How identity theft happens — and how to keep your accounts safe
With fraud losses and identity theft in Canada at an all-time high and internet scammers arming themselves with an increasingly sophisticated array of tricks and techniques, Canadians need to be vigilant and avoid becoming fraud victims.
The methods these fraudsters and scammers use have become more insidious and invasive over time. However, their goal is still largely the same: they want to know more about you so they can steal your identity, access your accounts and, eventually, take your money.
What is the best way to safeguard yourself against the rise in identity theft? Stay informed.
“Client education is really the most important thing,” said Rachel Topalov, Tangerine’s Director of Fraud Strategy and Governance. “If you have an awareness of the scams that exist, you will be in a far stronger position than someone who doesn’t know.”
With that in mind, here are a few of the most common methods identity thieves use to obtain your personal information and access your accounts.
Your social media accounts are a buffet for a scammer hungry for information about you.
“Social media is the perfect spot for a collection of information,” Topalov said.
Think about all the identifying info you might have unwittingly offered up on your social media feed. Right off the top, many Facebook profiles feature our real names, birthdays and geolocation. Digging deeper into your posts, photos and comments could likely reveal names of family members, details about your employment and educational history, and insights into your interests.
All of that information could be used to bypass your security questions, crack your passwords, or create convincing phone scams relating to your family or work.
“People say to never accept a friend request unless you really know the person, and that really is important,” Topalov said. “Be cautious about what you’re posting and what information you’re providing in terms of who you are.”
Phishing, vishing and smishing
For many of us these days, it can feel like we’re wading through a never-ending swamp of scam texts, calls and emails.
Phishing is when cybercriminals pose as legitimate businesses in order to get your personal information. We need to be wary of legitimate-looking emails and texts with links to fraudulent facsimiles of the real websites of banks, government institutions and other trusted organizations. When you enter your account information and password on the phony sites, you hand them directly to scammers.
Vishing refers to the same process of fraudulently impersonating reputable institutions and companies but doing so over the phone. And smishing is when the impersonation happens over a text message.
In all cases, fraudsters are getting more crafty, clever and convincing with their approaches.
“There are very strong capabilities from a fraudster perspective to spoof that never existed before,” Topalov said.
“They can spoof the number that’s calling the client so that it looks very much legitimate, or they can perfectly spoof or emulate a real website for its look and feel.”
Apart from a web address that might be slightly different from the legitimate one – perhaps with an extra letter or with the letter I replaced by an L – it can be hard to tell the fake from the real thing.
Although these types of scams can affect anyone, the rise of senior spear phishing — targeted attacks on older Canadians — means older people may need to exercise a higher degree of caution.
A particularly prevalent type of vishing, bank impersonations are “fairly widespread and transcend age demographics,” Topalov said.
Often fraudsters trick their victims into thinking they are real representatives of the bank by supplying personal information that might be available online. They might even share the first four or eight digits of your debit or credit card number. This is known as a Bank Identification Number or BIN, and it connects your card with the financial institution that issued it. Anyone can look up a BIN online, but to someone receiving what seems like a legitimate call from their bank, that piece of information could seem like enough to establish trust.
These scammers even have strategies to evade two-step authentication.
Once they have you on the phone, having already used spoofing or other trickery to gain access to your account, getting past two-step authentication is the final hurdle. So the scammer might say that they need to confirm your identity by emailing you a code and then asking you to read it back to them. Of course, what's happening is they are trying to log into your account, which triggers an email from your bank with a temporary, one-time passcode. Once you share that passcode, they can use it to change the email address associated with your account and gain full access.
How to stay safe and secure
There are plenty of practical steps you can take to try to protect yourself against identity theft.
When you get a call purporting to be from your bank or another trusted institution, look up the number on the back of your bank card and call back. Never disclose your PIN to anyone for any reason (real banks will not call and ask for this information). Topalov also recommends using biometrics whenever possible — using your face, fingerprint, or voice print to verify your identity — for an added layer of security.
And most importantly, stay continuously informed and aware.
“Try to access your accounts regularly, and check and read any notifications from your bank — we send them out when certain changes are made to your online accounts,” Topalov said. “If you see any activity that you feel might not be your own, that’s certainly a trigger to call us.
“And the No. 1 key here is still client education.”