Canada | Fraud

3 current scams to keep on your watch list—and avoid

From SIN scammers and fake couriers to highly sophisticated ransomware purveyors, there are always tricksters out there concocting new schemes. Here are some of the latest.

A Facebook IconFacebook A Twitter IconTwitter A Linkedin IconLinkedin An Email IconEmail

Courier worker delivering parcel to womanPackage delivery scams involve a phone or other high-value item being delivered to your door. The package has your name on it—but you didn’t make the order. (Getty Images/Dougal Waters)

As we head into the early months of a new decade, it would be encouraging to be able to say there has been a clear reduction in the number of scams being devised.

Unfortunately, that is not the case. For example, figures from the Canadian Anti-Fraud Centre show that total losses from reported phishing scams in Canada almost doubled from 2018 to 2019 (to $296,355.74 from $127,128.96), even though the number of reports was down slightly (to 5,048 from 6,760). 

What are some of the scams currently making the rounds? According to Jeff Thomson, manager of the fraud intake and prevention unit at the Canadian Anti-Fraud Centre (CFAC), spear phishing (also known as wire fraud) remains a top money maker for fraudsters who are targeting businesses; in fact, it is at top of the list in terms of dollar losses for 2019, at $20,007,419. 

Also, it appears that the SIN scam and other schemes in which fraudsters pretend to be calling from federal government departments are still very common; even the CFAC has been hit by the scam, says Thomson. (The scam has become so ubiquitous that the Canadian Radio-television and Telecommunications Commission recently ramped up its efforts to combat it.)

Here are some of the other scams that are currently targeting Canadians.

1) LOOKING FOR LOGIN INFO 

Scammers don’t always solicit money; these days, they might go after your personal info as well. As Thomson points out, the CAFC has been seeing an increase in scams where the perpetrators are seeking the victim’s login credentials for various apps and online services, including Amazon or Netflix. “Some even go after reward points (e.g. Aeroplan and PC Optimum rewards points),” he says.

One such credential scammer—known as the Hamburglar—has been hacking customers’ McDonald’s apps to order meals for pickup. In one case in April 2019, for example, a customer in Toronto was charged for more than $2,000 worth of meals ordered at different McDonald’s restaurants in Montreal. And in October, one customer said someone used her app to order $34.87 worth of Chicken McNuggets and burgers for pickup at a McDonald’s in Toronto—about 140 kilometres from her home.

HOW TO PROTECT YOURSELF

  • As always, practise due diligence by strengthening your password and keeping it secure. If you have other accounts with the same password, change those as well.
  • If you have already fallen victim to the scam, request a refund from your credit card provider.
  • Report the incident to the merchant. 

2) PACKAGE DELIVERY SCAM

In this scheme, which has been making the rounds in the U.K. and elsewhere, a phone or other high-value item is delivered to your door. The package has your name on it—but you didn’t make the order.

Later, a courier shows up, explaining that it was delivered by mistake and asking you to give it back. If you do, you are asking for trouble, because the scammers might have stolen your personal info to order the item in the first place.

As Adam French, a consumer rights expert for Which? (a UK-based consumer body), pointed out in a report on the subject, “Delivery scams are just one of the increasingly sophisticated methods fraudsters are using to leave victims out of pocket.”

As with credential phishing, the scam starts when the fraudsters find a way to get hold of your personal info to place the order. Then, if they don’t manage to intercept the package before it is delivered, they pose as a courier, there to collect the item that was delivered by mistake. 

As one victim explained, “After it happened to us, we were worried about how someone was able to get so far in ordering a phone in our name. We were also worried that it could impact our credit rating, as we were buying a house.”

HOW TO PROTECT YOURSELF

  • If a courier unexpectedly comes to your door asking for you to hand over a package that you just received but didn’t order, don’t do it. Instead, call the company they say they are representing immediately.
  • Get in touch with the retailer and arrange for the item to be sent back.
  • As always, be on your guard against tricksters trying to abscond with your personal details. “Identity theft is on the rise so if you spot any suspicious activity on your account, report it to your bank immediately,” says French. “Ensure personal documents such as bank statements are not left lying around, and are shredded before throwing away."

3) RANSOMWARE MEETS DATA EXFILTRATION

Falling victim to a ransomware attack has long been one of a computer user’s worst nightmares. The term ransomware—also called malware—refers to a malicious type of software that is used to infect a computer, denying access to the system or data. Victims will receive an on-screen alert stating their files have been encrypted or a similar message. A sum of money is then demanded to restore the information. 

Currently, ransomware attacks are on the decline (some reports suggest infections decreased by as much as 28 per cent between 2017 and 2018). That said, there is now an additional twist on this scam that is proving even more pernicious: ransomware developers are copying a victim’s data and releasing it if they don’t pay the ransom. In such a case, as Thomson explains, victims of ransomware also become victims of a data breach.

In one case last fall, Allied Universal was infected by a kind of ransomware that copies the files to servers under the attackers’ control before encrypting the local copies. When the company failed to pay the (approximately) US$2-million-plus ransom, the developers published almost 700 MB worth of stolen data and files from the company. And they said they would release the rest if it did not pay the increased ransom. (For more on how to avoid data breaches and what to do if you are hit, see Data breaches can have a huge impact on you and your business.)

HOW TO PROTECT YOURSELF

Tips for dealing with a ransomware attack also apply to those that are combined with a data breach, says Thomson. However, if a breach occurs, a company must report it to the Office of the Privacy Commissioner. 

For individuals:

  • Do not click on links or open attachments in emails sent to you by someone you do not know.
  • Do not provide personal information over the phone or online to untrusted sources.
  • Install a reputable security software suite on all devices and secure your wireless router.
  • Disable file sharing and remote desktop.
  • Make sure all your software, including anti-virus software, is up to date on all your devices.

If you become a victim:

  • Don’t panic. Do not do anything further on your computer. Contact a trusted IT professional who can try to isolate the threat. 
  • Report the incident to your local police force.
  • Contact the Canadian Anti-Fraud Centre.
  • Consult nomoreransom.org, which was developed by law enforcement and IT security companies globally to help victims retrieve their data. 

For businesses:

  • Train and educate staff on good security practices, and restrict administrative privileges.
  • Do not click on links or open attachments in emails sent to you by someone you do not know. 
  • Use a reputable security software suite. 
  • Back up your system/data regularly to a cloud or removable media such as an external hard drive not constantly connected to the server. 
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. 
  • Make sure all software, including anti-virus software, is up-to-date on all computers, servers and devices, including mobile phones and tablets. 
  • Develop a business continuity plan and incident response plan. 

If your business is targeted:

  • Do not do anything further on your computer. If available, consult your local IT department or an IT professional for assistance.
  • Critical infrastructure, businesses and provincial/ territorial/municipal governments should immediately report the incident to the Canadian Cyber Incident Response Centre (CCIRC).
  • Report the incident to your local police force of jurisdiction and inform CCIRC you have done so. 
  • Contact the Canadian Anti-Fraud Centre.

The RCMP suggests you do not pay the ransom for several reasons:   

  • There is no guarantee that your data will be recovered. 
  • You may be extorted for more money after the original ransom is paid. 
  • You can make yourself a future target. 
  • Extortion via ransomware is a criminal offence, and the money you pay will be used to fund criminals and/or criminal organizations and motivate them to further victimize others. 
  • Even if you have paid the ransom, the RCMP still encourages you to report the incident.

DID YOU KNOW?

As CPA Canada’s 2019 fraud survey shows, fear of identity theft and fraud are big concerns for Canadians. Find practical tips on spotting fraud in Protecting you and your money: A guide to avoiding identity theft and fraud.