Security Advisory: Email Fraud and Identity Theft

Phishing, the practice of using fraudulent e-mails and copies of legitimate websites to extract financial data from computer users for purposes of identity theft, remains a serious threat to individuals and organizations. Criminals are getting more sophisticated, and identifying fraudulent emails, websites and pop-ups is getting harder. Although security software and tools provide some protection, awareness, vigilance and common sense are necessary to protect yourself and your organization from email fraud and identity theft. Take a few moments to refresh your knowledge on what to watch out for and how to protect yourself.

How to Protect Yourself

Be alert and keep your eyes open for suspicious emails. Phishing emails often come from a generic name/email address like “Accounts Payable” or “Customer Service”. Email addresses will not use the correct domain, but will look correct at first glance, e.g., instead of “xyz.com” fraudsters may set up a fake domain or website such as “xyzcorporation.com”. Grammar and spelling mistakes in the email are also red flags. Emails often prey on people’s sense of urgency by threatening action, such as taking away account access, if you don’t respond by a certain deadline, e.g. within 24 hours.

Do not reply to emails from unrecognized senders and do not reply to emails that request financial information, even if they appear to be from a trusted source. Financial institutions will not contact you via email and request personal information. If you do receive a message via email, text message or phone requesting you to contact your financial institution, verify that the phone number provided is a valid number by checking their website or one of your statements and confirming the phone number is legitimate before calling.

As is the case for many things in life, if it sounds too good to be true, it probably is.
Although we have grown weary of people from foreign countries claiming they have an inheritance to share with us, we are still intrigued by emails claiming significant discounts off brand-name merchandise. Clicking on links in emails from unknown vendors or people is risky and can trigger the download of malicious software. Don’t do it.

Staying Safe on the Internet

Turn on your web browser’s pop-up blocker, and only enable pop-ups from trusted websites.

Enter sensitive data on secure websites only. In order for a website to be secure, its address must begin with ‘https://’ and there should be an icon of a lock in the URL field of your browser. That does not mean it is safe to click on a link in an email that starts with ‘https://’, as the link could redirect you to a non-secure, malicious website.

A common phishing technique is to launch a bogus pop-up window when someone clicks on a link in a phishing e-mail message. This window may even be positioned directly over a window you trust. Even if the pop-up window looks official or claims to be secure, you should avoid entering sensitive information because there is no way to check the security certificate. Close pop-up windows by clicking on the X in the top-right corner. Clicking cancel may send you to another link or download malicious code.

Take Action

A significant portion of on-line fraud goes unreported. Some people are too embarrassed to admit they’ve been taken in. Others simply don’t know what to do. If you think you provided sensitive personal information before realizing you may be a phishing victim, report the matter to your local police and keep a copy of the police report. You may need that documentation to resolve any fraudulent transactions. You can also go online to www.antifraudcentre-centreantifraude.ca, the Canadian Anti-Fraud Centre, or call the Centre toll-free at 1.888.495.8501.

Spread the Word

Raising awareness about email fraud and identity theft isn’t new.
We encourage you to share this advisory with your family and friends. Reminding ourselves about what to watch out for is good practice. We’ve attached two recent phishing examples to show how sophisticated the scams are getting and why it pays to be extra-vigilant when opening emails that come from unknown senders or that you weren’t expecting.

Examples of Fraudulent Emails (Phishing)

The first example purports to be from Apple Support. Email messages that contain attachments or links to non-Apple websites are from sources other than Apple. Most often, these attachments are malicious and should not be opened. Apple websites that require Account information have apple.com in the address, such as http://store.apple.com or iforgot.apple.com (with the exception being iCloud.com). This example also preys on people’s fear that their account will be suspended if they don’t comply quickly.

The second example was personalized and had the email address of the recipient, making it seem authentic. The use of the company logo and copyright information also makes the email seem legitimate.
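
The domain red flags described above (“xyzcorporation.com” standing in for “xyz.com”, and the rule that Apple sites have apple.com), as an added Python example that is not part of the original advisory. It shows why the check must match on a dot boundary, not on whether the trusted name merely appears in the host. The allow-list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: an allow-list built from the domains the advisory names.
TRUSTED = {"xyz.com", "apple.com", "icloud.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message; login-check.example is a made-up host.
SAMPLE = """\
From: Customer Service <support@xyzcorporation.com>
Subject: Your account will be suspended within 24 hours

Verify now: https://apple.com.login-check.example/verify
Store: http://store.apple.com/
"""

def host_is_trusted(host, trusted=TRUSTED):
    """True only for a trusted domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    # Label-boundary match: "notapple.com" contains "apple.com" but fails here.
    return any(host == d or host.endswith("." + d) for d in trusted)

def looks_like_trusted(host, trusted=TRUSTED):
    """Heuristic: an untrusted host that embeds a trusted brand label."""
    if host_is_trusted(host, trusted):
        return False
    brands = {d.split(".")[0] for d in trusted}
    return any(b in host.lower() for b in brands)

def classify(host):
    return "lookalike" if looks_like_trusted(host) else "untrusted"

def review(raw):
    """Return (where, kind, host) for each sender or link host off the allow-list."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not host_is_trusted(sender):
        findings.append(("sender", classify(sender), sender))
    for url in URL_RE.findall(msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if not host_is_trusted(host):
            findings.append(("link", classify(host), host))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The check looks only at the address written in the message; it cannot see where a link redirects after it is clicked.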