
CIRA Canadian Shield Insights

Protecting Canadians against increased cyber threats

With more than 2.2 million users across the country, CIRA Canadian Shield is one of the top free trusted public services chosen by Canadians to stay safe online. Designed with security and privacy in mind, the servers are located in Canadian data centres, ensuring that the data never leaves Canadian soil. This service protects users from botnets, phishing and ransomware threats by ensuring that requests to connect to malicious websites are blocked.

In our most recent update to CIRA Canadian Shield, CIRA has partnered with ScamAdviser, an industry leader in scam and fraud detection. ScamAdviser aggregates data from its global user base to determine if websites are legitimate or risky to connect to. By integrating this data with CIRA Canadian Shield, we are able to protect Canadians against a larger set of malicious actors.

In this second edition of our quarterly report, we have analyzed Canadian Shield block data generated in 2021 to provide insights into the security of the internet for Canadians.

Discover our key findings in the report below.


2021: year in review

2021 was another year for the books, punctuated by a spike in critical cyber incidents which impacted Canadians and their online safety.

CIRA Canadian Shield blocked more than 36 million DNS requests to malicious domains during the year. Malware-infected domains were the most common type of threat, with 17.3 million blocks, followed by phishing with 12.3 million and botnets with 5.7 million blocks.

From the 36 million DNS requests to malicious domains blocked by Canadian Shield, 506,974 unique malicious domains were associated with 638 top-level domains (TLDs) in 2021. 

More than 2.2 million users across Canada

More than 36 million DNS requests to malicious domains blocked

Malware and phishing accounted for 88% of all malicious domains

With a total of 12.9 million blocked DNS requests (35.63% of total blocked requests), .com was the most common top-level domain blocked in 2021, while .CA domains accounted for only 0.75% of blocks.

Scam protection by CIRA Canadian Shield

What is a ‘scam’?

Online scams are a form of fraud perpetrated over the internet. Examples of scams include websites that pretend to be another (for example, a fake bank or government site) and collect critical information (such as your social insurance number or your username and password for your actual bank). Other types of scams include fake shops that “sell” you an item that doesn’t exist.

As a public Domain Name System (DNS) resolver that verifies and blocks malicious websites, CIRA Canadian Shield protects users against malware, including scams.

Scam protection against fraudulent domains

In October 2021, CIRA partnered with ScamAdviser to add a new layer of protection to its service and strengthen its anti-fraud capabilities for thousands of users across the country. Every month, ScamAdviser scans one million new domains. Its data is used by anti-virus companies, browsers, and internet filters to protect more than one billion consumers worldwide.

Since scam protection was introduced in October 2021, Canadian Shield has blocked an average of 13,000 requests per day to fraudulent domains, for a total of nearly 900,000 blocks for the quarter ending in December.

CIRA data shows that 72% of scam blocks were for DNS requests originating from Ontario and Quebec. But every province and territory saw its own pattern of scam blocks, centered primarily around isolated spikes in blocks related to individual incidents.

On average 13,000 requests per day

Daily, Canadian Shield records the highest number of scam blocks between 6 p.m. and 9 p.m. ET, with an average of over 10 blocks recorded every minute. This correlates with peak evening online shopping hours.

Canadian Shield identified and blocked requests to fraudulent domains associated with 167 top-level domains. While a majority of these fraudulent domains were only seen in isolated incidents affecting users on a single ISP, or in a small regional area, 384 domains affected users across all Canadian provinces and territories. These 384 fraudulent sites accounted for 62.3% of all scam blocks recorded by Canadian Shield in Q4. The highest hourly spike in scam blocks was recorded on October 25th, when Canadian Shield blocked over 3,400 requests to a gambling site between 10 a.m. and 11 a.m. ET.

Cryptocurrency and online streaming: the most common scam sites blocked  

As more people continue to show interest in the growing and fast-changing cryptocurrency market, scammers do too. According to new data from blockchain analytics firm Chainalysis, scammers around the world took home a record $14 billion in cryptocurrency in 2021 and Canadians were not spared.

Cryptocurrency and online streaming were the most common types of scam sites blocked by Canadian Shield. Cryptocurrency sites accounted for 21.1% of all blocks, followed by online streaming sites with 15.4%. This trend was not observed on popular commercial streaming services like Netflix or YouTube, but predominantly on illegal services.

6 pm and 9 pm ET: peak evening online shopping hours, highest number of scams blocked

10 blocks per minute in the evening

In 2020, Canadians lost +$11 million to digital currency scams

Canadian Shield data has demonstrated that the number of malicious DNS requests blocked by the service has increased in Q4 by 15% compared to Q3, with phishing as the most common threat in Q4.

A total of 13.3 million requests were blocked by Canadian Shield between October and December 2021. That is the highest quarterly total in 2021 and a significant increase over the previous quarter. Whereas malware was the primary driver of blocked DNS requests in the first three quarters of 2021, there was a significant spike in phishing blocks in Q4, making phishing the most common threat in the last quarter of 2021. 

Although the overall volume of blocked DNS requests has increased in Q4 2021, across all policies there were fewer unique malicious domains and TLDs. A total of 133,330 unique domains were blocked in Q4, compared to 183,411 in Q3.

In line with findings from previous quarters, a small number of domains account for a large share of all blocks. In Q4, 254 unique domains accounted for 77% of all malware blocks. Similarly, 579 unique domains accounted for 69% of all phishing blocks. When looking at the breakdown of blocked DNS requests in Q4 by top-level domain, the data shows that .com domains accounted for 36% of all blocks, followed by .net, .org and .cn.

Malicious incidents tend to center on individual users 

Out of the nearly 133,000 unique domains blocked by Canadian Shield in Q4, 127,443 (95.6%) were blocked only for users on a single ISP and were not seen across more than one province or territory. For instance, on October 15th a large spike in malware blocks was linked to Montreal users, who saw over 120,000 blocks of a single malicious domain. At the same time, CIRA Canadian Shield blocked requests to 762 domains for users across Canada. Whereas domains with a Canada-wide reach accounted for only 11% of all phishing and malware blocks, under the scam protection policy 62.3% of all blocks came from domains that affected users across the country.

In Q4 of 2021, Canadian Shield blocked 445,728 DNS requests associated with 37 known botnets. The most common type of botnet blocked by Canadian Shield was Qsnatch, which is a backdoor malware. Other top botnets included Conficker B, used to attack previous versions of Microsoft Windows, as well as Tinba, a financial fraud malware, and Simda, a well-known malware.

Major incidents blocked by Canadian Shield

Stopping financial threats in Q4

Boxing Day and Black Friday are the most notorious days for sales in Canada. While many people get to enjoy amazing discounts during these periods, it is also an opportunity for cybercriminals to take advantage of online buyers.

For the first time, between November 25th and November 30th, Canadian Shield blocked 20,799 requests associated with the botnet known as Fobber, which aims to steal banking account information; the attackers were probably aiming to take advantage of the shopping season. There were 76 domains linked with these blocks, centering on one ISP in Quebec.

Cybercriminals exploited the Log4j vulnerability

Apache open-source software, Log4Shell, made the news in December 2021 when its Log4j piece, which records events and communicates diagnostic messages to system administrators and users, became vulnerable to attackers. The Log4j internet vulnerability affects millions of computers as well as everything from the cloud to developer tools and security devices.

Our data shows there was a total of 91,120 blocked requests associated with 18 domains that cybersecurity researchers have identified as being linked to exploitation attempts of the Log4j vulnerability. The volume of blocks by CIRA Canadian Shield increased sharply after December 13th, peaking at over 7,500 blocked requests on December 26th.

The majority of the blocks were associated with a single ISP in Newfoundland (CANET-ASN-4), which saw 90,136 blocks. The remaining 984 blocked requests were distributed among 17 ISPs across Canada.

The most common domains associated with these attacks were:







About this report

This Canadian Shield Insights report is produced by CIRA to share information about the cyber threats facing Canadian households. Canadian Shield is a substantial way CIRA builds a trusted Canadian internet and gives back to Canada’s community of internet users through our Community Investment Program.

To help Canadians better understand cyber threats, we analyzed CIRA Canadian Shield block data generated between January 2021 and December 2021, with a special focus on October to December 2021 (Q4). 






You can learn more about CIRA Cybersecurity Services here.

CIRA Cybersecurity Services

CIRA has leveraged its experience managing a network of over 3 million .CA domains to develop a suite of enterprise-grade cybersecurity products — made by Canadians, for Canadians: 

  • CIRA DNS Firewall: a cloud-based cybersecurity solution that protects organizations from malware, ransomware, phishing, and other cyberattacks.   
  • CIRA Canadian Shield: a free cybersecurity service that improves privacy by anonymizing DNS queries. It helps Canadian households block viruses, ransomware, and other malware. 
  • CIRA Cybersecurity Awareness Training: an integrated courseware and phishing simulation platform that enables organizations to educate their staff to protect themselves from cyber risks like social engineering and ransomware.