The Canadian Radio-television and Telecommunications Commission, or CRTC, has the authority to administer the Telecommunications Act, including the National Do Not Call List (DNCL), and Canada’s Anti-Spam Legislation (CASL). CASL came into effect on July 1, 2014. CASL was intended to protect the public from unwanted communications, including annoying emails or texts, often referred to as spam. Spam is a term used to describe unsolicited and unwanted junk email and texts.
Last week we focused on unwanted telephone calls. This week, our focus will be on both spam and unscrupulous emails and text messages. Similar to last week’s column, the purpose of this article is to provide tips on how best to protect yourself and your money from fraudulent activity. Despite CASL coming into effect nearly seven years ago, junk emails keep piling up. What is more concerning now are the fraudulent and non-legitimate emails; we will refer to these emails and texts as phishing.
Phishing emails and texts are malicious
Phishing is an active attempt aimed at stealing your personal data. Phishing nearly always has malicious intent. The volume of phishing emails coming in is higher than it has ever been. The ironic part of the CASL rules is that one would naturally feel that, with these rules in place, no organization can email or text you without prior consent. In my opinion, CASL is not effective in stopping emails from those unscrupulous individuals that may, or may not, live in Canada.
Always be skeptical
Similar to phone calls, always be skeptical of uncertain emails or texts. These days, more than ever, people must be extremely careful when they receive unsolicited emails and texts. In this age of technology, computer systems can send text messages and blanket emails to large populations quickly. Never provide personal information when you are not 100 per cent sure the email or text message is legitimate.
Do not click on links and do not respond
Unless you know for certain that the email is legitimate, never click on any links, call phone numbers in the email, or respond to the email. If the unexpected email or text message is of a financial matter, we recommend that you forward the email to your Portfolio Manager and then immediately delete the email from your inbox and sent folder.
As an alternative, you can phone the financial institution to confirm if an email is legitimate. For Scotiabank, the phone number is 1-800-472-6842. Customers of Scotiabank are given a Scotiacard with this number on the back of the card, and it appears on their monthly statements. We ask our clients to phone us directly if they suspect anything unusual with an email they have received. We will immediately be able to confirm whether we sent the email and the next course of action.
Phishing emails seeking information
Most phishing emails are trying to steal your personal information for financial gain. This is an area to have heightened awareness. The individuals doing the fraudulent activity are getting extremely creative, and the emails look legitimate.
Over the last several years I have received phishing emails from individuals requesting me to validate or restore my account. In other emails they have asked me to confirm or update personal information. Some of our clients have received phishing emails that look like they are coming from Scotiabank. I have also received phishing emails appearing like they are coming from Scotiabank.
With these types of emails, I forward them to a special “phishing department” at Scotiabank. I explain to customers that they can also forward these emails to Scotiabank at firstname.lastname@example.org.
We recommend our clients immediately delete these emails from their inbox and sent folder. Never phone the number in the email and never click on any links within the email. You can hover your mouse over the link until a small box appears with the URL which will show the web address. Do not click on this link either.
I remind our clients that we will never ask for personal information by an unexpected email. All emails that we send with personal information will be sent securely and we would have had a verbal conversation prior to us sending them the email.
All five of the large banks in Canada are good candidates for these types of phishing scams sent by emails and texts. If Canada’s population is approximately 38-million people, then there is a decent probability of a Canadian dealing with one of the five large banks in Canada. In fact, over the years I have also received phishing emails that look like they are coming from the other big Canadian banks (Royal Bank, Bank of Montreal, CIBC, and TD Bank) — even though I don’t have accounts at these institutions.
Regardless of the financial institution they are trying to replicate, the advice is the same as noted in the previous paragraph: do not respond or click on any links in these emails. All of Canada’s five large banks have a phone number that you can look up and call directly to confirm an email or text. All these institutions also have departments that deal with phishing scams that you can forward the email to.
All large companies and organizations are at risk of phishing scams
Risk exists with all responses to any phishing emails. Above, we used financial institutions as an example. The risk exists with any emails that you receive requesting information. Whether you received a fraudulent email claiming that you have to validate your account or update your details on Netflix, Amazon, Apple, Shaw, Canada Revenue Agency, etc., do not open links, call the number in the email, or respond.
The fraudulent emails look real and they typically target popular companies where people are likely to have accounts. As with financial institutions, if it is not obvious whether an email is fraudulent, you are always best to look up the contact details yourself and contact the company or organization directly to confirm.
What to look out for
As noted above, never click on, or respond to, emails or text messages from senders you don’t know. However, phishing scams are becoming more and more advanced and creative. We would like to pass on a few additional tips, the first of which is to always double-check the name of the sender. Email and web addresses can be easily falsified.
Observe email addresses and web addresses closely for slight name or spelling alterations. They may seem like they are coming from a trusted company or individual, but they may not be. For example, you deal with XYZ Company through their customer service inbox. The address for this inbox is email@example.com and the name shows up in your contacts as “XYZ Customer Service”.
One day, you receive an email from “XYZ Customer Service” and you hover over the link since the email is requesting you to update confidential information. By hovering over the sender, you see that the email address is actually firstname.lastname@example.org. Anyone could develop their own email domain to pose as a notable brand.
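The sender check described above, written out as an added example (it is not part of the original column): it compares the address behind a familiar display name with the address you already have on file and flags near-miss domains. The contact book, addresses and domains are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed contact book: display name -> the address you actually deal with.
KNOWN_CONTACTS = {"xyz customer service": "service@xyzcompany.example"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Classify a From: header as 'ok', 'unknown', 'mismatch' or 'lookalike'."""
    name, addr = parseaddr(from_header)
    known = contacts.get(name.strip().lower())
    if known is None:
        return "unknown"            # display name is not in the contact book
    addr, known = addr.lower(), known.lower()
    if addr == known:
        return "ok"                 # same address as the one on file
    domain = addr.rpartition("@")[2]
    known_domain = known.rpartition("@")[2]
    # A domain one or two edits away from the real one is a deliberate imitation.
    if domain != known_domain and edit_distance(domain, known_domain) <= 2:
        return "lookalike"
    return "mismatch"               # familiar name, unrelated address

# Constructed sample headers; the second swaps "m" for "rn" in the domain.
SAMPLES = [
    '"XYZ Customer Service" <service@xyzcompany.example>',
    '"XYZ Customer Service" <service@xyzcornpany.example>',
    '"XYZ Customer Service" <xyz.service@freemail.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):10} {header}")
```

An "ok" result only means the visible address matches the one on file; because addresses can be falsified, the advice to confirm through a phone number you looked up yourself still applies.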
In many of the phishing emails I have received, there have been typos and grammatical errors. In the scam artist’s haste, proper spelling and punctuation are not a priority. On its own this doesn’t always mean the communication isn’t genuine, but it can be a red flag, especially if the sender is unknown or the email address seems suspicious.
An emotion that scammers play on is the sense of urgency, so it’s always a good idea to take a step back and think twice about what is being requested of you, or what you are being offered. For example, scammers will often request you to confirm your account details immediately or else you may ‘lose access to your money’, or ‘miss out on a once in a lifetime opportunity’. If it seems too good to be true, chances are it is.
When updating your computer system, only do updates from your device, or directly from the third party’s official website, and not from an email link to update your computer. Keeping your computer’s software and antivirus up to date is key in combatting these evolving phishing schemes. We also recommend checking your financial accounts regularly and setting up activity alerts on your accounts like Google, Amazon, etc. This way you will be notified anytime there is a new sign-on.
In talking to our clients, I explain to them that we put measures in place to protect their information and capital from fraud. We will not accept trading instructions over email or text message, and we will never carry through with a money transfer request without first confirming with our client either in person or on the phone. Our team knows to be especially careful if we receive rushed explanations, or explanations that are out of the ordinary. Extreme caution is necessary for any payments to third parties or to overseas bank accounts, and we require additional information, documentation and approval for such requests.
CASL deals with Commercial Electronic Messages (CEM). As a Portfolio Manager, we utilize email to distribute timely information quickly and efficiently – not your personal information. We may be sending periodic emails with economic and market commentary, recent financial news, and investing and wealth management ideas and strategies. We also use email to send out event and meeting invitations electronically – all of which is classified as a CEM.
We will never ask for a client’s personal information (i.e. birthdate, social insurance number, bank information, etc.) by email. We will also never send an email to request a client validate, update, or verify this information by clicking a link or responding to an email.
Obtaining CASL consent
As noted above, we communicate a lot with clients through email. We can send our clients emails as we have obtained “consent” as part of the account opening process. Consent is best understood by looking at two terms, “express consent” or “implied consent.”
“Express consent” is obtained when a business asks for your permission to continue sending CEM and you provide consent (i.e. you say “yes” or click “accept” on an email). Scotiabank has created electronic marketing systems to keep track of those individuals who have provided “express consent”. In asking for permission, Scotiabank must explain the reasons why they are asking for consent and provide the following information: name, address, telephone number, and website. The sender of the CEM must provide you the ability to unsubscribe from any future email communications if you so wish.
“Implied consent” is best understood from looking at certain actions. If an individual business owner receives an incoming email requesting information, then the business owner has implied consent and can respond to that email. One incoming email does not provide ongoing “express consent.” If the person who initially emailed a business does not reply to the business’s response email, the email chain ends and so does consent.
For example, we have readers of the Times Colonist that have read our column and then email us with questions, or to set up an initial meeting. In this example, we have implied consent to respond to the email.
Steps to take
According to the Canadian Anti-Fraud Centre, 41,007 Canadians fell victim to fraud in 2020, losing a combined total of $107.5 million. If you do happen to click on a link, or respond to an email or text, do not be embarrassed. If a suspicious link has been clicked, it’s important that you act fast. Do not provide any of the information they are asking for and disconnect from the internet immediately. After you have disconnected from the internet, contact your local police to file a report, as well as the Canadian Anti-Fraud Centre.
Kevin Greenard CPA CA FMA CFP CIM is a Portfolio Manager and Director, Wealth Management with The Greenard Group at Scotia Wealth Management in Victoria. His column appears every week at timescolonist.com. Call 250-389-2138, email email@example.com, or visit greenardgroup.com.