Reader's Digest (Canada)
HOW TO OUTSMART A SCAMMER
They’re stealing passwords, impersonating the CRA, charging thousands to credit cards and ruining our lives. It’s time to beat them at their own game.
As if the COVID-19 pandemic hadn’t stolen enough from our lives, it also created a fertile ground for scams. The Canadian Anti-Fraud Centre saw a 32 per cent increase in reports of scams between the end of 2019 and the end of 2020. The most common are phishing emails or texts, phone calls from scammers impersonating banks or governments, phony job advertisements and retail scams hawking fake goods. It’s not that there are more fraudsters, explains Jeff Thomson, an RCMP senior analyst at the CAFC, but more innovative forms of fraud—and more people online to target. “Right now, we are forced to do our everyday shopping or groceries online, so we’re increasing that online user base,” he explains. And Thomson expects those scams to keep proliferating throughout 2021. “More people are vulnerable to scams, and more people are more likely to run into scams.”
This is the year to scam-proof your life. Here’s how.
DON’T FALL FOR FACEBOOK FRAUD
With its 2.79 billion users, Facebook is an all-you-can-eat buffet for cyber fraudsters. These are the five most common ways scammers will try to steal your money or your identity—or both.
1. The phishing attack
One of the most common scams on Facebook is phishing, in which individuals or organizations send you a message seeking money. An urgent DM from a trusted friend, exhorting you to click on a sketchy-looking link or install software, is likely coming from a scammer who has either hacked into or cloned that friend’s account. Clicking on that link might trigger an unauthorized malware download or send you to a fake login page, compromising your information. Some scammers personalize the attacks—a technique known as “spear phishing,” says Kathy Macdonald, a former Calgary police officer and independent cybersecurity consultant. “This means the attacker has done some research on their target so that they can personalize the contact—they’ll find out, maybe from social media, where you live, where you like to go on vacation, your relationship status,” she explains. The conclusion? Don’t click on those links. If you’re interested in the content, search for information in a separate browser.
2. The fake contest
Many scammers will bait users with the promise of a tempting contest prize: a legitimate-looking post offering entrants the chance to, say, meet Vin Diesel or win a free SUV. These links can lead to malware infections and damage to devices. “At the very least, they’ll get your account added to spam lists,” explains Claudiu Popa, president of the cybersecurity company Datarisk. Even real contests are susceptible to fraud: in January, for example, the P.E.I. restaurant Nimrods’ held a contest to win a gift certificate. Within days, entrants were receiving false emails from fake accounts claiming to be Nimrods’, telling them they’d won and asking for credit card info. “It hurts to see that people are misusing our company name, and tricking people to make money,” said Nimrods’ owner Mikey Wasnidge.
3. The share scheme
The classic chain letter has received a digital makeover. Scammers will pose as Facebook administrators updating users on privacy policies or data ownership, and urgently implore those users to share the link and pass it on to their friends. “Fraudsters will track those shares, identifying the Facebook profiles of those who fall for it as the marks in future fraudulent or disinformation campaigns,” says Popa.
4. The non-existent grant
In COVID-19 times, the government is offering all kinds of financial assistance: CERB, small-business loans, rent relief. And scammers are taking advantage. Users might see an official-looking ad for free government funding, which will take them to fraudulent links with plenty of strings attached. “Ultimately it leads to a request for personal information and money up front to get the grant,” says the CAFC’s Thomson. “And, of course, there’s no grant. They don’t receive anything at all.”
5. The catfishing scam
A sophisticated class of romance scammers is taking advantage of lonely hearts. Facebook helps them learn crucial information about their victim before establishing contact. A romance scammer will often claim to be in the military, working on an oil rig or volunteering overseas, waiting to save enough money to move back home. They might spend months grooming their target, and will seem to always be available to chat because, in reality, the suitor is several people working in cahoots. The first rule of online romance: never send them a penny. If they ask you to cover travel expenses or medical bills, or even buy them Amazon gift cards, it’s time to move on.
AVOID TOO-GOOD-TO-BE-TRUE DEALS
Early in the pandemic, online shopping doubled, with Canadians spending some $4 billion between February and May 2020, according to Statistics Canada. New and sophisticated retail scams also increased: over the 2020 Black Friday–Cyber Monday weekend, for example, suspected e-commerce fraud in Canada spiked by 435 per cent compared to the same time in 2019. Thomson says much of the fraud involves brand name or designer items. “We saw fake blenders, hot tubs, Lego,” he says. “PlayStation 5s were a particularly hot commodity, since those are hard to come by to begin with.”
Fraudsters have become alarmingly good at the work they do—they often create slick, faux third-party resale sites to hawk the most coveted video game consoles and designer sneakers, or post ads on eBay, Amazon and Kijiji with glossy, high-quality product photos that look just like the real thing. Some of the most scammable items are pricey tech devices, like laptops, hard drives or tablets, says Popa. “In the best-case scenario, you might buy it and discover it’s either not functioning or it’s not the right amount of data storage,” he explains. Sometimes you pay for the product—and it never arrives. “I find this happens with eBay a lot. Two months pass, you’ve bought a bunch of other products [and] you’ve forgotten about the one you were expecting,” Popa says. “Then you go back a couple of months later, and the seller has disappeared.”
The most glaring warning sign to watch for is probably the thing that attracted you to the product in the first place: the price. If it seems too good to be true, chances are it is. “If you want a Canada Goose jacket that costs a thousand bucks, and you hop online and suddenly you’re finding ads offering them for $400 or $600, that’s likely a fake,” Thomson says. Popa, meanwhile, flags a practice known as astroturfing, where sellers publish false reviews on sites like eBay and Amazon to make their account look more legitimate. “You’ll find those to be very superficial. Sentences are very short or incoherent, and sometimes they’re just star reviews with no text,” he says. He advises buyers to read reviews closely and critically, and also to stick with sellers who have proven longevity and a significant number of transactions. “If the vendor has been on the platform for 15 years, you can see their track record,” he says.
To further steel yourself against scammers, use platforms with fraud protection. “You need to transfer the risk of fraud to sites providing you a service,” Popa says. PayPal offers some fraud insurance, he says, while eBay has a money-back guarantee, though only for certain types of purchases.
HANG UP ON THESE FAKE CALLERS
Scammers aren’t just thieves—they’re master manipulators. “This pandemic has been perfect for tricking people into divulging personal information using technology,” says Macdonald. “That’s because people are already highly emotional. They’re fearful, they’re anxious, and scammers can leverage those things.” Increasingly, fraudsters are doing this through phone scams, which doubled in 2020, according to the CAFC. One of the most common schemes is when they impersonate officials from the Canada Revenue Agency or RCMP. “They’ll play on your fear by shocking you and telling you something’s happened to your account, that you owe taxes or fines,” Macdonald says. In reality, when the CRA calls, they may ask you to verify your name, birthdate or address, but they will never ask you for your driver’s licence or social insurance number, or demand immediate payment. If you suspect you’ve been targeted by any of these scams, you should report the sketchy behaviour to the Canadian Anti-Fraud Centre’s website or hotline (1-888-495-8501).
A similar phone scam, Thomson says, involves a fake bank investigator claiming that there have been unauthorized charges on your account and that you’ll need to pay a fee to protect your funds. These calls usually occur early in the morning and target people with landlines; this is because landlines often have something called a delayed disconnect, which means the caller is still connected even after you hang up. He might ask you to hang up and dial the number on the back of your credit card, but you’ve never really hung up. So, when you provide your personal information to the person who answers at the supposed credit card company, it’s still the same fraudster on the line.
STOP OVERSHARING YOUR CREDIT CARD
Credit card information should always be dispensed sparingly—given those details, some swindler might rack up unauthorized charges, damage your credit score or even sell that information to other fraudsters. But in our online-everything climate, it’s often necessary to provide those digits to buy goods or services. If you do, take steps to ensure the site where you enter that information is secure. “Look for the HTTPS in the URL,” Thomson says. “That shows the site is locked and encrypted, and it’s standard across most reliable sites.” Other times, sites for things like newspaper subscriptions or streaming services will offer users free 30-day trials, promising not to charge the card until the trial period is up. You’re best off avoiding those trials altogether, says Claudiu Popa. “You have no idea whether this company can protect your information, and the fewer companies that have your credit card on file, the better,” he explains. When it comes to credit cards, hypervigilance is the best policy: instead of paying bills automatically, read statements closely, check your credit score once a year and familiarize yourself with your card’s fraud insurance.
SECURE YOUR WI-FI AGAINST INTRUDERS
No matter how secure your Wi-Fi password is, a hitchhiker can sneak onto your network. If someone is stealing your Wi-Fi, you might notice slower speeds than usual, pop-up ads that seem out of sync with your family’s interests and browsing, and higher-than-usual usage bills. To get to the bottom of the issue, you’ll want to check your router to see which devices are logged into your network—which is probably a smart practice even when you don’t suspect a Wi-Fi weasel. And this kind of vigilance is a good idea outside of the home, too; coffee shops and co-working spaces may seem like a distant memory, but one day we’ll be using public Wi-Fi again. When you do, be sure to avoid sensitive transactions until you’re safely back on your own network. “I always suggest that people never use public Wi-Fi to enter credentials into a bank, for example, or buy any products,” says Macdonald.
PROTECT YOUR PASSWORDS
Immediately kibosh all kids’ birthdays, pets’ names or beloved sports teams from your rotation. What you need instead are long, random passwords—blends of capital and lowercase letters, numbers and obscure symbols galore—and you’ll need a different one for each of your accounts. If a scammer figures out that you reuse a password, they can hack into your other accounts, and even into your email. Once inside your email, they will have all kinds of information to impersonate you. Download an authenticator app on your phone and use it for two-factor authentication for email and banking passwords, since those are the treasure chests of information for would-be identity thieves. Collect all your passwords in an offline database, either a password manager you download for your computer—Popa recommends Password Safe and KeePass as trustworthy options—or the one that comes with your smartphone. Then do it all again: protect the password database with a two-factor authentication method along with a long, unique password.
BLOCK SITES FROM TRACKING YOUR EVERY MOVE
Every time you sign up for a newsletter, register on a website, accept cookies (chunks of tracking data) onto your browser, order an item online or comment on a forum, you’re expanding your digital presence and potentially exposing yourself to people who might pilfer all that information and use it against you. One way to mitigate that risk is to use pseudonyms and nicknames when signing up for accounts, communities and forums. Another tactic Popa recommends is using disposable emails: when a website asks for your email address to read an article or create an account, you can use a service called Mailinator to generate a one-time email address without compromising your real one. “No one tells you this, but email addresses are the primary attack method for any type of cyber fraud—ransomware, phishing, spam,” he says. “The scammers can keep trying new angles and scenarios until you bite.” Periodically, it’s smart to clean your digital footprint: for a fee, services like DeleteMe will help close all the accounts and services you’ve signed up for, and keep checking periodically to ensure your information hasn’t been re-added to any spam lists.
Despite their sweet name, cookies aren’t always harmless. When a site asks for session cookies, that’s usually okay, because all it’s doing is saving your preferences for that particular site. Some sites, however, ask you for permission to use third-party cookies, which means they can share the information they collect with other parties. Review the settings on your web browser to block these persistent cookies. Popa also recommends a browser extension called Privacy Badger, a free tool that tracks the cookies being written into your computer and blocks them before they’re finished. You can even set your browser to automatically clear your history and cookies every time you close it.
Also important: never agree to let your browser store your passwords for auto-fill. You’ll have to log in fresh each time you re-open the browser, but your online information will be much more secure. “Make these steps part of your regular practice,” Thomson says. “Then it’s not a matter of whether you’ll be the victim of identity theft, but whether you’re able to stop it before it happens.”