Online fraud and scam prevention

Learn how to keep yourself safe from online fraud.

Online fraud occurs when bad actors use someone else’s personal information for illegal gain. This information is often stolen by criminals who take advantage of the anonymity of the Internet both to trick people into handing over their information and to use that information anonymously for their own gain. Without appropriate preventative measures, this could cause you great harm.

In this article, we discuss several ways online fraudsters might try to steal your personal information, and some tips on how you can keep your personal info safe.

Phishing

Phishing is the practice of sending a phony communication requesting that you divulge personal information, such as bank account numbers or credit card information. You’ve likely seen many of these communications before through text messages or emails claiming to be from a bank, a courier, a corporation, or even the government.

Phishing messages usually include information meant to panic or excite you, such as saying that your account has been charged, that you owe money, or that you have a rebate to claim. 

Phishing messages will often include a link to a website meant to look like it belongs to the company they’re pretending to be. These can be tough to spot, as they use the real company’s logos, language, and layouts to trick you into entering your personal information into the form or giving them your login and password when you try to log in.

Phishing scams often ask you to:

  • Log into your account to claim an offer or dispute a transaction
  • Fill out a survey that includes key personal information
  • Download, install, or run software which contains an information-harvesting virus
  • Open an attachment that will install keyloggers, ransomware, or other malware on your system


Once they have your login or personal information, they’re then free to sell it off to the highest bidder or use it themselves for fraudulent purposes.

Five basic steps to avoid a phishing attack:

  1. Be skeptical of all messages: If you receive a notification email or text message that claims a company's customer database has been breached, remain cautious of any communication from that company.
  2. Be cautious of SMS links and attachments: SMS links and attachments can be legitimate; however, some attachments can contain malware code that will compromise your computer, and SMS links can download and install malware onto your phone. Only open a link or file if you’re absolutely certain it’s from a legitimate source.
  3. Ignore commands or requests for actions: Most companies clearly state that they will never ask for personal information, such as your account number or password. Be skeptical if you receive a request to confirm your personal information.
  4. Read the link: Many attacks have links that go to imposter sites. Only open links to URLs that you are familiar with, and be sure to check for spelling errors: bad actors will often get a domain that is one letter off (such as “questade.com”) to trick you. Never click on or open a suspicious link. Delete all suspicious emails and texts.
  5. Reach out indirectly: If there is a demand for action, don’t respond directly to the text or email, and don’t click the links provided. Instead, contact the company through their corporate number or log in on your own and contact them through their legitimate website.
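The "Read the link" check in step 4 can be automated. The following is an added example, not part of the original article: it flags hostnames that are one or two typos away from a trusted domain, or that bury the trusted name inside another site's hostname. The trusted list and every sample URL other than the article's "questade.com" are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the domains this reader actually does business with.
TRUSTED = {"questrade.com"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent letters) to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two adjacent letters swapped counts as a single edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url):
    """Return 'trusted', 'lookalike' or 'unknown' for the link's hostname."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Simplification: treat the last two labels as the registered domain.
    # Production code should consult the Public Suffix List instead.
    domain = ".".join(labels[-2:])
    if domain in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        brand = good.split(".")[0]
        # Trusted name used as a subdomain of another site, or 1-2 typos away.
        if brand in labels[:-2] or edit_distance(domain, good) <= 2:
            return "lookalike"
    return "unknown"

# Constructed sample links; "questade.com" is the article's own example.
SAMPLES = [
    "https://www.questrade.com/login",
    "http://questade.com/verify",
    "https://qeustrade.com/",
    "https://questrade.com.account-check.example/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

An "unknown" result only means the name does not resemble a trusted one; it says nothing about whether the site is safe.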

Scam robocalls

The robocall is something you’re likely all too familiar with. Robocalls are automated calls that use similar tricks to phishing emails and texts: they claim to be from a corporation, financial institution, or government agency, contacting you about either a special offer or an urgent warning.

If you stay on the line or follow the pre-recorded instructions, you will be transferred to a call center where an agent will try to scam you in one of a number of ways, such as taking your personal information, collecting your login and passwords, or even convincing you to install software onto your computer that will let them run scams and hijack your system.

Currently, the best way to handle a robocall is either to not answer unfamiliar numbers, or to hang up on the robot without taking any action. If the robocall claims to be from a specific company and you think that they legitimately want to reach you, you can always hang up and call the company directly to be certain.

Vishing: non-robo scam calls

While robocalls are currently the most common type of scam call, there are bad actors who place the calls themselves to run specific scams. Vishing (or “voice phishing”) has been using the telephone to take advantage of victims since long before robocalls existed.

One example of a “vishing” scam is the “Grandparent scam”, where a scammer will call an elderly person and say “Grandma/Grandpa, do you know who this is?” If the victim says “yes”, the scammer will claim to be in trouble and need money.

Scam calls that don’t involve robocallers are known to be more targeted, meaning they may already know details about you, and may even be using a “spoof” to make it look like the call is coming from a familiar number.

The rules of thumb for non-robo scam calls are largely the same as other scam prevention: never give out personal information if you’re not certain, and always be cautious about anyone who calls asking for money.

If you receive a call asking for money or personal information, hang up. If you’re worried that it may be a legitimate call, hang up and directly call the person or institution they’re claiming to be.

Pharming

Also called DNS poisoning, domain spoofing or domain name hijacking, pharming is the practice of taking over a legitimate domain address. Hackers use a number of methods for pharming, but the result is the same: a user types a legitimate domain name into a browser and is led to a phony site. How? One method is for a hacker to break into your computer via malware and change the IP addresses in your hosts file. Another method is to tamper with the link between a domain name (www.companynamehere.com) and its associated IP address (the string of numbers behind the URL) at a DNS or proxy server. In both cases, you input the correct name, but the IP associated with that name has been altered by criminals.
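The first method above, a tampered hosts file, can be checked for directly. The following is an added example, not part of the original article: it scans hosts-file text for entries that pin a watched domain to a fixed IP address, which on a home computer is almost never legitimate. The watched names and the sample file contents are constructed assumptions.

```python
import ipaddress
import os

# Assumption: names that should always be resolved by DNS, never pinned locally.
WATCHED = {"questrade.com", "www.questrade.com"}

# Constructed sample of a tampered hosts file (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.25    www.questrade.com questrade.com   # added by unknown software
0.0.0.0         ads.tracker.example
not-an-ip       broken.example
"""

def hosts_path():
    """Standard hosts-file location on Windows and on Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, ip, name) for every watched name pinned in hosts-file text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; not a usable entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in watched:
                findings.append((line_no, str(ip), name))
    return findings

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}")
    # To audit the real file: audit_hosts(open(hosts_path()).read())
```

This covers only the hosts-file method; an altered record at a DNS or proxy server leaves the local file untouched.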

The big difference between phishing and pharming is user involvement. With phishing, it is up to the user to click on the link leading to a fake site. If the link is not compelling or the user is suspicious, he or she will not follow the link. With pharming, the user has no control over the sites they visit. A perfectly legitimate domain name can lead to an illegitimate IP address.

There are several steps you can take to protect yourself against pharming:

  1. If you use a wireless router, ensure you change its default settings and administrative passwords. Factory settings are easily cracked. Remote administrative access is one of the characteristics of wireless routers and is an enormous vulnerability. Criminals can access your computer without ever being on site or on-line. This is called drive-by pharming.
  2. Look for the S at the end of HTTP in the address. On Questrade's site, for instance, the address for all secure areas begins with https to indicate it has SSL (Secure Sockets Layer). Also, the address bar in your browser will turn green; it has been verified by Verisign's latest technology, EV recognition. This indicates that it is safe to continue with any confidential transactions with Questrade.
  3. If a security certificate warning pops up, do not ignore it. This is your browser warning you that there is something irregular about the certificate, such as forgery.

Spyware and malware

Any unwanted software that is downloaded onto a user's computer without consent is called spyware or malware (although initially distinct, spyware and malware have evolved to such a point that the two terms are pretty much interchangeable today). The software can perform any number of unapproved operations, including tracking your online surfing destinations, keylogging (tracking keystrokes to extract personal information), infecting your hard drive, and turning your computer into a re-sender of more spyware. Some types of malware include viruses, worms, Trojan horses, and adware.

Sophisticated security packages that can detect, isolate, prevent and remove spyware and malware are readily available commercially. Because criminals are continuously introducing new types of malware, security packages typically include regular updates. Remember to install these updates for your security system to operate at peak performance.

What scammers do with the information

Bad actors can do a lot of damage with your personal information. If they get your login and password, they can use it not only to access whatever account you thought you were signing in to, but also any other bank account, email, payment software, social media, or other account that uses the same password. And, if they get enough personal information, they can commit identity theft.

What is identity theft?

When someone commits identity theft, they use your personal information to do things like open accounts, take out loans, and sign up for credit cards in your name.

Worst of all, scammers might be able to use your personal information to scam the people close to you as well, sending emails and private messages from your accounts claiming to be you.

Needless to say: when it comes to scammers, an ounce of prevention is worth a pound of cure. Always be cautious about unsolicited emails, texts, and phone calls, and never send money or give personal information if you’re not 100% certain about the legitimacy of who you’re talking to. 

What if your personal information is already compromised?

If you suspect that you are the victim of identity theft:

  • Keep records of all charges, documentation, and correspondence related to the suspicious activity
  • Contact your local police, and get a copy of the police report to share with your financial institutions, credit card issuers, and credit reporting agencies if necessary
  • Contact your financial institutions to make sure they’re aware of the identity theft, and change any passwords that may have been compromised
  • Contact a credit reporting agency like Equifax Canada or TransUnion Canada to monitor your credit and minimize the damage done to your credit
  • Contact Service Canada if you think your Social Insurance Number has been compromised
  • If you believe you know how they got your information, report the scam to the Canadian Anti-Fraud Centre

Note: The information in this blog is for educational purposes only and should not be used or construed as financial or investment advice by any individual. Information obtained from third parties is believed to be reliable, but no representations or warranty, expressed or implied, is made by Questrade, Inc., its affiliates or any other person to its accuracy.
