Skip to main content Skip to chat

How identity theft happens — and how to keep your accounts safe

Here are a few of the most common methods identity thieves use to pry your personal information and access your accounts.

Written by Nick Patch

October 4, 2023

Key takeaways

  • Think carefully about what you share on social media and accept friend requests only from people you actually know.

  • Be cautious opening any links in text messages or emails.

  • If you get a call from someone claiming to be from your bank, call back using the number on the back of your card.

  • Stay educated on the latest scams because they're getting more and more sophisticated.

How identity theft happens — and how to keep your accounts safe

With fraud losses and identity theft in Canada at an all-time high and internet scammers arming themselves with an increasingly sophisticated array of tricks and techniques, Canadians need to be vigilant and avoid becoming fraud victims.

The methods these fraudsters and scammers use have become more insidious and invasive over time. However, their goal is still largely the same: they want to know more about you so they can steal your identity, access your accounts and, eventually, take your money.

What is the best way to safeguard yourself against this rising identity theft? Stay informed.

“Client education is really the most important thing,” said Rachel Topalov, Tangerine’s Director of Fraud Strategy and Governance. “If you have an awareness of the scams that exist, you will be in a far stronger position than someone who doesn’t know.” 

With that in mind, here are a few of the most common methods identity thieves use to pry your personal information and access your accounts.

Social media

Your social media accounts are a buffet for a scammer hungry for information about you.

“Social media is the perfect spot for a collection of information,” Topalov said. 

Think about all the identifying info you might have unwittingly offered up on your social media feed. Right off the top, many Facebook profiles feature our real names, birthdays and geolocation. Digging deeper into your posts, photos and comments could likely reveal names of family members, details about your employment and educational history, and insights into your interests.

All of that information could be used to bypass your security questions, crack your passwords, or create convincing phone scams relating to your family or work.

“People say to never accept a friend request unless you really know the person, and that really is important,” Topalov said. “Be cautious about what you’re posting and what information you’re providing in terms of who you are.”

Phishing, vishing and smishing 

For many of us these days, it can feel like we’re wading through a never-ending swamp of scam texts, calls and emails.

Phishing is when cybercriminals pose as legitimate businesses in order to get your personal information. We need to be wary of legitimate-looking emails and texts with links to fraudulent facsimiles of the real websites of banks, government institutions and other trusted organizations. When you enter your account information and password on the phony sites, you hand them directly to scammers.

Vishing refers to the same process of fraudulently impersonating reputable institutions and companies but doing so over the phone. And smishing is when the impersonation happens over a text message.

In all cases, fraudsters are getting more crafty, clever and convincing with their approaches. 

“There are very strong capabilities from a fraudster perspective to spoof that never existed before,” Topalov said.

“They can spoof the number that’s calling the client so that it looks very much legitimate, or they can perfectly spoof or emulate a real website for its look and feel.” 

Apart from a web address that might be slightly different than the legitimate one – perhaps with an extra letter or with the letter I substituted with an L – it can be hard to tell them apart.

Although these types of scams can affect anyone, the rise of senior spear phishing — targeted attacks on older Canadians — means older people may need to exercise a higher degree of caution. 

Bank impersonations

A particularly prevalent type of vishing, bank impersonations are “fairly widespread and transcend age demographics,” Topalov said.

Often fraudsters trick their victims into thinking they are real representatives of the bank by supplying personal information that might be available online. They might even share the first four or eight digits of your debit or credit card number. This is known as a Bank Identification Number or BIN, and it connects your card with the financial institution that issued it. Anyone can look up a BIN online, but to someone receiving what seems like a legitimate call from their bank, that piece of information could seem like enough to establish trust.

These scammers even have strategies to evade two-step authentication. 

Once they have you on the phone, having already used spoofing or other trickery to gain access to your account, getting past two-step authentication is the final hurdle. So the scammer might say that they need to confirm your identity by emailing you a code and then asking you to read it back to them. Of course, what's happening is they are trying to log into your account, which triggers an email from your bank with a temporary, one-time passcode. Once you share that passcode, they can use it to change the email address associated with your account and gain full access.

How to stay safe and secure

There are plenty of practical steps you can take to try to protect yourself against identity theft.

When you get a call purporting to be from your bank or another trusted institution, look up the number on the back of your bank card and call back. Never disclose your PIN to anyone for any reason (real banks will not call and ask for this information). Topalov also recommends using biometrics whenever possible — using your face, fingerprint, or voice print to verify your identity — for an added layer of security. 

And most importantly, stay continuously informed and aware.

“Try to access your accounts regularly, and check and read any notifications from your bank — we send them out when certain changes are made to your online accounts,” Topalov said. “If you see any activity that you feel might not be your own, that’s certainly a trigger to call us.

“And the No. 1 key here is still client education.”

This article or video (the “Content”), as applicable, is provided for information purposes only. It is not to be relied upon as financial, tax or investment advice or guarantees about the future, nor should it be considered a recommendation to buy or sell. Information contained in this content, including information relating to interest rates, market conditions, tax rules, and other investment factors are subject to change without notice and Tangerine Bank is not responsible to update this information. References to any third party product or service, opinion or statement, or the use of any trade, firm or corporation name does not constitute endorsement, recommendation, or approval by Tangerine Bank of any of the products, services or opinions of the third party. All third party sources are believed to be accurate and reliable as of the date of publication and Tangerine Bank does not guarantee its accuracy or reliability. Readers should consult their own professional advisor for specific financial, investment and/or tax advice tailored to their needs to ensure that individual circumstances are considered properly and action is taken based on the latest available information.

Tangerine Investment Funds are managed by Tangerine Investment Management Inc. and are only available by opening an Investment Fund Account with Tangerine Investment Funds Limited. These firms are wholly owned subsidiaries of Tangerine Bank. Commissions, trailing commissions, management fees and expenses all may be associated with mutual fund investments. Please read the prospectus before investing. Mutual funds are not guaranteed, their values change frequently and past performance may not be repeated.