E-mail fraud has reached new heights of deviousness.

In the past few months, I’ve seen e-mails designed to look like they were from major banks and the Canada Revenue Agency. Each surprised me with their level of polish. No longer are these so-called phishing e-mails a laughable mix of broken English and lame graphics.

“These e-mails are getting better,” said Jennifer Fiddian-Green, a forensic accountant at Grant Thornton LLP who investigates fraud. “They’ve had to get better to get more of us to click.”

Ms. Fiddian-Green’s suggested response when you get a suspicious e-mail or text that you weren’t expecting: Delete it – don’t even read it. Train yourself not to respond.

Phishing e-mails have two separate purposes, the first being to get you to click on a link that will install malevolent software (malware) that locks up your computer. You are then asked to pay a ransom to have the computer unlocked. The second purpose is to fool you into providing log-ins and passwords that could enable scammers to get into your online accounts.

A phishing e-mail I received recently was designed to appear like an Interac e-transfer from CRA for $214.17. To collect, I just had to click on the link provided. I keep a close watch on my taxes and knew my balance with CRA was zero. But the e-mail looked so realistic that I had to check. It even had the name Acxsys Corp. at the bottom, a reference to a company involved in electronic payment services.

When I later checked with CRA, its reply was that it never sends payments using Interac e-transfer – only cheques and direct deposit are used. In reference to other scams around these days, CRA said it also never requests payment by prepaid credit card or gift card, an apparent reference to a scam seen in Calgary last year where people were told to pay amounts owing to CRA by purchasing gift cards and providing the activation code.

The Canadian Anti-Fraud Centre says phishing generated 7,045 complaints for the period between Jan. 1, 2016, and the first week of this past December, ranking it third behind a pair of broadly defined categories, extortion and identity fraud as major fraud concerns. The number of phishing victims reported by the centre was 2,863, while losses totalled $849,166.

Phishing scams seek information as well as money these days. But CRA says it never asks taxpayers to provide their personal or financial information by e-mail, text message, or by clicking on a link. CRA does send notification e-mails to people who have subscribed to a service offering them, but the messages simply advise people to log into the secure My Account service to see the details.

Fear of the taxman and the repercussions of not paying what we owe has been exploited for a while now by scammers who call individuals at home to say they owe money and must pay immediately. I’ve had at least two voice-mail messages in the past year demanding payments. Ignore these messages and hang up if you pick up when a scammer calls. If you’re unsure whether a call from CRA is legitimate, call 1-800-959-8281 to verify.

Scammers have lately branched out to texts as well as e-mails – it’s called SMiShing, or SMS phishing (SMS stands for short-message service and means a text). A text I received not too long ago from one of the banks I deal with was so realistic that it, similar to the CRA e-mail, caused me to wonder if it could possibly be real. The message said that as a result of my recent banking activities with my bank card, I needed to confirm my PVQ to avoid suspension of my account. PVQ stands for personal verification questions, which many financial firms ask you to answer when you log-in (you can turn them off on a computer you use all the time).

As it happens, I was using a relatively new smartphone at the time and getting used to a virtual keyboard. Could a fumbling attempt to log into my banking app be what caused the “activity” referred to in the text? I decided to double-check. My bank replied by saying the text was yet another phishing attempt, just the sort of thing it sees these days in e-mails, text and social media.

Prepare yourself for even more deviousness from scammers in the future. People keep falling for these cons, Ms. Fiddian-Green explains. “It’s lucrative.”


What’s real, and what’s not

Canadian Imperial Bank of Commerce offers the following guidance on how to determine if electronic communication from the bank is legitimate:

CIBC sends …

  • Solicited messages that respond to customer requests;
  • One-time verification codes used to complete online banking transactions;
  • Online banking alerts that customers have subscribed to;
  • Messages that have live links to other CIBC marketing content.

CIBC does not send …

  • Unsolicited messages asking customers to provide, confirm or update personal records;
  • E-mails from a third-party address or link to a third-party site;
  • E-mails containing no information about why a customer is receiving the e-mail;
  • E-mails requiring an urgent response.

Source: CIBC

The Globe and Mail
Published Thursday, Jan. 05, 2017 4:29PM EST
Last updated Monday, Jan. 09, 2017 8:16AM EST