| Indicators | Legitimate | Phishing |
|---|---|---|
| Greetings | normally personalized | may have a strange greeting or not be personalized |
| Spelling | normally does not contain spelling mistakes | may contain spelling mistakes |
| Urgency | gives you time to think about the offer | uses upsetting or exciting statements to provoke an impulsive, immediate reaction |
| Embedded/Hidden Link | no deception | the visible link appears legitimate, but the actual destination may be fraudulent |
| Personal Information Request | information is normally not requested | may be requested, or the message may lead to a fraudulent site that requests it |
| Sender | e-mail address is consistent with the identity/country of the sender | e-mail address may be inconsistent with, or spoofed to imitate, the identity/country of the sender |
| Corporate E-mail Use | legitimate organizations avoid asking clients for personal information by e-mail | uses a legitimate organization's name and reputation to contact a large number of consumers |
| Text | not likely to contain incomprehensible text | may contain disguised random text |
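The Sender and Embedded/Hidden Link rows of the table above can be checked mechanically. The following is an added example, not code from the RCMP guide: it parses a constructed message with Python's standard library and reports a sender address that does not belong to the domain of the organization named in the display name, and any link whose visible text names one host while its href points at another. The two messages, every domain in them (all under the reserved .example TLD) and the two-label rule used for the registrable domain are assumptions made for this illustration.

```python
"""Mechanical checks for two rows of the indicator table above: a sender
address inconsistent with the identity claimed in the display name, and a
visible link whose real destination differs from the text shown.

Added example; not code from the RCMP guide.  Both messages below are
constructed; every domain in them sits under the reserved .example TLD."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing message: wrong sender domain, link text that does
# not match the href.
PHISHING_MESSAGE = """\
From: "Example Bank Security" <alerts@mail-examplebank.example>
To: customer@mailbox.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Please sign in at <a href="http://www.examplebank.example.login-verify.example/">
https://www.examplebank.example/login</a> to confirm your details.</p>
</body></html>
"""

# Constructed legitimate message for comparison.
LEGITIMATE_MESSAGE = """\
From: "Example Bank" <notices@examplebank.example>
To: customer@mailbox.example
Subject: Your March statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Ms. Tremblay, your statement is available at
<a href="https://www.examplebank.example/statements">our statements page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host: enough for the one-label TLDs used here."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text):
    """Host part of a URL; a bare host such as www.examplebank.example also works."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def phishing_indicators(raw_message, expected_domain):
    """Return warnings for the Sender and Embedded/Hidden Link indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    sender = msg["from"].addresses[0]
    if registrable(sender.domain) != expected_domain:
        warnings.append(f"sender {sender.addr_spec} is not under {expected_domain} "
                        f"although the display name says {sender.display_name!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Only link text that itself looks like an address can mislead
            # about the destination; descriptive text ("our statements page") cannot.
            looks_like_address = "." in text and " " not in text
            if looks_like_address and registrable(host_of(text)) != registrable(host_of(href)):
                warnings.append(f"link shows {host_of(text)} but goes to {host_of(href)}")
    return warnings


if __name__ == "__main__":
    print(phishing_indicators(PHISHING_MESSAGE, "examplebank.example"))
    print(phishing_indicators(LEGITIMATE_MESSAGE, "examplebank.example"))
```

Run as a script it prints two warnings for the phishing message and an empty list for the legitimate one. A sender check of this kind catches only the crude spoof (a different domain); a forged From header that copies the real domain exactly needs SPF/DKIM validation, which this example does not attempt.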
Table 1.2: Comparison Between a Legitimate and Phishing Site

| Indicators | Legitimate | Phishing |
|---|---|---|
| Secure Site Markers | https:// in the address bar and a padlock icon in the status bar | may have discrepancies or no security markers at all; note that a padlock only shows the connection is encrypted, not that the site belongs to the organization you expect |
| Functionality | fully functional | may not be fully functional, or may link to some of the legitimate site's functionality |
| Request for Personal Information | will not request information it already has | will request personal information |
| Domain Name | will use and display the correct domain name | address bar or status bar may be spoofed, may contain a similar-looking domain name, or there may be no status bar at all |
| Error in Browser Status Bar | normally will not contain errors | may contain errors while loading the Web page |
| Login | will only be accessible with a valid password | a bogus user ID and password may work |
The Internet is structured around a numeric protocol called IP, for Internet Protocol. The version in common use, IP version 4, writes an address as four numbers from 0 to 255 separated by periods. For example, 198.103.98.139 is the IP address of the RCMP Web site. That is simply harder to remember than a domain name like “rcmp.ca”. Criminals have become very clever at creating domains that sound and look like the real thing, and these can be difficult to notice unless you know how to read them. This section shows you how to read domain names.
Domain names are read from right to left. Consider the domain name (shown in red in Figure 2) in the following Web address: http://www.rcmp.gc.ca/help/a-to-z_e.htm
Figure 2: Complete Breakdown of a Web Site Address
This address tells your browser to fetch, using the HTTP protocol (http://), the Web page a-to-z_e.htm found under the /help/ path on the rcmp.gc.ca domain. The www that follows the protocol identifier is a machine name, not part of the domain name. Your browser sends the domain name to a special server, a DNS server, which checks whether the top, second and third level domains exist and returns the matching Internet address, in this case 198.103.98.139. Once you have identified the domain name, you can find out more about it with a “Whois site” (see Appendix 4): the registration may be incomplete, or inconsistent with the organization the site claims to belong to.

Your computer also has an IP address, and sites that you visit may record it. Your computer may therefore be providing clues about itself and your identity, and criminals can use this information to learn more about you and/or gain access to your computer. For the same reason, choose a non-descriptive e-mail address; using your name is a bad choice.
Phishing scams often use variations of the legitimate name to fool the user. Watch for changes in the position of periods and slashes, for special characters, and for small variations in the domain name. For example, replace the lowercase letter L (“l”) in www.ghijklmnop.com with the digit 1 and you are brought to the bogus site www.ghijk1mnop.com. Such a subtle variation goes unnoticed unless the user pays close attention to what is in the address bar.
Another variation inserts an extra domain level. Because domain names are read from right to left, the extra level shifts the position of every level that follows it, and the user is taken to a different site than expected. Taking the first example, adding .ca before the real domain's .com gives www.ghijklmnop.ca.com: the registered domain is now ca.com, and ghijklmnop is merely a name under it, so this is a completely different site.
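Putting the reading rule and the two tricks above into code, as an added example that is not part of the RCMP guide: the first function reads a Web address from right to left to separate the machine name from the registered domain, and the second compares that domain with the one the user expects, flagging look-alike characters and an inserted domain level. The public-suffix list and the look-alike table are small constructed subsets assumed for the illustration; a real check would load the full Public Suffix List.

```python
"""Read a Web address the way the guide describes (protocol, machine name,
domain levels right to left, path and page) and flag the two tricks it
warns about: look-alike characters and an inserted domain level.

Added example; not code from the RCMP guide.  The suffix list and the
look-alike table are small constructed subsets for illustration."""
from urllib.parse import urlsplit

# Constructed: a few public suffixes.  A real check would load the full
# Public Suffix List; gc.ca is here because the guide's example domain,
# rcmp.gc.ca, registers under it.
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "gc.ca", "co.uk"}

# Constructed: look-alike characters and the letters they imitate.  The
# guide's own example is the digit 1 standing in for the letter l.
HOMOGLYPHS = {"1": "l", "0": "o", "5": "s", "rn": "m", "vv": "w"}


def split_address(url):
    """Return (protocol, machine name, registrable domain, path).

    The registrable domain is found by reading the host right to left:
    the longest matching public suffix plus the label before it."""
    if "://" not in url:           # allow a bare host such as www.rcmp.gc.ca
        url = "http://" + url
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    for n in (2, 1):               # two-label suffixes (gc.ca) before one-label (ca)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            domain = ".".join(labels[-(n + 1):])
            machine = ".".join(labels[:-(n + 1)])
            return parts.scheme, machine, domain, parts.path
    return parts.scheme, "", ".".join(labels), parts.path


def unmask(name):
    """Replace look-alike characters with the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name


def assess(url, expected_domain):
    """Compare the registrable domain in url with the domain the user expects.

    Returns a list of warnings; an empty list means an exact match."""
    _, machine, domain, _ = split_address(url)
    if domain == expected_domain:
        return []
    warnings = []
    if unmask(domain) == expected_domain:
        warnings.append(f"look-alike characters: {domain} imitates {expected_domain}")
    # Inserted level: the expected name survives, but only as a machine name
    # under somebody else's registrable domain (ghijklmnop.ca.com).
    if expected_domain.split(".")[0] in machine.split("."):
        warnings.append(f"inserted domain level: {expected_domain} is only a "
                        f"machine name under {domain}")
    if not warnings:
        warnings.append(f"different domain: {domain} is not {expected_domain}")
    return warnings


if __name__ == "__main__":
    print(split_address("http://www.rcmp.gc.ca/help/a-to-z_e.htm"))
    for candidate in ("www.ghijklmnop.com", "www.ghijk1mnop.com", "www.ghijklmnop.ca.com"):
        print(candidate, assess(candidate, "ghijklmnop.com"))
```

Run as a script it prints the breakdown of the guide's own address and one warning for each of the two bogus variants. The look-alike table deliberately covers only ASCII substitutions; internationalized domain names add a much larger set of confusable characters that a production check would have to handle separately.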
There is no foolproof method to validate a website, and there is always the possibility of a spyware infection on the user's computer or of DNS poisoning. Always watch for unusual patterns and discrepancies in the website's address or on its Web page. If you are suspicious about the website you are about to use, enter a random, bogus username and password combination: a site that accepts the false credentials is not the real one. Keep in mind that the test is one-sided; a phishing site can just as easily reject every login, so a rejected attempt does not prove the site is genuine.
Pharming, of which DNS poisoning is the best-known form, is very similar to phishing but involves no electronic message as bait. The scam works by deliberately corrupting the name resolution (DNS) that directs the user to the requested website, whether on a DNS server or on the user's own computer, so that the attacker can redirect a website's traffic from the legitimate site to a corrupt one. Even if the user types in the correct URL (Web address), the attacker can redirect the user, without their knowledge or consent, to a bogus site.
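One place this corruption can live is the hosts file on the user's own computer, which the operating system consults before asking any DNS server. The following added example (not from the RCMP guide) scans a constructed hosts file for public names pinned to an address, and compares a name whose correct address the user has recorded earlier, using the 198.103.98.139 the guide quotes for the RCMP site, against what the file says. The sample file, the expected-address table and the list of local names are constructed for the illustration.

```python
"""Check a hosts file for entries that redirect public names: the form of
pharming in which malicious code on the user's own computer corrupts name
resolution, so a correctly typed address still lands on a bogus site.

Added example; not code from the RCMP guide.  The hosts file text and the
expected-address table are constructed; 198.103.98.139 for www.rcmp.gc.ca is
the address the guide itself quotes, the other addresses are documentation
ranges."""
import ipaddress

# Names a clean hosts file may legitimately contain.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

# Constructed: names whose correct address the user recorded earlier.
EXPECTED = {"www.rcmp.gc.ca": {"198.103.98.139"}}

# Constructed sample hosts file with two hijacks planted in it.
HOSTS_SAMPLE = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost ip6-localhost
198.103.98.139  www.rcmp.gc.ca          # same address the guide quotes: fine
203.0.113.7     www.rcmp.gc.ca          # pharming: RCMP name pinned to another host
203.0.113.7     online.mybank.example   # pharming: public name pinned to attacker host
127.0.0.1       ads.example             # blocking entry, not a redirection
"""


def parse_hosts(text):
    """Return (address, hostname, line number) for every mapping in text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # first field is not an address
        for name in fields[1:]:
            entries.append((addr, name.lower(), lineno))
    return entries


def suspicious_entries(text, expected=EXPECTED):
    """Return human-readable findings for mappings that redirect public names.

    A name with a recorded correct address is flagged when the hosts file
    gives a different one.  Any other non-local name is flagged when it is
    pointed at a routable address (loopback entries only block a name)."""
    findings = []
    for addr, name, lineno in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if name in expected:
            if str(addr) not in expected[name]:
                findings.append(f"line {lineno}: {name} -> {addr} "
                                f"(expected {', '.join(sorted(expected[name]))})")
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append(f"line {lineno}: {name} -> {addr} (public name redirected)")
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(HOSTS_SAMPLE):
        print(finding)
```

To run it against a real machine, read the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) and pass the text to suspicious_entries; the function never modifies the file. A clean file on a consumer machine normally contains only the local names, so any finding deserves a look.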
A consumer may come in contact with a prize pitch scam by e-mail, telephone or mail. The scam usually takes the form of a prize notification: the consumer is led to believe that, to receive or collect the prize, he or she must first pay a series of bogus taxes or fees. Another variation obliges the consumer to purchase a product or service in order to receive the prize. No taxes or fees have to be paid to receive a legitimate prize in Canada.
The recovery pitch scheme is a variation of the prize pitch scam. If you have been a victim of a prize pitch scheme, chances are you will receive a call from someone promising to retrieve your prize or money for a small cost. The caller will most likely pose as a police officer, a government revenue employee, a customs agent or an employee of a legitimate company.
Online auctions consist of a selection of items for sale that may be bought by bidding on the items. Online auction scams include such frauds as the misrepresentation of an item, non-delivery of goods and services, as well as non-payment for goods delivered.
Many consumers are scammed when dealing with online auction houses because they either do not follow, or are not aware of, the proper buying and selling procedures. Most online auction houses provide an online learning guide and security tips that cover, among other things, the proper online payment systems and precautions. These payment systems are designed to be secure; using them minimizes the risk of becoming a fraud victim and may also offer purchase protection.
Malicious software is designed to introduce unintended computer behaviour and comes in different forms: viruses, worms, trojan horse programs, spyware and adware. A computer can become infected by opening e-mail, by visiting a website, by using infected media or by downloading infected programs such as games. Malicious code may capture personal information from your computer or keyboard and transmit it to someone else.
Therefore, protect your computer by keeping your operating system and software packages up to date. Up-to-date protective software, such as anti-virus, firewall, anti-spyware and anti-adware tools, should also be used. Be aware that malicious code may come disguised as any type of computer file, and that even a fully protected machine can still contain vulnerabilities.
Any information travelling over the air can be intercepted. As a safe practice, avoid transmitting or storing personal information, in data or voice form, over the following channels:
In the past few years, the convenience of wireless networks (Wi-Fi) has made them enormously popular with consumers, and new products with built-in Wi-Fi capability keep appearing on the market. To avoid accidentally exposing your information:
Before starting a Wi-Fi session that asks you to log on, try an invalid user ID and password combination; do not use the hotspot if it lets you log on with invalid account information.
Table 2: Wireless Networks (Wi-Fi) Tips

| Practice | Tip |
|---|---|
| Using an open or unsecured hotspot. | Everything you send and receive is transmitted as a radio signal and can be monitored by anyone in range as well as by the owner of the hotspot. This includes personal information stored in your browser settings. |
| Using a secured access point or hotspot. | The administrator of the hotspot can still monitor your traffic, and on a hotspot that shares one password with all its users, so can other users who know that password; outsiders cannot. WEP is known to be broken; use WPA, or a later version such as WPA2 or WPA3 where your equipment supports it. |
| Using a secured session (an https:// online banking or eCommerce session, for example) on a secured hotspot. | It is always preferable to use a regular Internet connection for that purpose. If the hotspot is legitimate, your information is encrypted all the way from your computer to the secured site. |
| Use and configuration of a household Wi-Fi router/device. | Be aware that criminals may actively scan your neighborhood to gain entry in your |
False charities prey on a person's giving nature to scam them into making a donation. They often use stories that are heart-rending and patriotic, and may focus on recent catastrophic events. Bogus charities often have names that resemble legitimate charities, obtained by adding or changing a word in a legitimate charity's name. There are several things you can do to avoid becoming a victim of a false charity. First, be careful with incoming e-mails or calls, because they could be misrepresenting a legitimate charity. Also be cautious of similar-sounding charity names. If you have any doubts about the legitimacy of a site, independently visit the charity's official website or call the charity; do not use the Web address or telephone number that the charity in question supplies.
The 419/West African letter scams, also known as advance fee letter fraud, are letters sent to individuals or businesses requesting help with a foreign money transfer in exchange for a percentage of the amount transferred. These letters are sent by e-mail, mail or fax and emphasize that trust and honesty are important aspects of this confidential business transaction. Writers will most likely present themselves as a doctor, a major corporate representative (from the Nigerian National Petroleum Corporation, for instance), or as someone in the Nigerian or another African national government or military. The same scenarios can also apply to other foreign organizations and countries.
If a victim communicates with the writer by e-mail, mail or phone, they will usually be asked to cover various expenses up front, such as bribes, taxes, registration fees and attorney fees. This may continue over an extended period of time and be presented as a condition before the money transfer can be completed. Obviously, the victim never receives any money. Do not respond to these types of letters. Send a copy to PhoneBusters.
Advance fee loans are commonly advertised in the classified ads of newspapers, magazines and tabloids. These ads guarantee a loan regardless of the applicant's credit history, but the victim has to pay an upfront loan fee. Needless to say, the applicant never receives the loan and loses the upfront payment. Legitimate financial companies do not ask for an upfront payment; this practice is illegal in Canada and in the United States.
Do not agree to pay fees to obtain a loan. Do not believe promises of automatic loan acceptance, particularly if you have a poor credit rating or no credit history. If in doubt, consult experts at a known, legitimate financial institution. Promptly report suspicious activity to Recol.ca or PhoneBusters at 1 (888) 495-8501 and to the legitimate financial institution's security department.
Job Offer Scams
Be aware of job scams when searching for employment, including the risk of giving too much information to a prospective or new employer. Do not divulge your personal bank account, credit card number or the username/password of any online account. You do not need to provide your Social Insurance Number (SIN) when applying for a job; the employer will only need it once you are hired. Be cautious when applying for job postings found in the classifieds, in the newspaper, on a bulletin board or on the Internet that involve package forwarding, money transfers, wiring funds or well-paying telemarketing jobs. You may end up becoming involved in criminal activities. Report suspicious activities.
You lead an active lifestyle, constantly alternating between home, school and work. These activities put you in contact with a large number of individuals and organizations. This section deals with scams such as wallet theft, card skimming, counterfeit money, shoulder surfing, dumpster diving and eavesdropping.
Figure 3: Key Messages to Help Avoid Scams in a Public Setting Found in Different Environments
Theft or Loss of Personal Information and Documentation
Do not keep your life in your wallet. Never carry more documents or cards of a personal nature than you need. Store these documents and cards in a secure place such as a locked drawer, cabinet or safety deposit box. When documents containing personal and financial information must be thrown away, it is important to dispose of them properly; one of the most common ways is shredding.
Canada's bank notes are issued by the Bank of Canada. The Bank is responsible for replacing mutilated genuine bank notes, but it is not responsible for reimbursing victims of counterfeit notes, because it did not issue them. The best way to protect yourself from becoming a victim of counterfeiting is to make a habit of regularly checking bank notes.
There are several security features on Canadian bank notes that are reliable, easy and quick to use. The Bank of Canada suggests that to verify a bank note you should always feel it, tilt it, and look at and through it. For information on how to verify whether a bank note is legitimate, visit the Bank of Canada website, where you will find a detailed description and a picture of every security feature of every bank note.
In order to minimize the risk of possessing a counterfeit note, take time to verify most of these features. Verify more than one security feature during a transaction to see if the bank note is legitimate. It is a good habit to verify your notes, just as you check your change and your credit card receipts. You may ask the merchant to give you a different note if you are uncomfortable with the note you have received.
If you do come in contact with a counterfeit note or one that you suspect is counterfeit, stop the transaction and request another note. Keep the suspected counterfeit if possible but do not put yourself at risk. It is your obligation to turn the bank note over to the proper authorities such as local police or a bank teller if received through an automated teller machine (ATM) at the bank. You will be given a receipt but will not be reimbursed for your counterfeit bank note. But most importantly, you should not try to pass it off to someone knowing it is counterfeit. You could face criminal charges.
It is important to be cautious when filling out prize entry forms at malls, sports shows and conventions, because your personal information may later be used by third parties to contact you by telephone, spam or junk mail in order to lure you into giving them more personal information or to access your accounts. Some fraudulent organizations will even analyse the handwriting on the entry form to find potential victims for their scams.
The most common telephone threats come by fax, voice mail and incoming calls.
Figure 4: Key Messages to Help Avoid Telephone Scams Found in Different Environments
Telemarketing is used by legitimate businesses to advertise and sell their products and services over the telephone. Unfortunately, criminals also use the same telemarketing techniques to defraud people. You should therefore be cautious when receiving a telephone call stating that there is an amazing promotion or prize to be won.
Also be cautious of organizations that you do not know and do not be fooled by their extravagant promises. Remember, do not disclose any personal or financial information during an incoming call. Do not be afraid to say no and hang up. If you would like to report any suspicious phone calls, contact PhoneBusters at 1 (888) 495-8501.
Table 3: Comparison Between Legitimate and Fraudulent Mass Marketing

| Indicators | Legitimate | Fraud |
|---|---|---|
| Enthusiasm | May be very enthusiastic | The caller is more excited than you are |
| Friendliness | May act overly friendly | Wants to create a personal connection that can be leveraged later |
| Pressure | May use it as a legitimate technique to close the deal, but will not normally get verbally abusive | Wants to force you into providing what they want, and could get verbally abusive |
| Urgency | You have time to think about the offer | Will pressure you into deciding if you don't act now, and may demand an immediate answer |
| Willingness to provide full references | Normally not a problem; complete contact information is provided | May be reluctant, or willingly provides only limited information such as a telephone number |
| Mode of payment | Normally many options are available | Limited to courier or wire services |
| Price | Market value | Unreasonably low price with an unrealistic explanation |
| Benefits | Benefits or incentives are realistic, consistent with turning a profit | Unreasonably high incentives or benefits with unrealistic explanations; too good to be true |
| Credit offers | Normally based on your credit rating | May make offers regardless of your credit rating |
| Surveys | Your information is used for the intended purpose | Your information may be used for criminal purposes |
| Explanations | When challenged, normally provides clear explanations that make sense | Explanations are complicated, unclear and confusing |
| Social engineering | Could be used as a sales tool | May be used to gain a psychological advantage over the victim and trick them into providing personal information |
The 900 scams are similar to the prize pitch scams. Consumers usually receive an offer in the mail enticing them to call a 1-900 number to learn about the type or value of prize they have won. The problem is that the call usually lasts several minutes before the caller finds out that the prize is worth very little. Some 1-900 numbers advertise a free gift if you call, but you end up paying for the gift through the cost of the 1-900 call. Remember, 1-900 numbers have a per-minute rate. If you are concerned about a 1-900 number, contact PhoneBusters immediately.
Ads for jobs, advance fee loans, sweepstakes, lotteries and valuable merchandise can be found in newspapers, magazines, tabloids, classifieds and flyers or advertised on bulletin boards and posters. Some of these ads could be scams to obtain your personal and financial information or to just steal your money. Be cautious when responding to these printed ads. Keep in mind that ads that are published in a local newspaper, a popular magazine or posted on a bulletin board at school are not necessarily legitimate. You must take certain precautions such as researching the company’s credibility and calling the company to verify if they did publish the ad. You may fax the article to PhoneBusters at 1 (888) 654-9426.
Figure 5: Key Messages to Help Avoid Printed Material Scams Found in Different Environments
It is most likely that you have previously received mail advertising prizes, vacations and services. A large share of these solicitations may not be legitimate. They are variations or copies of scams such as the advance fee loan, the prize pitch, the West African scam and the false charity. These solicitations may come as postcards, certificates, unsolicited cheques, letters congratulating you on prizes or lotteries, free magazine subscriptions, credit card approvals and loan offers.
There are other mail threats that can be used to steal your information, such as mail theft, interception and redirection. Having a locked and secured mailbox is the first step to ensuring the safety of your mail and its contents. You should also only deposit mail in post office collection boxes or at your local post office. Being aware of your billing cycle and regularly checking your mail are good habits that help you notice if your mail is being intercepted or redirected.
Figure 6: Key Messages to Help Avoid Mail Scams Found in Different Environments
There is no guaranteed method to know whether you are being exposed to fraud. Read the following fourteen indicators and apply them to your daily life. Remember, a situation that raises one or several red flags is not automatically fraud. It only means that you should be careful, do your research and ask the right questions. If the answers you are given or your research do not lower all the flags, just opt out.
Indicators:
Phishing:
Disposal of personal computer:
Credit card skimming:
Dumpster diving:
Personal space intrusion:
Eavesdropping:
Shoulder surfing:
Telephone:
Fraudulent credit offer:
Job offering scam:
Internet wireless access:
Publicly accessible computers:
Online auction scam:
Advance fee loan:
Do not underestimate the importance of your personal information. A stolen identity is the key to your credit history and your money, and it may also be used for criminal purposes. It takes a lot of work, time and money to repair your credit and to recover your money, and it is not always possible to fix these problems completely. Use the tips in this guide to help avoid becoming an identity fraud victim. The importance of your own contribution to controlling personal information and protecting against scams is generally not sufficiently recognized.
In your circle of influence, you have the power to educate others. In your daily activities, take a few moments to transmit some of your newly acquired knowledge to your family, friends and colleagues, specifically, better practices when handling money, credit or debit cards in public situations or better online safety practices. The best way to minimize your risks of being a fraud victim is by getting informed on the new scams and fraudulent techniques and staying informed.
Law enforcement needs your support to find the criminals who use this information to their advantage. Report any scam information to:
Canadian Fraud Reporting
Consumer Awareness/Government
Counterfeit
Credit Bureaus
Domain Names
Identity Theft
Personal Banking Security
Phishing
Quizzes
Social Insurance Number (SIN)
Spam/Spyware
Terminology/Encyclopedia
Education/Awareness/Assistance
DNS:
DNS is short for Domain Name System, the Internet service that automatically locates and translates domain names into Internet Protocol addresses.
Domain Name:
A domain name is an easier to remember and meaningful equivalent for a numeric Internet Protocol (IP) address.
Fraud:
Dishonest deprivation of someone’s economic interest.
Fraudster:
One who commits the Fraud.
Identity Fraud:
RCMP definition. The unauthorized acquisition, possession or trafficking of personal information, or, the unauthorized use of personal information to create a fictitious identity or assume/takeover an existing identity, in order to obtain financial gain, goods or services or conceal criminal activities.
Internet Protocol (IP) address:
Unique number that devices use in order to identify and communicate with each other on a network utilizing the Internet Protocol standard.
Machine Name:
Arbitrary name assigned by system administrators to servers or to services within a server. The name “www” normally indicates a World Wide Web server, “mail” a mail server, “news” a newsgroup server and “signin” a controlled user access service.
Malicious Code/Malware ("malicious software"):
Program deliberately designed to capture/modify/damage data or change a computer behavior without the user’s explicit knowledge or intention. Malware includes Trojan horses, spyware, viruses and worms.
Personal Information:
For the purpose of this document, personal information refers to any element or combination of information that can normally be used to uniquely identify an individual in the delivery of goods and services, government services or law enforcement activities. Alternatively, it can be information that can be used to acquire additional information about someone.
Pharming:
Malicious code installed on a personal computer or server that misdirects users to fraudulent websites without their knowledge or consent.
Phishing:
Pronounced “fishing”. The use of social engineering in electronic messaging to provoke an immediate, impulsive reaction that leads individuals to visit fraudulent websites. The ultimate goal is to acquire personal or sensitive information.
PIN - Personal Identification Number:
A security code used to access personal data or accounts.
Protocol:
An industry or international standard consisting of a special set of rules designed to manage communications.
Social Engineering:
The practice of manipulating someone’s trust for the purpose of gaining some advantage.
Spam:
The practice of indiscriminately sending unsolicited, unwanted or inappropriate electronic messages in mass quantities.
Spoofing:
Modification of identification or authentication information to mislead the reader on the true identity of the originator.
URL:
Acronym for Uniform Resource Locator. Unique address for a file that is accessible on the Internet.
Content created: 2006-03-15