It arrives in your inbox one day: An official-looking email from your bank, a favourite retailer or maybe even the taxman, with an urgent request for you to click on a link to verify personal details or face the consequences.
Although these requests appear serious and you may be tempted to take action, odds are they are phishing scams: Emails designed to lure users into sharing personal information or clicking on links that infect their computer with malware — and they're getting more sophisticated every year, say experts.
From the second you click that link, says Tom Hancock, director of Tangerine's financial economic crimes unit, the fraudsters are in your computer system.
"People don't necessarily think that anyone can really get that much with this malware, but it will continually send information back to the fraudster. So you go online to do banking, they've got your account, they've got your name, they've got your PIN, your login," he says.
For those who fall victim to online fraud, the impact on their bank account, credit rating and identity can be devastating.
Larry Keating, president and CEO of NPC, a provider of secure, managed mobile computing solutions for professionals, says personal information is like gold to cyber criminals because they can use it for so many purposes.
"It may not be a direct attack on that person's finances, trying to get at their money and credit cards. They could use (someone's personal info) to create other false identities that can then ruin the creditworthiness or the credit picture of that individual," he says.
While our constant use of technology means it's almost inevitable that one of these suspicious emails will find its way to you, there are steps you can take in order to minimize the risk of being a victim.
Beef up your technology: First of all, make sure you have the right technology, says Keating. The more advanced your system, the better it will be at protecting you from incoming threats.
"The latest is usually the best — and that's your operating system, your office suite, your web browser. Make sure those are all new and up-to-date. It's worth the investment." Being up-to-date will allow other technologies that protect you from phishing scams — anti-malware software and your firewall — to work more effectively.
Use common sense: Although most consumers are wise enough not to fall for a phishing email from a financial institution they don't bank with, the scam may not be as obvious if the email is spoofing your employer, says Teju Herath, an associate professor at Brock University who has studied phishing scams.
In all cases, she says, there are tips every user should follow when communicating by email, especially if you haven't initiated the conversation.
"Never send these sensitive pieces of information: username, login information, password, your Social Insurance Number, your birthdate, etc., through emails," she says.
As Keating suggests, if you're unsure whether an email is the real deal, phone the company to ask, or send a new email to an official address you trust.
Pay attention to subtleties: In 2016, many phishing attempts are close replicas of legitimate emails, says Keating, including the company's logo and the language they typically use. 'Spear phishing' is also affecting consumers, he says: Targeted emails containing information that is more personalized to the recipient, so they are further enticed to act.
Although the attempts have become harder to detect, there are still variations to look out for, specifically when it comes to the sender's email address or any of the links in the message, which will be unique and unfamiliar.
With newer web browsers, Keating suggests doing a rollover of the link — hovering your cursor over it, which will reveal the URL but will not take you to the site.
Stay informed and report: Getting educated about how banks and other organizations communicate with their clients is one key to avoid becoming a victim, says Hancock. "Every bank, and certainly we do it on a regular basis, always advertises, 'we will never ask you for your personal information.' Even in marketing campaigns, we ask you to call us and we will never give out anyone's banking information, certainly not without their permission."
If an organization gets word that phishing emails are being sent out in their name, they'll normally try to let their user base or customers know, says Herath. Generally, these communications will warn users not to respond to the phishing email, or emphasize the fact that the organization will never ask for personal details via email. To ensure the company is aware of the problem, be sure to let them know about any phishing attempts.
I fell for the scam. What should I do?
As the RCMP explains, if you think your identity has been compromised online and the breach involves your personal or financial information, contact your bank or credit card company to let them know. Be sure to keep an eye on your accounts and monitor your credit.
"If you have been victimized, definitely notify the credit reporting agencies, EquifaxR and TransUnionR, because they can put a fraud alert on the account, and if any applications for credit are made, the credit reporting agency will alert the institution," says Hancock.
Herath says to report the scam to local and national authorities. In Canada, phishing should also be reported to the Canadian Anti-Fraud Centre.
Equifax is a registered trademark of Equifax Canada Co.
TransUnion is a registered trademark of TransUnion LLC
NPC is a trademark and/or registered trademark of No Panic Computing Inc.