January 18, 2021: Spear phishing is one of the most common and most dangerous attack methods currently used to conduct fraud, usually on businesses and organizations. Fraudsters take their time to collect information on their intended targets, so they can send convincing emails seemingly from a trusted source.
- unsolicited emails
- direct contact from a senior official you are not normally in contact with
- requests for absolute confidentiality
- pressure or a sense of urgency
- unusual requests that do not follow internal procedures
- threats or unusual promises of reward
- Email and text, phone and fax
- Businesses, Individuals
Spear phishing scams involve scammers pretending to be from legitimate sources to convince businesses or individuals to send them money. These scams leverage existing relationships between the person receiving the email and the person sending it. The sender’s address appears to be the actual email address of the source they’re pretending to be, a tactic known as spoofing. Many variations have been reported to us, including:
Business executive spoofs
Gift card variation
When targeting a business, a scammer sends an employee an email that appears to come from the owner, the president or another high-ranking employee. The email claims the boss is working offsite and needs help to buy gift cards for employee rewards or birthday gifts.
When targeting an individual, a scammer sends an email from a compromised and/or spoofed email account that appears to come from a known contact, such as a family member or friend. The email claims that the sender needs assistance to buy gift cards for birthday gifts or something else.
Wire transfer variation
In this variation, the email directs the employee to send an urgent, large wire transfer (e.g., more than $100,000) to a foreign account.
Financial industry client spoof
A scammer targets financial institutions, investment brokers and financial dealers with a spoofed email that appears to come from an existing client. The email directs the business to do an urgent wire transfer, usually to a foreign account.
Head office spoof
A scammer calls a franchise business and claims to be from the head office. They tell the employee who answers the phone that there are problems with one of the financial products offered, such as gift cards or money transfer services. They ask the employee to select some prepaid cards, activate them, and provide them to the scammer. The scammer may also ask them to conduct a series of money transfers.
A scammer sends an email that appears to come from an existing employee. They request a change to the employee’s direct deposit information. This tricks the company into depositing the employee’s paycheque into a fraudulent account.
A scammer targets businesses that have an existing relationship with a supplier, wholesaler or contractor. They send a spoofed email informing the business of a change in payment details. The email provides new banking information. It requests that the business make future payments to this “new” account.
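As an added defender-side example (not part of the original page), the following Python script screens an incoming message for the cues described above: a header From domain that does not match the envelope sender (the spoofing tactic mentioned earlier), failed SPF/DMARC results, and the urgency, confidentiality, gift card, wire transfer and payment-change cues from the variations. The sample message, its addresses and its Authentication-Results line are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample: an executive-spoof gift card request like the one described
# above. Addresses and the Authentication-Results line are made up for illustration.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Pat Chen, President" <pat.chen@example.com>
To: accounts@example.com
Subject: Quick favour - keep this between us
Content-Type: text/plain; charset=utf-8

I'm offsite all day and need your help urgently. Please buy 10 gift cards
for employee rewards and send me the codes. Keep this confidential for now.
"""

# Content cues taken from the warning signs and scam variations on this page.
CONTENT_CUES = {
    "urgency": r"\b(urgent(ly)?|right away|asap|immediately|today)\b",
    "confidentiality": r"\b(confidential|between us|don't tell|keep this quiet)\b",
    "gift_cards": r"\bgift cards?\b",
    "wire_transfer": r"\bwire transfer\b",
    "payment_change": r"\b(new bank|banking (details|information)|direct deposit)\b",
}


def analyse(raw):
    """Return a dict of spoofing and content indicators for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = {}
    from_hdr = msg["From"]
    from_addr = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    from_domain = from_addr.rsplit("@", 1)[-1]
    return_path = (msg["Return-Path"] or "").strip("<> ").lower()
    rp_domain = return_path.rsplit("@", 1)[-1] if return_path else ""
    # Header From and envelope sender on different domains is the classic display spoof.
    hits["sender_domain_mismatch"] = bool(rp_domain) and rp_domain != from_domain
    auth = (msg["Authentication-Results"] or "").lower()
    hits["dmarc_fail"] = "dmarc=fail" in auth
    hits["spf_fail"] = "spf=fail" in auth
    # Scan subject and plain-text body for the social-engineering cues.
    text = (msg["Subject"] or "") + "\n" + msg.get_body(preferencelist=("plain",)).get_content()
    for name, pattern in CONTENT_CUES.items():
        hits[name] = re.search(pattern, text, re.IGNORECASE) is not None
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits
```

A score of more than one or two on a message asking for money or a payment change is a strong signal to verify the request out of band with the supposed sender.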
Protect yourself from scams and fraud
Scammers can target any Canadian or Canadian business. Here are some tips and tricks to protect yourself or your business from scams and fraud.
Remember, if it seems too good to be true, it is.
Don’t be afraid to say no
Don’t be intimidated by high-pressure sales tactics. If a telemarketer tries to get you to buy something or to send them money right away:
- Request the information in writing
- Hang up
Watch out for urgent pleas that play on your emotions.
Do your research
Always verify that the organization you’re dealing with is legitimate before you take any other action:
- Verify Canadian charities with the Canada Revenue Agency
- Verify collection agencies with the appropriate provincial agency
- Look online for contact information for the company that supposedly called you, and call them to confirm
- Verify any calls with your credit card company by calling the phone number on the back of your credit card
If you’ve received a call or other contact from a family member in trouble, talk to other family members to confirm the situation.
Watch out for fake or deceptive ads, or spoofed emails. Always verify the company and its services are real before you contact them.
Don’t give out personal information
Beware of unsolicited calls where the caller asks you for personal information, such as:
- Your name
- Your address
- Your birthdate
- Your Social Insurance Number (SIN)
- Your credit card or banking information
If you didn’t initiate the call, you don’t know who you’re talking to.
Beware of upfront fees
Many scams ask you to pay fees in advance of receiving goods, services, or a prize. It’s illegal for a company to ask you to pay a fee upfront before they’ll give you a loan.
There are no prize fees or taxes in Canada. If you won it, it’s free.
Protect your computer
Watch out for urgent-looking messages that pop up while you’re browsing online. Don’t click on them or call the number they provide.
No legitimate company will call and claim your computer is infected with a virus.
Some websites, such as music, game, movie, and adult sites, may try to install viruses or malware without your knowledge. Watch out for emails with spelling and formatting errors, and be wary of clicking on any attachments or links. They may contain viruses or spyware.
Make sure you have anti-virus software installed and keep your operating system up to date.
Never give anyone remote access to your computer. If you are having problems with your system, bring it to a local technician.
Be careful who you share images with
Carefully consider who you’re sharing explicit videos and photographs with. Don’t perform any explicit acts online.
Disable your webcam or any other camera connected to the internet when you aren’t using it. Hackers can get remote access and record you.
Protect your online accounts
By taking the following steps, you can better protect your online accounts from fraud and data breaches:
- Create a strong password by:
  - Using a minimum of 8 characters including upper and lower case letters, and at least 1 number and a symbol
  - Creating unique passwords for every online account including social networks, emails, financial and other accounts
  - Using a combination of passphrases that are easy for you to remember but hard for others to guess
- Enable multi-factor authentication
- Only log into your accounts from trusted sources
- Don’t reveal personal information over social media
Learn more about securing your accounts by visiting Get Cyber Safe.
Know who you’re dealing with
Watch out for invoices using the name of legitimate companies. Scammers will use real company names like Yellow Pages to make the invoices seem authentic. Make sure you inspect invoices thoroughly before you make a payment.
Compile a list of companies your business uses to help employees know which contacts are real and which aren’t.
Don’t give out information on unsolicited calls
Educate employees at every level to be wary of unsolicited calls. If they didn’t initiate the call, they shouldn’t provide or confirm any information, including:
- The business’s address
- The business’s phone number
- Any account numbers
- Any information about equipment in the office (e.g., the make and model of the printer)
Limit your employees’ authority
Only allow a small number of staff to approve purchases and pay bills.
Watch for anomalies
- Larger than normal orders
- Multiple orders for the same product
- Orders made up of “big-ticket” items
These orders may be fraudulent.