Don't be a victim of cybercrime
Education and awareness are the best protection against email and other scams. Learn more about what you can do to avoid these scams and malicious computer viruses, while safeguarding your personal information.
Phishing or brand spoofing – sophisticated online trickery
Phishing attacks use 'spoofed' (look-alike) e-mail messages and fraudulent websites designed to fool recipients into divulging personal, business and sensitive information such as credit card numbers, account usernames and passwords or social insurance numbers. Phishing messages often appear to come from large and well-known companies or websites with a broad membership base such as well-known financial institutions, online retailers and credit card companies.
Phishing emails are sent to thousands of people at once. By masquerading as trusted brands, phishers attempt to convince recipients to respond to the e-mail and provide sensitive information. Responses can be a simple reply, a click on a fraudulent link, even opening an infected attachment.
How it works:
- You receive an unsolicited e-mail appearing to be from a legitimate company.
- The e-mail claims that a billing error or account problem has occurred or that you can enter a contest to win a prize. Other enticements may be used.
- You are asked to follow instructions that will take you to a website that appears legitimate, complete with a company's brand name and corporate colors.
- You are asked to provide updated personal and financial information via an online form.
- There may be a risk associated with the request. For example, you are asked to submit the information or risk having your account suspended or terminated.
How to spot and respond to a phishing email:
- Suspicious sender’s address - Carefully review the sender’s email address. Check for spelling errors in the email address.
- Links within email - Phishing emails will often include links to malicious webpages or programs. These links appear to be legitimate but will redirect you to a different website. You can determine where the links are going by hovering your mouse over the link. Do not click on any links.
- Spelling and grammar errors - Look for spelling and grammar mistakes. Cybercriminals often leave traces of spelling and grammar mistakes in their phishing emails.
- Request for personal information - Be extra cautious of emails that ask for personal, sensitive, and business information such as username, passwords, social insurance numbers, banking information, etc.
- Attachments - Phishing emails often include attachments. These attachments can install a small program on your computer without your knowledge, known as malware (malicious software) or spyware (spying software). Like malicious links, these programs can obtain sensitive information. Hence, do not click on any attachments.
- Urgent action required - Fraudsters often try to entice you to take action (click a link or respond) by indicating urgency or importance. Be wary of emails that stress urgency or high importance, as they may be phishing emails.
- Threats - Fraudsters use scare tactics to get a reaction from you. They often use threats like “your security has been compromised.”
- Use Google - You may be able to find out whether an email is fraudulent by searching some keywords from the phishing emails. If you received a phishing email, chances are that other people in the online community experienced the same as well and they may inform other users by posting in a forum or on a website.
Spear phishing – specifically targeted at the workplace
Spear phishing is an e-mail spoofing attempt that targets a specific organization, seeking unauthorized access to confidential data. It focuses on a single user or department and is addressed from someone within the company in a position of authority, often appearing to be from the company's own human resources or technical support divisions, requesting information such as login IDs and passwords. Once hackers get this data, they can gain entry into secured networks. Another type of spear phishing attack will ask users to click on a link, which deploys spyware that can steal data.
Vishing – using phones to phish
Essentially, this is voice phishing. There are two different kinds:
- An e-mail arrives alerting you to a problem with your account. Instead of going to a fake website, you're given a customer-support phone number where you hear an automated message prompting you to use the phone's keypad to log in with your account number and password. The fraudster then captures this information.
- The fraudster calls you directly or leaves a message warning that your account may be at risk and to call in immediately. An automated message again asks you to log in on your keypad and may even request additional information like your Social Insurance Number or date of birth.
In each case, don't provide any information until you independently verify the phone number. If a 'real' person answers the phone, don't answer any questions until you're sure the number is legitimate.
Smishing – using texting to phish
While it might not sound like something real, it is. Smishing, or SMS phishing, is the mobile equivalent of phishing. A text message is sent to a user's smartphone or other mobile device with the intent to get the owner to click on a fraudulent link. Following the same safety guidelines as for phishing and not clicking on unknown links can help you avoid getting caught by this type of scam.