
Security Threats

With the advent of mobile devices and easy access to the Internet, consumers are performing more and more banking transactions online. Bill payments, account management, financial transfers and investment monitoring are now being done onscreen.

The increase in online transactions also means a greater risk of being exposed to a cyber-attack; cyber criminals see it as a good way to gain access to users’ personal accounts. For example, they will not hesitate to send users e-mail with spyware attachments, redirect them to fake websites or communicate with them under the guise of a trusted banking institution.

The best protection is to remain vigilant and know how to recognize such fraud attempts. The following information will help better identify and counter the main threats.

Phishing

What is phishing?

Phishing consists of sending an unsolicited e-mail to a large number of recipients with the goal of having some of those addressees commit an act that compromises the security of their information. The techniques used for phishing are varied and constantly changing. The most common examples are as follows:

  • The e-mail contains a link to a site that infects the recipient’s computer.
  • The e-mail directs the addressee to a false secured site that resembles a legitimate site and has the same logos or content presentation but that records the information entered by the visitor with the intention of stealing it.
  • The e-mail contains an attachment with a virus or other type of malware that infects the recipient’s computer or steals information.
  • The e-mail prompts the recipient to get into contact with fraudulent individuals passing themselves off with a false identity.

Malicious e-mails can sometimes cause harm simply if they are opened, but most require the recipient to take some form of action. Users in the know are familiar with how to recognize malicious e-mails and avoid the pitfalls.

How to recognize phishing strategies?

As its name implies, phishing is analogous to fishing and is done with bait and a hook. It is important to be able to detect the bait in order to avoid getting caught on the hook.

In order to hook their victims and have them commit an act that compromises the security of their information, fraudulent e-mails use such proven methods as:

  • triggering an impulsive reaction by the recipient to an “emergency situation”;
  • presenting a problem that must be resolved by way of actions that the recipient would not normally take;
  • generating a feeling of insecurity in the recipient that leads them to act to “protect” themselves;
  • playing upon the recipient’s curiosity by providing little information and preying upon an individual who is anxious to know more.

In addition to knowing how to recognize the techniques used to make victims take the bait, there are certain detectable clues to help identify a fraudulent e-mail, such as the following:

  • Addressing in a general manner rather than directly naming the recipient.
  • Sentence syntax is questionable and there are spelling mistakes.
  • The logos resemble the originals but can be slightly different or arranged in a strange manner.
  • The site names and e-mail addresses are not those of the site from which the message claims to have been sent. For example, it could be written as “LaurentiannBank.ca” instead of “LaurentianBank.ca”.
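The last clue above can be checked mechanically. The following is an added example, not part of the original page or the Bank's tooling: it compares the sender's domain and each link host against a list of trusted domains and flags near-misses such as “LaurentiannBank.ca”. It goes one step beyond the page's misspelling case by also flagging a trusted name embedded inside someone else's domain. The `TRUSTED` list, the distance threshold of 2 and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the reader really deals with (both names appear on this page).
TRUSTED = {"laurentianbank.ca", "interac.ca"}

# Constructed sample message (not a real e-mail).
SAMPLE_SENDER = "Client Service <service@LaurentiannBank.ca>"
SAMPLE_BODY = ("Dear client, confirm your account at "
               "http://laurentianbank.ca.account-verify.example/reset "
               "or visit https://www.laurentianbank.ca/ for details.")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    host = host.lower().rstrip(".")
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return "trusted"
    labels = host.split(".")
    for good in TRUSTED:
        # Trusted name embedded in another party's domain.
        if good in host:
            return "lookalike"
        # Compare the last labels of the host with the trusted name.
        tail = ".".join(labels[-len(good.split(".")):])
        if 0 < edit_distance(tail, good) <= 2:  # threshold is an assumption
            return "lookalike"
    return "unknown"

def check_message(sender: str, body: str) -> dict:
    """Classify the sender's domain and every http(s) link host in the body."""
    hosts = {sender.rsplit("@", 1)[-1].strip("<> ").lower()}
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        hosts.add(urlsplit(url).hostname or "")
    return {h: classify_host(h) for h in hosts if h}

if __name__ == "__main__":
    for host, verdict in sorted(check_message(SAMPLE_SENDER, SAMPLE_BODY).items()):
        print(f"{verdict:10} {host}")
```

An “unknown” verdict only means the host is not on the trusted list; it is not evidence that the host is safe.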

What to do if the receipt of a fraudulent e-mail is suspected?

  1. Resist

    • Do not respond to the e-mail.
    • Do not click on any links.
    • Do not open any of the e-mail’s attachments.
    • Do not enter any personal information.

      While the Bank can communicate with clients by text message, email or phone, it will never ask them to provide personal information, such as their credit card number, personal identification number (PIN) or password of their online account. If in doubt, clients should contact the Bank at an e-mail address or phone number they know to be legitimate.

  2. Report

    This type of e-mail should be treated as spam, and the electronic messaging service should be notified. If concern remains or if attempted fraud is suspected, the Fraud Prevention Department should also be contacted.

  3. Delete

    The e-mail should be deleted from both the inbox and deleted items folder.

For more information on phishing:
https://cba.ca/email-fraud-phishing?l=en-us
http://www.getcybersafe.gc.ca/cnt/rsrcs/vds/phshng-en.aspx

Spear Phishing

What is spear phishing?

Unlike phishing, spear phishing targets a particular individual instead of a large group of people. The potential victim receives a personalized e-mail, usually from a company known to the general public, addressed to his or her name and asking him or her to follow a particular link or confirm personal information.

It is common for cyber criminals to target a key person in an organization (such as an employee of the finance or accounting department) and send a message to him or her appearing to come from a senior executive of that organization. This senior executive will then ask the employee to perform a suspicious transaction or send sensitive information.

A frequent form of spear phishing is the overpayment scam. With the growing popularity of online consumer-to-consumer sales websites (Kijiji, eBay, etc.), criminals see an opportunity to take advantage of people who are less cautious.

The overpayment scam consists of making the person selling his or her property pay an extra amount. The buyer (the scammer) makes an offer by e-mail to the seller and then makes a payment that is greater than the agreed price. He or she will generally claim that the extra amount was included to cover all sorts of fees (customs charges, shipping, etc.) or that it was simply a mistake. The scammer will then ask the seller to refund this excess amount or forward it to a third party from which he or she will recover it.

Once the amount has been paid, the seller usually finds out that the cheque has bounced and that he or she has therefore given the buyer a portion of his or her own money.

How to recognize the signs of spear phishing?

Like phishing, there may be certain signs in the way the e-mail is presented:

  • The way the e-mail is addressed is questionable (e.g., “Mr.” instead of “Ms.”).
  • An instruction is given to follow a link when this is not necessary for the operation.
  • The e-mail tone doesn’t match the institution or person.
  • The e-mail includes a .zip file.

As for the overpayment scam, the following steps can protect a seller during an online transaction:

  • Never agree to receive an amount greater than that of the sale.
  • Systematically ask for the buyer’s complete contact information (name, address, telephone number).
  • Insist on a certified cheque.
  • Never transfer funds directly to the buyer.

What to do if the receipt of a spear phishing e-mail is suspected?

When we suspect the receipt of a personalized fraudulent email, the same prevention techniques are recommended: resist, report, delete. Consult the Phishing section for details.

For more information on spear phishing:
https://www.cba.ca/three-telltale-signs-the-email-you-just-received-is-a-scam?l=en-us

Malicious Programs

What is a malicious program?

Malicious programs, or “malware”, can take numerous forms today, including viruses, ransomware, Trojan horses, keyloggers, etc. In all cases, these programs are installed without the user’s knowledge and attempt to compromise the security of the user’s data. They usually originate from:

  • malicious Web sites that may have been visited inadvertently or by having clicked on a link;
  • attachments to unsolicited e-mails or “spam”;
  • software downloaded online that has not been produced by a reputable firm.

How to recognize a malicious program?

Most malicious programs cause recognizable symptoms that indicate the computer or mobile device is infected. These symptoms include:

  • a general slowdown in the computer’s performance;
  • a delayed response to input commands;
  • redirection of the Web browser to pages that have not been selected and the appearance of numerous advertising windows that are difficult to close;
  • a modification to the wallpaper image, or messages being displayed asking to provide personal information and, often, to make a payment to return the computer to normal.

What to do if a malware infection is suspected?

  1. Resist

    If the malware asks for information, to click on a link, or to make a payment, do no such thing. Otherwise, the situation may escalate.

  2. Clean

    A computer infected by one or more malicious programs must be cleaned in order to make it secure to use again. To do so:

    • use recognized antivirus or antimalware software;
    • use certain tools designed to clean up specific malware;
    • have the computer cleaned by a qualified technician.

To prevent infections by malware, please consult the Protecting Yourself section.

For more information on malicious programs:
https://cba.ca/ransomware?l=en-us
https://www.getcybersafe.gc.ca/cnt/rsrcs/cmpgns/cmpgn-07/tps-en.aspx

Social Media

What are the risks of social networks?

The daily use of multiple social media platforms makes users prime targets for cyber criminals. In fact, people sometimes post personal information believing that they are simply sharing it with their friends or close connections. Careless users expose themselves to cyber-attack attempts.

How to avoid vulnerabilities on social networks?

  1. Be discreet

    It is crucial to always pay attention to what is being exposed on personal profiles, since a criminal could use this information to carry out identity theft:

    • Never post phone numbers, addresses, birth dates (with year) or other personal information.
    • Never share banking information, not even the bank’s name.

  2. Accept friend requests only from known contacts

    Using judgment before adding “friends” to a personal network is also a good practice, as the true identity of who is behind an online account may be hidden. A new “friend” could be a criminal trying to obtain personal or financial information.

  3. Check who can view profile details

    The security and privacy settings of the social network should be verified on a regular basis. Do not just accept the default settings, which generally allow more access than may be necessary.

  4. Learn about privacy policies

    It may be helpful to carefully review the website’s privacy policy. Be sure that there is no clause allowing the social network to use the information posted on the website because it could then sell e-mail addresses or other information.

For more information on the risks associated with social networks:
https://www.cba.ca/staying-safe-online?l=en-us
https://www.getcybersafe.gc.ca/cnt/rsks/nln-ctvts/scl-ntwrkng-en.aspx

Identity Theft

What is identity theft?

Identity theft occurs when a person obtains and uses personal information for criminal purposes without the owner’s knowledge and consent.

Recognizing identity theft:

  • E-mail is no longer being received, or there has been a surprising change to the account’s e-mail address.
  • Unrecognized account statements are being received.
  • Unauthorized transactions appear on credit card or bank account statements.
  • Calls for the collection of payments for unrecognized expenditures are being received.

What can you do if you are the victim of identity theft?

Fraud Prevention Department

For more information on identity theft:
https://cba.ca/identity-theft-can-happen-to-anybody-learn-how-to-protect-yourself?l=en-us
http://www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtctn-dntty/index-en.aspx

Interac e-Transfer®

How secure is Interac e-Transfer?

Interac e-Transfer features like Send Money, Request Money and Autodeposit are secure. It's one of the safest digital money transfer services in the world. For more information, visit the Interac e-Transfer security website.

How to recognize scams that use Interac e-Transfer features:

Even though sending funds with Interac e-Transfer is safe and secure, fraudsters and scammers may still leverage Interac e-Transfer features for phishing and malicious purposes.

Scams related to Send Money, Request Money and Autodeposit.

  • Request Money scam: When selling items online, be cautious if you plan to complete the purchase using Interac e-Transfer. Instead of sending a money transfer, a scammer or “potential buyer” may send you a request for money instead. Read the email carefully, because if you select “Accept”, you’ll end up sending money instead of receiving money.
  • Fake representative scam: scammers send an email or text message that looks like a legitimate notification. The message will ask you to confirm your transfer by providing information like the answer to your Interac e-Transfer security question or by directing you to select a link to claim funds. Doing so will give the scammer access to your security question. Never select a link or provide the answer to your security question if you or someone you know hasn’t initiated the request.
  • Online sales platform scam: Buying something from an independent seller online can be risky. The seller may ask for payment upfront with Interac e-Transfer or by sending a Request Money instead. Once you send money, you may never hear from the seller again.
  • Apartment rental scam: Fake landlords post rental properties and claim to be out of the country. They request that you send a security deposit with Interac e-Transfer. Once they receive your money, they break off all contact and disappear.
  • Loan scam: Ads for an attractive loan offer will ask that you pay notary, insurance or other fees in advance through Interac e-Transfer. A legitimate financial institution would never do this.

Beware of phishing attempts that send you a money transfer you weren’t expecting. If you accept the Interac e-Transfer request and provide your personal information to retrieve the money, you may be handing it directly to a scammer.

How can I protect myself when using Interac e-Transfer features like Send Money, Request Money and Autodeposit?

Only act on transfer notifications from senders that you know. Legitimate notifications provide the legal name of individuals and the full business name for Request Money notifications. If you know the sender, contact them to confirm the request is intentional.

If you receive a notification email that looks suspicious, be sure to check that it’s valid before you select any links. When in doubt, forward the notification immediately to phishing@interac.ca.

It’s important to carefully read the transfer notification to determine if the requestor is sending money to or requesting money from you. A Request Money notification clearly states “request for money” and an Interac e-Transfer notification says “sent you money”.

We strongly recommend you register for Autodeposit to automatically deposit all Interac e-Transfer requests directly into your chosen bank account. This reduces your risk of becoming a victim of phishing or other scams by clicking and accepting fraudulent Interac e-Transfer notifications and requests for money.

What can I do if I’m the victim of a scam or fraud through Interac e-Transfer?

If you see any unusual transactions on your account or suspect you’ve been a victim of fraud or a scam, contact us or escalate the claim to the Fraud Prevention Department.

To help protect yourself more, please consult the "Protecting Yourself" section.