The world is still dealing with the enduring COVID-19 pandemic. At the onset of the crisis, organizations scrambled to move business operations online, while employees quickly transitioned to working remotely. This all created ripe conditions for cyberattacks. Reports of fraudulent emails that extort information and money – otherwise known as phishing scams – have skyrocketed during the pandemic.1 Some attempts have even been disguised as COVID-19 lifelines.
In July 2021, the United States Secret Service intercepted a Business Email Compromise (BEC) scam that could have resulted in an American company losing almost US$750,000. The successful interception was a direct result of a Canadian company reporting the scam to the Canadian Anti-Fraud Centre (CAFC) in June, which notified the authorities in the U.S., prompting the bank to put a hold on the transfer.2 This was a close call that could have had a disastrous outcome. In Canada, the CAFC says more than 67,000 consumers and businesses suffered total losses of $104 million after falling victim to fraud last year. Unfortunately, it’s estimated less than five per cent of victims file a fraud report with the CAFC.3
Here are a few telltale signs of BEC scams, according to the Canadian Bankers Association (CBA)4:
- The CEO scam: Spoofed emails that appear to be sent from senior company officials, such as the CEO or CFO. These emails are typically directed to people in the accounting or finance departments and will make urgent requests for wire transfers to a third party.
- Supplier phishing: Suspicious emails that look like they’re coming from suppliers your company works with. These emails will request that an individual pay an outstanding invoice and wire money to a fraudulent account. The CAFC says a variation on the supplier scam is the point-of-sale service scam, where a caller claims to be your point-of-sale vendor who needs to update your debit machine. In fact, the caller is trying to get you to sign up for point-of-sale services with the scam company.
- Information theft: Cybercriminals may also seek classified information about your company’s operations and finances, such as tax statements or account numbers. These emails aren’t always obvious and can appear legitimate.
The CAFC recommends the following steps for organizations to take to crack down on fraudulent phone calls or emails5:
- Compile a list of companies that are typically used by your business and give authority only to certain staff to approve purchases and pay bills.
- Before sending any funds or products, contact existing clients in person or by telephone to confirm that the request is legitimate.
- Don’t provide information on unsolicited calls and educate staff at every level to remain vigilant.
- Watch for spelling and formatting errors and be wary of clicking on any attachments as they can contain viruses and spyware.
- Inspect invoices thoroughly before paying a supplier/vendor.
Other scams focus more on individuals, and because of the shift to remote work, it’s not as easy to spot a ruse.
Employment scams have become more prevalent as the economy continues to recover and job seekers look for work. The Better Business Bureau (BBB) says although these scams are as old as time, they became rampant during the pandemic. In 2019, an estimated 14 million people were conned by cybercriminals posing as new employers, resulting in $2 billion in direct losses.6
Earlier this year, Toronto Police Services issued a warning to the public about ongoing work-from-home scams aiming to steal large sums of money from unsuspecting victims. Cybercriminals disguised as employers reportedly posted job advertisements online and asked applicants to accept money through an e-transfer or deposit a cheque. The applicant was then asked to withdraw money from their own account and deposit it into a Bitcoin ATM. When the applicant went to cash the cheque, they discovered it was not honoured by their bank. It was also determined that the e-transfer was fraudulent.7 In the end, victims were out a substantial amount of money.
Income tax scams are also common. While Canadians are getting better at spotting these scams, the threatening phone calls are recognized by the CAFC as a type of extortion fraud that resulted in Canadians losing $12.5 million in 2020.8
How to avoid this scam:9
- Remember that the Canada Revenue Agency (CRA) will never demand immediate payment by e-transfer, bitcoin, prepaid credit cards or gift cards from major retailers.
- The CRA will not use aggressive language or threaten you by saying you will be arrested.
- CRA officials will not give or ask for personal or financial information by email or send you an email with a link to your refund.
- The CRA will never request to meet you in person to settle a payment.
We live in a digital age where information comes at us hard and fast. Cybercriminals recognize that society is trying to keep up with the onslaught of news about the deadly COVID-19 virus, so they find unique ways to capture our attention. Suspicious emails offering vaccine passports, miracle cures for COVID-19, herbal remedies, vaccinations and other virus-related products or services are all attempts to steal money and personal information. Other fraud schemes range from fake job offers to government assistance applications.10 Chances are if it looks or sounds too good to be true, it probably is.
Knowledge is power and remains the best line of defense against fraud for both businesses and individuals. According to the CBA, here are a few ways to spot and avoid phishing scams:11
- Is the information request legitimate? Your bank should never send you an email demanding that you disclose personal information such as your password, credit or debit card, or your mother’s maiden name.
- Does the email have a sense of urgency? Warnings that you will be locked out of your account if you don’t hand over personal information are red flags.
- Does the sender email address seem suspicious? Look for spelling errors or if the email domain doesn’t match where the sender says they’re from.
- Does the email contain an unusual link or an attachment you weren’t expecting? Sometimes a link to a website may look valid, but if you hover your cursor over it, you can see the real hyperlink. If it doesn’t seem to match what the sender says it is, it’s probably a phishing attempt. Never click on or open suspicious links and attachments.
Remember, HSBC Bank will never request information that could be used to make a payment, such as asking you to provide security device codes or requiring you to divulge any of your security details over email or by phone.