Email scams have gone far beyond the old “Nigerian Prince” requests to mail cheques and send money abroad. Scammers are using more sophisticated methods of impersonation for the purpose of stealing your personal information or money. (For information on protecting yourself from phone scams, please click here.)
Let’s review some terms.
Phishing is the fraudulent practice of sending emails which appear to be from reputable companies with the goal of baiting individuals to reveal personal information, such as Internet passwords, banking information and credit card details.
Spear-phishing is even more sophisticated and targeted – often the email will contain details such as the recipient’s name, mention a previous email conversation, and may come from a trusted friend’s email address.
Here’s how it works:
An email with an attachment may appear to come from a known and even trusted contact. The attachment may look like a PDF file, but it’s actually an image with an embedded link that, once clicked, takes the user to a very legitimate-looking Google log-in page (for example).
Once the recipient goes through the log-in process (supposedly to open the attachment), that information is captured. The attacker now has full access to your email and, for example, your Google account.
There are only two small cues that this is a scam.
- On a high resolution computer screen, you may be able to detect that the “PDF” is not a real attachment but an image.
- Once the faked image is clicked and the recipient is taken to the fake log-in page, the URL does not begin with “https://” but rather with “data:text/html”.
Credit: Tom Scott
You can read more about this phishing technique here.
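As an added example (not part of the original article), a small Python link audit that applies the two cues above to an HTML email body: it flags any link whose target is a data: URL rather than an https:// address, and notes when such a link wraps an image posing as an attachment. The sample email, the `LinkAuditor` class and the `audit_links` function are all constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of the lure described above: an <img> dressed up as a PDF
# attachment, wrapped in a link whose target is a data: URL (an inline fake
# log-in page) instead of an https:// address. The payload is a placeholder.
SAMPLE_EMAIL_HTML = """
<p>Hi, here is the invoice we discussed.</p>
<a href="data:text/html;base64,CONSTRUCTED_PLACEHOLDER"><img src="cid:thumb" alt="invoice.pdf"></a>
<p>Regards, <a href="https://mail.example.com/signature">Jean</a></p>
"""


class LinkAuditor(HTMLParser):
    """Collect each link's href and whether the link wraps an image."""

    def __init__(self):
        super().__init__()
        self.links = []        # [href, wraps_image] pairs
        self._current = None   # index into self.links while inside an <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append([attrs["href"].strip(), False])
            self._current = len(self.links) - 1
        elif tag == "img" and self._current is not None:
            self.links[self._current][1] = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def audit_links(html):
    """Return (href, reason) for every link matching the cues in the text."""
    auditor = LinkAuditor()
    auditor.feed(html)
    findings = []
    for href, wraps_image in auditor.links:
        scheme = urlsplit(href).scheme   # urlsplit lowercases the scheme
        if scheme == "data":
            reason = "data: URL renders inline content, not an https:// site"
            if wraps_image:
                reason += "; it wraps an image posing as an attachment"
            findings.append((href, reason))
        elif scheme != "https":
            findings.append((href, f"non-https scheme '{scheme or 'none'}'"))
    return findings
```

Running `audit_links(SAMPLE_EMAIL_HTML)` reports only the data: link wrapping the fake attachment; the https:// signature link passes.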
Once your email is compromised, this is what can happen:
- They have total access to your email.
- They can now send emails, posing as you.
- They can find personal information, such as past conversations to send very personalized emails, posing as you.
- They look for contacts who have sent you attachments in the past, and replicate them for phishing purposes.
Avoid online shopping scams
When shopping online, even on trusted retail websites such as Amazon, you may see an advertisement with a great deal. These might not be legitimate, and if clicked, take you away from the Amazon page.
The website may appear to be just like the Amazon website and/or payment page, but once a purchase is made, the scammers now have your money. If the purchase is not finalized (such as “we’re currently out of stock”), you may be contacted via email by the fake retailer to complete the purchase whereby they steal your money and other personal information.
If you’re shopping with Amazon or any online retailer, keep these tips in mind:
- Trust your instincts: deals that appear too good to be true often are.
- Check the URL to be certain you’re still on the correct page.
- If you’re shopping with an Amazon “affiliated retailer”, contact Amazon’s customer service to ensure legitimacy.
Social media scams
You may have seen or heard of friends’ Facebook profiles being duplicated for the purpose of gaining trust and then scamming their friends via Facebook; be aware that this problem still exists. Note also that many savvy users these days turn to social media for a fast response to their customer service inquiries.
In a scam known as “angler phishing” the response may be from a faked replica of the company you’re contacting. You’ll then be directed to log in and give personal information on what may appear to be a real website, but is not.
For businesses – a real life example
Business email addresses can also be compromised. Consider the details of professional email conversations and combine that with what can be learned online about employees or even business owners who are active social media users:
- LinkedIn – work responsibilities and professional details, fellow employees and their start dates
- Facebook – daily activities and travel plans
This information can be compiled by a scammer (and it has happened locally!) and used in an email sent to another employee from a work email address, such as the following example:
I know that you’re on vacation in Florida, but this invoice needs immediate payment. As you know I would normally complete the transaction myself, but it’s a large amount, so I thought it best to send to you. Please find the invoice and the payment details attached. It can be paid online similar to how you paid last week’s invoice to ACME Company.
Thanks, see you soon. Jean
How can you protect yourself?
Be aware! Watch for emails, even from trusted friends or family members, that contain language such as the following (from the RCMP):
- E-mail Money Transfer Alert: Please verify this payment information below…
- It has come to our attention that your online banking profile needs to be updated as part of our continuous efforts to protect your account and reduce instances of fraud…
- Dear Online Account Holder, Access To Your Account Is Currently Unavailable…
- Important Service Announcement from…, You have 1 unread Security Message!
- We regret to inform you that we had to lock your bank account access. Call (telephone number) to restore your bank account.
Protecting yourself online!
- Have a strong and unique password for all your online activities.
- When possible, utilize a two-step authentication and/or add a recovery phone number or email address for verification purposes.
- Never send money based on an online request. Let your friends and family know that you will never request money from them online without personal contact.
- Keep your travel plans off of social media.
- Be a savvy shopper. If a deal looks too good to be true, it often is.
- Check out the legitimacy of websites before making a purchase. http://www.wikihow.com/Find-if-a-Website-Is-Legitimate
- If you’re making an online purchase via Amazon or other online retailers, be sure you’re shopping on their legitimate website. Do a quick Google Search of the URL or company’s name. Look for online reviews or research the company on the Better Business Bureau’s website. http://www.bbb.org/search?ref=77
- Before making an online purchase, check the website’s security status in the URL – look for https and a padlock symbol.
- Business owners need to create a system for dealing with online payments, invoices and social media security.
Actions to take if you believe you’ve been sent a phishing email
(From the RCMP website)
If you receive one of these suspicious e-mails:
Report it to the Canadian Anti-Fraud Centre or the institution that it appears to be from.
If you received one of these suspicious e-mails and you unwittingly provided personal information or financial information, follow these steps:
Step 1 – Contact your bank/financial institution or credit card company
Step 2 – Contact your credit bureau and have fraud alerts placed on your credit reports:
Equifax Canada Toll free: 1-800-465-7166
TransUnion Canada Toll free: 1-877-525-3823
Step 3 – Contact your local police
Step 4 – Always report phishing. If you have responded to one of these suspicious e-mails, report it to the Canadian Anti-Fraud Centre.
Please share this important information with everyone in your life, particularly those who are not savvy Internet users who may be more vulnerable.