Banking and financial services, like most daily activities, have largely become digital. According to How Canadians Bank, a large biennial study by the Canadian Bankers Association (CBA), more than three‑quarters (76 per cent) of Canadians use digital channels to conduct most of their banking transactions, and this is expected to increase in the years ahead. The COVID‑19 pandemic has also accelerated the shift to online and mobile banking.
The shift to digital is wide-ranging and is changing every sector, everywhere. The digitization of banking is unlocking new solutions and capabilities for customers and financial institutions alike, but it also creates new fraud risks. The risk-reward ratio for digital financial crime at a distance is becoming more attractive to criminals, and as a result, they are increasingly moving their illicit activities online. While this happened before the COVID‑19 crisis, fraudsters have ramped up in recent weeks. In this new security environment, banks and their customers must be ever vigilant to guard against a rising tide of digital financial crimes.
As fraud continues to move online, banks go to great lengths to protect and support clients affected by unauthorized activity. Banks in Canada are responding to evolving fraud risks and have developed whole new frameworks and advanced technologies to detect, prevent and defend against a growing number of fraud typologies. Indeed, in today’s digitalized environment, security is a shared responsibility. Customers must also stay vigilant, always adhere to safe online and email practices, and distinguish between legitimate requests and attempted fraud.
The new frontier of fraud
In the early 2000s, phishing went from a relatively unknown phenomenon to an everyday topic. We have come a long way from "Nigerian Prince"-style email scams, however. Fraudsters are now using sophisticated tactics to perpetrate their scams, including romance, grandparent, and government or tax agency frauds, business email compromise, and SIM swap, to name a few. These frauds all have the same aim: to obtain access to a person’s data in order to misappropriate their funds, or in some cases, use identity deception to con them into sending money to an account controlled by the fraudster.
To be sure, cyber and data breaches are a significant challenge for twenty-first century business. In an interconnected world, a breach at one company, in any sector, anywhere in the world has the potential to impact customers elsewhere. In a high technology environment, individual actors can have a disproportionate effect by collecting vast quantities of information for illicit purposes, including identity theft, social engineering, impersonation scams, "true name" fraud and account takeovers. Criminals can buy breach data on the Dark Web and use it to target people and their money globally. Further, they are sharing intelligence through organized networks.
Examples of recent high-profile cyber incidents:
- Target (2013): 110 million people
- Yahoo (2013): 3 billion accounts
- eBay (2014): 145 million users
- Equifax (2017): 148 million people
- Facebook (2018): 50 million accounts
- Marriott International (2018): 500 million records
With stolen data in hand, criminals' use of social engineering and phishing attacks is becoming more common. Social engineering is the process by which criminals exploit our basic human urge to respond to urgent requests, be useful or help out a friend in need, to lure us into providing information that can be used to commit financial fraud. Generally social engineering results in:
- Unauthorized access to customer bank accounts by criminals who have obtained personal information to gain access (i.e. account takeover)
- Authorized transactions where a customer is coerced or tricked into sending money to an account controlled by the criminal, believing them to be legitimate (i.e. scams)
Three ways to spot social engineering
- Using fear as a motivator. Threatening or intimidating emails, phone calls and texts are techniques social engineers use to scare you into acting on their demands for personal information or money.
- Suspicious emails or texts that include urgent requests for personal information are a major red flag that someone is trying to trick you.
- Too-good-to-be-true offers or unusual requirements. If an online contact offers you free access to an app, game or program in exchange for login credentials, beware. Similarly, free offers online can often contain malicious code or malware.
The best defense is a good offense
Banks upgrade their security systems and procedures to help stay ahead of criminals. They invest significant resources into their security infrastructure, including layered fraud detection and mitigation technologies, and dedicated cyber and fraud professionals support the output of those systems. As fraud trends shift and new types emerge, banks frequently review system parameters to add new rules or scenarios. Beyond enterprise case management solutions, there are several additional point solutions that are deployed, monitored and analyzed to maximize results.
Even though the threat of digital financial crime is substantial, it does not always mean that people will lose their money. Banks make significant efforts to protect and safeguard customer accounts, guard against a range of fraud types, and have robust cyber security and resiliency programs and policies. Despite the growing number of attempts, Canadian banks have a strong record of protecting their systems and customers from ever-evolving cyber threats. Moreover, they work closely with law enforcement agencies and authorities in Canada, and internationally, to help them with their investigations into financial fraud and the prosecution of suspected criminals.
While massive investments in anti-fraud technology and highly skilled security professionals are having an impact, customers also have a very important role to play.
How can I protect myself from scams?
In the digital era, online security is by necessity a shared responsibility between banks and their customers. People must protect themselves in all that they do online, stay informed and use critical thinking. To that end, the CBA and its members widely share information resources to educate Canadians about the latest scams and provide actionable tips on how they can detect and avoid fraud and practice effective “cyber hygiene” and email security.
Start with these easy-to-implement safe online habits:
- Create a "passphrase" instead of a password. Don’t share this with anyone.
- Check if the email sender is legitimate. Fraudsters may disguise their identity.
- Beware of emails from people or companies that you do not know.
- Do not click on links in any suspicious looking emails or reply to them.
- Only give your personal information to people and organizations you trust.
- Type in the address for internet banking and avoid clicking on email links.
- Only bank on secure websites with the padlock symbol in the address bar.
- Avoid public computers and WiFi for internet banking (e.g. cafés, libraries).
- Keep your computer’s security software up to date.
In line with Fraud Prevention Month in March, the CBA recently developed helpful toolkits for consumers and businesses to protect themselves from the most common cyber threats.
Lastly, if you think you’ve been the victim of a banking scam, contact your bank immediately. You should also change your internet banking password as soon as possible.