E-mail Fraud/Phishing

Last modified: 20 March 2013

E-mail fraud — or “phishing” or “brand spoofing” as it is also called — uses fraudulent e-mail messages and websites that look like they are from a legitimate company, such as a bank, credit card company, online retailer or government agency. The e-mail you receive may look real, with company logos and branding, but beware — you may have actually received this spam or mass e-mail from a criminal. The fraudsters will cast a wide net and send the spam e-mail to thousands of people at once, whether or not they are a customer of the organization, to “phish” for personal information.

Typically, these e-mails will ask you to update or validate your personal information. There will also be some urgency to the request, warning you that if you do not comply quickly your account may be shut down. In other cases, the e-mails will promise financial benefit for the recipient if they reply, or ask for a verification of information to help protect the recipient from identity theft. By clicking on the links in the e-mail you will be taken to a phoney website that, again, appears to be legitimate, where you will be asked to disclose some personal information, such as your social insurance number, credit card number or online banking passwords.

How to identify e-mail fraud

So, how do you know if the e-mail you received is fraudulent? Here are a few things you should know:

  • Your bank will never send you an e-mail, or call you on the phone, asking you to disclose personal information such as your credit card number, online banking password or your mother’s maiden name.
  • Be suspicious of unsolicited e-mails that have a sense of urgency and warnings that your accounts will be closed or your access limited if you don’t reply.
  • Does the e-mail look professional? While some fraudulent e-mails may look professional at first glance, if you look more closely you may notice spelling and grammatical errors, unusual language or branding that isn’t quite right. Fraudulent e-mails are not personalized and, instead, are addressed in general terms, such as "Dear valued customer."
  • If you receive an e-mail notifying you that an e-mail money transfer is being sent from a person you don't know, delete the e-mail as it is likely fraudulent.

Below is an example of a fraudulent e-mail that circulated recently. Logos and bank names that appeared have been removed and replaced with “Any Bank” to provide a generic example. Note the urgency in statements such as “the process is mandatory” and “failure to do so may result in a temporary cessation of your account services”. There are also spelling and grammar errors such as “promt” and “please do not reply to this e-mails”.

What banks are doing to protect you from e-mail fraud

It is important to remember that fraudulent e-mails sent out by criminals may look like they come from banks, but they are not connected with banks at all. Banks, however, take extensive steps to protect your personal information entrusted to them and to help you protect it as well.

Consumer education is one of the best ways to stop e-mail fraud and prevent customers from inadvertently disclosing their personal information. Most banks have information available on their websites and through booklets and brochures and provide practical tips on how to protect yourself and your money. Click the links below to be connected to the e-mail fraud pages on individual bank websites.

Banks also work very closely with police to prevent fraud and criminal activity. The fraud and security teams at the banks provide support and information to police, and work closely with them to shut down e-mail fraud websites to protect customers from potential losses.

How to avoid e-mail fraud

In addition to bank efforts, there are some simple steps you can take to avoid becoming the victim of e-mail fraud:

  • Be skeptical. Fraudulent e-mails can look like they come from a real bank e-mail address. If you have any doubts about an e-mail that looks like it is from your bank or a reputable company, contact them before responding to ensure that it is legitimate. But don’t use the toll-free number, e-mail address or website address provided in the e-mail: they may link you to the criminals rather than the bank. Use a phone number, e-mail address or website address that you know is correct.
  • Never send personal and/or financial information by e-mail.
  • Always enter your bank’s website using the website address (URL) that you know is accurate. Contact your local bank to get the correct website address if you're unsure.
  • Regularly review your bank and credit card statements to ensure that all transactions are authorized. Also check your credit report at least once a year by contacting credit reporting agencies Equifax Canada and TransUnion Canada.
  • Check the domain name shown as the link in the e-mail. If, when you click the link, that name does not match the one that appears in the browser at the top of the screen, it may be a fraudulent website.
  • On the Internet, whenever entering personal information, ensure that you are using a secure website. Look for “https://” rather than just “http://” in the address bar of your Web browser as well as a closed padlock in the bottom right corner of your browser.
  • Make sure that your home computer is protected. Install anti-spam, anti-spyware and anti-virus software and make sure they are always up-to-date. You should also install a personal firewall to act as a barrier to viruses and other external attacks and check for operating system patches and upgrades on a regular basis.

What should you do if you receive a fraudulent e-mail?

If you receive a phishing e-mail pretending to be from a bank that asks for personal or financial information, there are two things you should do: report it and delete it.

Report it — Banks and other companies need your help to shut down fraudulent websites. By reporting any fraudulent e-mails you receive to the bank or other company being spoofed, you can help us prevent other people from falling for e-mail fraud. Click the links below to find out how to report e-mail fraud to a bank.

Delete it — The best way to protect yourself from e-mail fraud is to recognize it for what it is: a scam. Once you’ve reported the fraudulent e-mail, delete it. Do not reply or click on any link provided in the e-mail.

If you think you have provided your personal information in response to a fraudulent e-mail, you should immediately report it to your bank and to your local police.

Reporting e-mail fraud

Banks and other companies need your help to shut down fraudulent Web sites. By reporting any fraudulent e-mails you receive to the bank or other company being spoofed, you can help us prevent other people from falling for e-mail fraud. Click the links below to find out how to report e-mail fraud to banks:
