There's Something Phishy Going On
Written by Matthew Braga
Thursday, March 11th, 2021
Jobs that don't exist. Fake online stores. Bitcoin fraud, and more. Here's how to protect yourself from today's top threats.
Glennys Egan was talking with her parents over Zoom when she got a text message from a number she didn't recognize.
"I opened it, and it was like, 'You have duties due at customs on your package that's being delivered,'" recalled Egan, who is 31.
Before the pandemic, Egan might have paused. She might have been more skeptical. But like many Canadians with nowhere to go and not much to do at home, Egan was ordering a lot more stuff online. It was likely there was something on the way, she reasoned. One of her Christmas gifts had been delayed, and she actually did have to pay duties on a few things already. It wasn't exactly a surprise that she might have to pay more.
So she clicked the link, and started filling out a form. "It didn't look that different than the official DHL emails I've gotten," Egan said. She entered her credit card information, pressed submit and…nothing. Odd. She submitted her information again, and maybe even a third time, before she realized the site looked a bit off. And that's when Egan's bank called to tell her there had been some strange activity on her card. It all clicked; Egan had been phished. "Honestly, I wouldn't have thought twice about it if I hadn't gotten a phone call," she said.
Anyone Can Be Fooled by Fraudsters
Egan's bank cancelled her card and refunded her money and, in the end, it wasn't a big deal. But the fact that she was fooled in the first place, she admits, was a little embarrassing.
Egan thinks she's pretty tech savvy: she uses a password manager, has multi-factor authentication on her accounts, and is usually careful with her financial information. But she's also been working from home in the middle of a pandemic, surrounded by screens, spending a lot of time online, inundated by messages, and is a bit more distracted than usual — exactly the kind of unusual circumstance criminals realized they could exploit.
Egan's attackers knew a lot of people out there were just like her - unable to go to the store, expecting deliveries of things they had ordered online, vulnerable to just the right message at just the right time.
The Global Pandemic: A Very Powerful Lure
Scams and frauds don't change much from year to year. What changes are the lures attackers use to reel their victims in — the calls, messages, apps and websites specifically designed by savvy criminals to prey on the fears, anxieties, and desires of the day.
It probably won't come as a surprise that the circumstances created by a global pandemic have proven to be a very powerful lure. Since the start of the pandemic, the Canadian Anti-Fraud Centre estimates that nearly 10,000 Canadians have fallen victim to COVID-19 related fraud, with more than $7 million lost (to put that into context, The New York Times reported last fall that Americans had been defrauded of more than $145 million). During the same period, the Canadian Centre for Cyber Security told CBC News that more than 4,000 fake Canadian government websites, emails and apps had been taken offline.
Ryan Singh, a senior manager on Tangerine's Fraud team, says that fake calls from Canada Revenue Agency (CRA) have been up in recent months — the kind offering financial aid or demanding a debt be paid. You've likely received at least a few of these calls in recent years, but the pandemic has only made them more powerful, "especially by preying on people's fears about CERB and having to repay it," Singh says.
CRA says it won't send messages about applications, payments or repayments by text or email.
Layoffs and concerns about financial insecurity have also meant a rise in fake jobs scams, where fraudsters with fake companies hire people for jobs that don't exist for the purpose of stealing money and personal information. In one case, Singh said people were offered jobs and asked to send a cheque for computer equipment. "They would do that and never get the computer equipment," he said.
Working from Home Scams
Attackers have tried to exploit the fact that many Canadians are spending most of their time at home, using information about stay-at-home orders, work-from-home policies, expiring Netflix subscriptions, or fake delivery notifications serving as lures. "There are new products that, if they're particularly hard to get during COVID-19, scammers can take advantage of our desire for them," said Yuan Stevens, the policy lead on technology, cybersecurity, and democracy at Ryerson University's Leadership Lab, pointing to the influx of scams promising new Xbox and PlayStation consoles, which are currently in high demand. At its peak last April, Google said it was seeing 18 million malware and phishing emails related to COVID-19 every day.
It certainly seems to be working. According to one study by the fraud prevention company Sift, account takeovers went up an incredible 282 percent year-over-year during the pandemic's first wave. Account takeovers happen when someone is able to gain unauthorized access to an account using stolen credentials from a phishing attack or data breach.
The Dangers of Digital Currency
Florian Kerschbaum, an associate professor at the University of Waterloo and director of the school's Cybersecurity and Privacy Institute, says another red flag is a payment that's requested in Bitcoin — especially if you've never handled Bitcoin before. While there are legitimate uses for the digital currency, Florian says Bitcoin is "very attractive as a payment method for people who commit financial fraud" because it's borderless, instant, and somewhat anonymous. As the price of Bitcoin has skyrocketed in the past year, so has the market for scams.
Phishing Still A Fraud Favourite
Phishing, of course, is an evergreen concern too. Attackers craft websites, messages, or even malicious apps made to appear legitimate, but are actually designed to steal passwords and personal information — just like what happened to Egan. Over the past year, attackers have used shortages of sanitizer and masks, vaccine trials, testing difficulties, and a general thirst for reliable information as lures, in some cases by pretending to be government or health officials in messages, or by setting up fake online storefronts. Florian said there have even been fake COVID-19 alert apps, with no relation whatsoever to the government. "Many of them were fraud attempts that just collected your personal information," he said.
Staying a Step Ahead of Fraud
At Tangerine, Singh says that these emerging threats don't come out of nowhere. The Fraud team has regular meetings to discuss emerging scams, partly informed by what they hear from Clients. They can take anecdotal accounts of emerging scams and look for further evidence in the data — examples of funds going to a particular bank, or cases that seem to centre around certain demographics like age or location. Then the team can have their systems flag any future potentially suspicious activity that meets a similar pattern.
"By analyzing the fraud the bank sees, it allows us to continually enhance our fraud monitoring effectiveness, savings more funds and Clients as a result," says Singh.
What Can You Do to Protect Yourself?
If you think you've been the victim of fraud or a scam, stay calm. And don't feel bad. Even experts can be fooled by a cleverly crafted message or call that arrives at just the right time.
If you think you've revealed financial information, you should start by calling your bank or credit card company as soon as possible. "Some folks, they're a little bit hesitant to come forward," said Singh. "Nobody thinks they're going to be a victim of fraud until it happens to them." But the sooner you report potential fraud, the easier it will be to get help. Your financial institution can flag your account as being compromised, send you a new card, help you change your password, and reverse any fraudulent charges. In some cases, your provider may even notice the fraud before you do.
You should also notify Canada's two credit bureaus: — Equifax and TransUnion — who can help you monitor for unexpected credit checks or unauthorized attempts to open new accounts. And you can help prevent others from falling victim to similar scams by reporting the incident to your local police and the Canadian Government's Anti-Fraud Centre.
"If something is too good to be true, oftentimes it probably is," says Singh, who recommends doing your research, only responding to messages from known and trusted sources and ignoring anything that looks suspicious. If a company or government agency contacts you, you can always contact them yourself using the phone number or email listed on their official website. And be wary of requests that sound unusually urgent or try to play on your fears. "If an email asks you for an immediate action, you should always think twice," says Kerschbaum, who has received his fair share of CRA scam calls, too.
Steps You Can Take Now to Make it Harder for Fraudsters to Strike in the Future:
Get a Password Manager. Apps like 1Password can create and store long, unique passwords for each of your online accounts — because you should never reuse passwords — and even alert you when a service you use has been breached.
Turn on Multi-Factor Authentication (MFA). This is a security feature offered by an increasing number of online services, including Facebook and Google, and makes it more difficult for someone who learns your password — through phishing, for example — to access your account.
Know How to Spot Phishing Attempts. Look for clever misspellings in links, usernames, and website addresses. If a site or message looks official but you're still unsure, avoid clicking any links and instead try visiting the site or service directly. And think critically about the type of information you're being asked for. Netflix shouldn't ever need your Social Insurance Number, for instance. You can also report fraudulent sites or messages to the Canadian Centre for Cyber Security.
Keep Your Devices Up-to-Date. Malicious apps often take advantage of security flaws in outdated software to infect devices and steal data. If you turn on automatic software updates, you'll always have the latest security protections against harmful apps.
Experts like Kerschbaum, Singh, and Stevens say if you do these things, you can stop the vast majority of attacks. "The more we live our lives online, the more we need to protect ourselves," says Stevens. Luckily, even when criminals change their lures, the things you can do to stay safe mostly stay the same. And as for Glennys Egan — who is still waiting on that missing package from December — "I'll definitely be looking more carefully before I enter my credit card information anywhere," she says.