Learn how fraudsters have targeted the CRA and other organizations during the pandemic, and how to protect yourself online.
While cyberattacks are as old as the Internet itself, they’ve been particularly prevalent during COVID-19 as criminals seek to take advantage of people’s vulnerabilities.
The Canada Revenue Agency, for example, was the target of a series of attacks in August that compromised the personal information of thousands of Canadians. The fraudsters specifically targeted CRA and GCKey accounts. (GCKey is an online portal that allows Canadians to access government services such as employment insurance).
The timing of these attacks shouldn’t come as a surprise. Millions of Canadians are using CRA’s website to apply for and access COVID-19 emergency benefits such as the Canada Emergency Response Benefit (CERB) and Canada Emergency Student Benefit (CESB). The breaches have since been contained, but not before 11,200 CRA and GCKey accounts were affected — and fraudsters were able to redirect emergency benefits to themselves.
To put this in perspective, the Canadian Anti-Fraud Centre, which collects information on fraud and identity theft, received 2,770 reports of COVID-related fraud between March 6 and July 31, for a total loss of $5.5 million. As reported by the CBC, the centre has also identified more than 700 cases of identity theft linked to CERB.
Great unrest, fear and anxiety are ideal conditions for fraudsters to take advantage of people’s vulnerabilities through social engineering attacks. These devious schemes can trick victims into giving away personal credentials such as passwords, or clicking on a link that installs malware.
A phishing attack (a type of social engineering attack) could come in the form of an official-looking email, such as a bogus health-related announcement from the Centers for Disease Control (CDC), World Health Organization (WHO) or Health Canada. It might even look like it comes from a government agency (related to a CERB payment from the “CRA”) or a person’s workplace (with a link to the company’s updated infectious disease policies from the “HR department”).
The Canadian Anti-Fraud Centre has a comprehensive listing of COVID-related scams, which includes fraudulent third-party companies offering to help fill out CERB applications, or criminals stealing identities to sign up for CERB payments. There are also fraudulent charities requesting money for supposed COVID-19 patients or research.
Also preying on people’s fears are malicious sites related to the coronavirus, some touting “cures” for COVID-19 or bogus medical advice, and encouraging users to click on a malicious link. A common scam earlier in the pandemic was an email with a link to a coronavirus map. This interactive map would come from a legitimate source, like John Hopkins University, but users would click on the map and be redirected to a malicious site.
Bank-related scams and fraud
Kat Attwell, Corporate Risk Officer with ACU, has noticed an increase in online job scams targeting young people who are out of work. When they apply for a bogus job, the fraudster sends them a cheque to deposit remotely. Then, when the cheque bounces, the account holder is responsible for the missing deposit.
Because of the job losses during COVID-19, people are more susceptible to it,” Kat explains. “But there’s no such thing as easy money. If you’re applying for a job, go directly to the source.”
Another issue relates to e-transfers. “Interception has been on the rise with e-transfers,” she continues. That means a fraudster accesses the e-transfer while it’s in transit, so it never reaches the intended party. “And once the money is gone, it’s gone,” Kat cautions. “A strong password and strong security question should prevent that from happening.”
How to protect yourself from cyberattacks during COVID-19, and beyond
Once you’ve fallen victim to a cyberattack, it’s likely you’ll continue to be a target, according to Kat. Here’s how to protect yourself from COVID-related cyberattacks now and in the future:
- Avoid public Wi-Fi for banking. “If it’s free, anyone can hack into it, so do your online banking at home or on a device that you know is safe,” she explains. You may want to go the extra step to install anti-malware software and anti-phishing filters on your devices.
- Treat email and texts from unknown senders — or those who don’t normally communicate with you via email or text, like the CEO of your company — with skepticism. “CRA never texts you,” Kat notes. And if there are spelling or grammatical errors in the email, it’s most likely fraudulent. (Also check the URL, as this can be a big indication of a ‘phishy’ message.)
- Don’t click on links or attachments in suspicious emails, and don’t donate to charities via a link in an email. If you get an email saying your account with CRA has been compromised, call CRA directly. “Never use the number that was given in the email, and never click on the link — always go to the source,” she cautions further.
- Only use trusted sources for COVID-related information, such as the World Health Organization, Public Health Agency of Canada or the Government of Canada’s CERB resources.
- If you’re unsure about something, speak with one of the ACU branch staff who are trained to spot scams and fraudulent activity.
- If you do fall victim to a scam or cyberattack, report the incident to your ACU branch and local law enforcement. Contact the Canadian Anti-Fraud Centre (1-888-495-8501) and change any usernames, passwords or PINs that may have been compromised.
During this uncertain time, there will be some who try to take advantage of others. While it’s not fun to feel on the lookout all the time, it’s important to be aware of the potential risks and ways to stay a step ahead of fraudsters.
Learning to spot would-be fraud now can save you time, money and headaches in the future.
If you need help protecting your accounts or discussing any issues, set up a time to speak with your ACU financial advisor today. We’re here to help.