The Canadian Radio-television and Telecommunications Commission or CRTC has the authority to administer the Telecommunications Act, including the National Do Not Call List (DNCL) and Canada’s Anti-Spam Legislation (CASL). CASL came into effect on July 1, 2014, and was intended to protect the public from unwanted communications, including annoying emails or texts, often referred to as spam. Spam is a term used to describe unsolicited and unwanted junk email and texts.
And yet — junk emails keep coming in. Worse, many of these emails are fraudulent and are an attempt to get access to your personal data. It is important to be aware of these types of emails and know how to protect yourself from these unwanted solicitations.
What is phishing
Phishing is an active attempt aimed at stealing your personal data. Phishing emails and text messages often tell a story to try to trick you into clicking on a link or opening an attachment. Phishing nearly always has malicious intent.
The volume of phishing emails coming in is higher than it has ever been. The ironic part of the CASL rules is that one would naturally feel that if these rules are in place, no organization can email or text you without prior consent.
Tip: Do not click on links and do not respond
One rule of thumb is to not click on any hyperlinks in emails or text messages that look suspicious. Similarly, avoid opening attachments that come from unknown senders.
If the unexpected email or text message is of a financial matter, we recommend that you forward the correspondence to your Portfolio Manager and then immediately delete it.
As an alternative, you can phone the financial institution to confirm if the communication is legitimate. For Scotiabank, the phone number is 1-800-472-6842. Customers of Scotiabank are given a Scotiacard with this number on the back, and it appears on their monthly statements.
We ask our clients to phone us directly if they suspect anything unusual with an email or text they have received. We will immediately be able to confirm whether we sent the email and the next course of action.
How to protect your personal information
Most phishing emails are trying to steal your personal information for financial gain. This is an area to have heightened awareness. The individuals doing the fraudulent activity are getting extremely creative, and the emails look legitimate.
I continue to receive phishing emails from individuals requesting me to validate or restore my account. In other emails, I am asked to confirm or update personal information.
Some of our clients have received phishing emails that look like they are coming from Scotiabank. I have also received these same types of emails.
With these emails, I forward them to a special “phishing department” at Scotiabank. I explain to clients that they can also forward these emails to Scotiabank at email@example.com.
We recommend our clients immediately delete these emails from their inboxes and sent folders. Never phone the number in the email, and never click on any links within the email.
I remind our clients that we will never ask for personal information by an unexpected email. All emails that we send with personal information will be sent securely, and we would have had a verbal conversation prior to us sending them the email.
All five of the large banks in Canada are good candidates for these types of phishing scams sent by emails and texts. If Canada’s population is approximately 39 million people, then there is a decent probability of a Canadian dealing with one of the five large banks in Canada.
Over the years, I have received phishing emails that look like they are coming from the other big Canadian banks (Royal Bank, Bank of Montreal, CIBC, and TD Bank) — even though I don’t have accounts at these institutions.
Regardless of the financial institution they are trying to replicate, the advice is the same as noted in the previous paragraph: Do not respond or click on any links in these emails.
All of Canada’s five large banks have a phone number that you can look up and call directly to confirm an email or text. All these institutions also have departments that deal with phishing scams that you can forward the email to.
Other things to be cautious of
As noted above, never click on, or respond to emails or text messages from senders you don’t know. However, phishing scams are becoming more and more advanced and creative.
A few additional tips we would like to pass on include always double-checking the name of the sender. Email and web addresses can be easily falsified. Observe email addresses and web addresses closely for slight name or spelling alterations. They may seem like they are coming from a trusted company or individual, but they may not be.
For example, you deal with ABC Company through their customer service inbox. The address for this inbox is firstname.lastname@example.org, and the name shows up in your contacts as “ABC Customer Service.”
One day, you receive an email from “ABC Customer Service” and you hover over the link since the email is requesting you to update confidential information. By hovering over the sender, you see that the email address is actually email@example.com. At first glance this looks correct, but if you slow down and look carefully, you will see that they left the ‘e’ out of customer.
In many of the phishing emails I have received, there have been typos and grammatical errors. In the scam artist’s haste, proper spelling and punctuation are not a priority. On its own, this doesn’t always mean the communication isn’t genuine, but it can be a red flag, especially if the sender is unknown or the email address seems suspicious.
Scammers like to create high-pressure environments and will often demand immediate information and threaten consequences or missed opportunities if not provided. It is always a good idea to slow down and think before clicking or moving forward. Take a moment to review what is being requested of you or what is being offered. In most cases, if it sounds too good to be true, then it is too good to be true.
When updating your computer system, only do updates from your device, or directly from the third party’s official website, and not from an email link requesting you to update your computer. Keeping your computer’s software and antivirus up to date is key in combatting these evolving phishing schemes.
We also recommend monitoring your financial transactions. By reviewing your credit card bills regularly, you will be able to spot discrepancies or charges that you do not recognize. We also recommend setting up activity alerts on your accounts like Google, Amazon, etc. This way you will be notified any time there is a new sign-on.
How we protect clients
In talking to our clients, I explain to them that we put measures in place to protect their information and capital from fraud. We will not accept trading instructions over email or text message, and we will never carry through with a money transfer request without first confirming with our client either in person or on the phone.
Our team knows to be especially careful if we receive rushed explanations, or explanations that are out of the ordinary. Extreme caution is necessary for any payments to third parties or to overseas bank accounts, and we require additional information, documentation, and approval for such requests.
How we communicate with clients
As a Portfolio Manager, we utilize email to distribute timely information quickly and efficiently — not your personal information. We may be sending periodic emails with economic and market commentary, recent financial news, and investing and wealth management ideas and strategies. We also use email to send out event and meeting invitations electronically.
One thing we never ask for is clients’ personal information (i.e. birthdate, social insurance number, bank information, etc.) by email. We will also never send an email to request a client validate, update or verify this information by clicking a link or responding to an email.
Think you've been phished? Steps to take
According to the Canadian Anti-Fraud Centre, 57,578 Canadians fell victim to fraud in 2022, losing a combined total of $531 million dollars.
If you do happen to click on a link or respond to an email or text, do not be embarrassed. It’s important that if a suspicious link has been clicked, that you act fast. Do not provide any of the information they are asking for and disconnect from the internet immediately. After you have disconnected from the internet, contact your local police to file a report as well as the Canadian Anti-Fraud Centre.
Kevin Greenard CPA CA FMA CFP CIM is a Senior Wealth Advisor and Portfolio Manager, Wealth Management with The Greenard Group at Scotia Wealth Management in Victoria. His column appears every week at timescolonist.com. Call 250-389-2138, email firstname.lastname@example.org, or visit greenardgroup.com.