disaster.
“We were dealing with postal strikes and delays, so like many others, we learned how to use EFTs for large payments,” said the company owner, who asked to remain unnamed for cybersecurity reasons. “What we didn’t know was that hackers had already found a way in.”
According to the company’s internal IT department, the breach occurred through a seemingly harmless email—using a phishing link, likely an “unsubscribe” click, that granted silent access to the owner’s inbox. The hackers didn’t strike immediately. Instead, they lurked in the background for weeks, quietly rerouting legitimate emails into obscure folders and monitoring the account’s patterns. Then, they made their move.
“They began emailing clients in my name—emails that looked similar to mine—asking for payment on real orders, but with fraudulent EFT forms,” she explained. “The only clue was that the account numbers kept changing.”
It was a sharp-eyed accountant at one of the company’s clients who noticed something was off. She picked up the phone and asked why multiple EFT forms were being sent from the same email address with different banking information, and which account was the right one. That phone call saved the company tens of thousands of dollars.
“When she sent me the emails, I was stunned,” the owner said. “They looked exactly like they came from me, but the account info was completely fake. That’s when I knew I’d been hacked.” Nobody can help you then, not the police, not the banks, not the Canadian Anti-Fraud Centre.
Fortunately, the company’s IT team was able to compile a list of all the fraudulent emails sent during the breach. Thanks to fast action and some good fortune, no payments were lost.
The aftermath
In response, the company implemented a strict new protocol: All EFT instructions must now be confirmed on the phone with known contacts—and no sensitive banking data is sent without verbal verification. “We’re educating our team, our clients, and our sign industry to be extra vigilant. The bad guys are getting better by the day.”
But even that isn’t a silver bullet. What’s even more alarming is what came next. CTV News ran a news report by Pat Foran that highlighted a chilling new development: Artificial Intelligence (AI)-generated scams. Criminals are now using AI to clone voices—making it possible to receive a phone call that sounds exactly like your boss, colleague, or client, asking you to make a payment or change banking information. In other words, the “voice verification” method we all trusted isn’t a guarantee anymore.
And it’s not just EFTs. That same news report warned that e-transfers are equally vulnerable. Hackers can intercept them if the recipient doesn’t have auto-deposit enabled. The CTV report recommends using auto-deposit wherever possible, since it skips the security question and sends the funds directly to a verified account. If you must use a verification question, make it nearly impossible to guess.[1]
A wake-up call
This incident serves as a sobering reminder for everyone—especially small to mid-size shops without in-house cybersecurity teams. As we embrace digital payment systems, we must also adopt digital vigilance.
Here are five key takeaways for the sign industry:
- Verify every EFT transaction with a phone call—and make sure you know who you’re speaking to. Make sure the contact phone number is recognizable. Use context where possible that AI wouldn’t know. Switch e-transfers to “auto-deposit.”
- Educate staff and clients about phishing emails and unusual account changes. Don’t click on any links unless you are sure they are safe. Not even the “unsubscribe” link. Just delete, block, or create an email rule to send unwanted emails to the trash folder. Make sure your accountants, accounts payable staff, comptrollers, and others are aware of hacking and fraud.
- If the font looks different, the grammar seems a bit off, or the email doesn’t feel right, don’t send any money before verification.
- Monitor folders and email—unusual routing or filtering could indicate a hacker’s presence.
- Beef up your IT department. Make sure you secure all email accounts and financial systems and monitor their activity frequently. Use strong passwords and reset them often.
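One way to act on the advice to watch for unusual routing or filtering, shown as an added example that is not part of the original article or the company's own tooling: the Python below reviews a mailbox's rules for the concealment described in the incident, where legitimate mail was quietly moved into obscure folders. It goes slightly further by also flagging rules that delete mail or forward it outside the company. The rule field names, the company domain, and the sample rules are all assumptions constructed for illustration.

```python
import re

# All field names below (move_to, mark_read, forward_to, delete, keywords) are
# assumptions for this example, not any mail platform's real export schema.
OWN_DOMAIN = "signshop.example"          # hypothetical company domain
RARELY_READ = {"rss feeds", "rss subscriptions", "conversation history",
               "junk email", "deleted items", "archive"}
PAYMENT_WORDS = re.compile(r"invoice|payment|eft|e-transfer|bank|remittance", re.I)

def audit_rule(rule):
    """Return the reasons a mailbox rule looks like concealment, or []."""
    reasons = []
    folder = (rule.get("move_to") or "").strip()
    if folder.lower() in RARELY_READ:
        reasons.append(f"moves mail to rarely read folder '{folder}'")
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    if rule.get("mark_read") and (folder or rule.get("delete")):
        reasons.append("marks mail as read while filing it away")
    for addr in rule.get("forward_to", []):
        if not addr.lower().endswith("@" + OWN_DOMAIN):
            reasons.append(f"forwards mail outside the company to {addr}")
    if reasons and PAYMENT_WORDS.search(" ".join(rule.get("keywords", []))):
        reasons.append("matches payment-related keywords")
    return reasons

def audit_mailbox(rules):
    """Map rule name -> reasons, for every rule that raised at least one."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

# Constructed sample rules for one mailbox (not data from the incident).
SAMPLE_RULES = [
    {"name": "Supplier newsletters", "keywords": ["newsletter"],
     "move_to": "Newsletters"},
    {"name": ".", "keywords": ["invoice", "EFT", "payment"],
     "move_to": "RSS Feeds", "mark_read": True},
    {"name": "sync", "keywords": [], "forward_to": ["copy@mailbox.invalid"]},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"[REVIEW] rule '{name}': " + "; ".join(reasons))
```

A flagged rule is a prompt for a person to check who created it and when, not proof of compromise; staff often file newsletters with similar rules.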
Final thoughts
As business owners, we’re all moving faster, doing more digitally, and trying to streamline operations. But speed comes at a cost if security is compromised. “If it could happen to us, it could happen to anyone,” the owner said. “We were lucky. A single phone call prevented a serious financial loss. However, with AI evolving and cybercrime becoming increasingly sophisticated every day, we all need to intensify our cybersecurity awareness. We hope our experience helps someone else avoid a financial nightmare.”
Stay sharp. Ask questions. Verify everything. Because the scammers aren’t slowing down—they’re getting smarter.
Author’s note: Due to the sensitive nature of the cybersecurity incident described above, the author has chosen to remain anonymous. The account is shared by a businessperson working within the industry, with identifying details withheld to protect the individuals and organizations involved.
Note
[1] Read CTV’s news report titled “‘The money was gone’: Ontario woman says her $3,500 e-transfer was intercepted and stolen”: https://www.ctvnews.ca/toronto/consumer-alert/article/ontario-woman-says-her-3500-e-transfer-intercepted-and-stolen-2/




