S1-Episode 1: Don’t get caught! Protect yourself against phishing

Patricia Kosseim: Hello, I'm Patricia Kosseim, Ontario's Information and Privacy Commissioner, and you're listening to Info Matters, a podcast about people, privacy, and access to information. We dive into conversations with people from all walks of life and hear real stories about the access and privacy issues that matter most to them. Welcome everyone and thanks for tuning in. This is our very first episode, and I'm really excited to get started. Today, we're going to talk about phishing scams and how you can protect yourself so you don't take the bait. Now, you've probably heard about these in the news. For example, there was an incident not too long ago in Uxbridge, a town just north of Toronto, involving an elderly woman who went into a Shoppers Drug Mart to buy $3,000 worth of Google gift cards. She seemed a little scared, rather hesitant, all signs of a typical scam situation. In fact, gift cards are the preferred method of payment for many criminals because they can't be easily traced. The cashier noticed something wasn't quite right and started asking a few questions, and it turned out this customer had been targeted by criminals involved in the Canada Revenue Agency tax scam. Luckily, the employee convinced her not to make the purchase in this case, but unfortunately, not everyone can be so lucky. And these kinds of attacks are on the rise. Scams can be very convincing and their impact on victims devastating. My guest today for this first episode is Fred Carter. He's a senior policy and technology advisor with more than 20 years experience in the private and public sectors. He provides analysis and recommendations about privacy and security issues across the spectrum of technology, public policy, and law. His vast technical knowledge and sound advice, help inform our office's outreach and advocacy efforts. And I can tell you, we're very, very lucky to have him. Fred, welcome to our show. Fred Carter: Thank you commissioner. I'm delighted to join you today. PK: Let's get started with the basics. I can think of no one better than you to explain in very simple terms. We've heard terms like phishing, or spear phishing, or vishing, or now even the newest term, smishing. Can you try to shed some light on all of these terms and what they mean? FC: They're all forms of social engineering. That is to say, techniques of manipulating people to do things that are not in their own best interests. Phishing and vishing and smishing have three common characteristics. One is that they are an electronic communication. So phishing is a type of email. It's kind of like spam. Smishing is text messages. And vishing are voicemail messages, or sometimes we think of them as robocalls. Spear phishing is targeted phishing. It means it's aimed at particular people. The second characteristic is that they're deceptive or fraudulent. The person who is sending them is not who they claim to be. They're pretending to be someone else. That could be a financial institution, a delivery service, a vendor, your IT department, if you work in an employment situation. It could even come from a friend or family member or someone who claims to know you if they've taken over that person's account. So there's endless scenarios and the common denominator is that it's not who they claim to be. The third common characteristic is that these messages are trying to get you to do something that compromises your security. That could be replying with sensitive information like your credit card or a password, basically anything to keep the conversation going. It could get you to open an attachment that might have malware in it that infects your computer. A lot of times, these messages try to get you to click on a link. And that link goes to a fake site where you might enter in your login information thinking it's the real site, and now they've captured all of your login information and can go in and become you. They continue to work because we're human. And as I mentioned before, social engineering is a way of manipulating people. So when we think of phishing, we think of messages that exploit trust. You trust in authority or an expert or maybe a colleague or family member who sent you a message. We trust them so we do what they ask us to do, or maybe we're just busy and we don't pay attention. And we're really not paying attention and we click on that link or we respond. Or we want to be helpful and efficient, so we respond. Maybe we make a donation, or maybe we're curious. You get that text message and, "Did you get the money yet?" And, "What, what, what?" And so you click on that link because you're curious, but I think the biggest fear of all or the biggest motivation or the reason that phishing works is because we're fearful. Something bad is going to happen if you don't do something. You're going to lose your service and you really need to respond. And people really respond to that type of messaging, “urgent,” “do this right away.” And as a result, phishing, social engineering works and it compromises us. PK: Tell me, how common is this? We certainly hear about it on an awful lot, but in terms of stats or recent facts and figures, what can you tell us about how rampant it is, how much it's happening, and who's involved? FC: Well, precise statistics are hard to come by. We do know it's an epidemic and it's happening everywhere. There's an anti-phishing working group that tries to keep statistics and the statistics are up 600% in the last two years. It's very, very cheap to send text messages and emails. And a lot of them really get intercepted by webmail clients and never make it to your inbox. So it's really hard to be specific with the numbers. But because so many are sent, it doesn't take very many people to take the bait and get that bad things happen to them. This past year, it has gotten worse. The pandemic has made us all a little more vulnerable. We're all isolated. We're not seeing people face to face. We're using new and unfamiliar technologies and maybe we're unsure or anxious about health or financial or other concerns. And we are more vulnerable to being phished as it were. Now, phishing often leads to other kinds of fraud. And so the Canadian Anti-Fraud Centre does keep statistics. I think I have read that in scams, all in scams was almost $100 million lost in Canada to mass marketing fraud. But the problem is experts think that only 5% of these scams are actually reported. So it's likely to be much, much worse than we know. The problem is pretty big and the COVID-19 pandemic has made it worse because we are much more vulnerable to the kinds of tricks that these social engineers use to get us to click on those links and to open those attachments and install that software. PK: What I'm hearing then is whatever the statistics are, they're probably very likely to be under-reported. Interestingly, I also heard that Canadians are particularly vulnerable or particularly targeted more than other countries. Is that your understanding as well? FC: I've read that too. It's very surprising. Maybe we're just more trusting. Maybe we're more technologically connected. Maybe there are other reasons as well. For some reason, we seem to be more attractive as targets in Canada. PK: It must be our good nature, or our trusting nature, as you said. So really, I guess the question is why? Why do these bad guys want your information in the first place and what can they do with it? Or what do they do with it? FC: Well, the attackers may have many motives. I think the biggest one is they want your money and they want to get your credit card information and they want to buy stuff with it. Or they want you to transfer money to them like the lady who was buying them gift cards. Or maybe they want to steal your information, or maybe your bank account information or your login information and sell it. A valid credit card goes for a nice little price on the dark web. The dark web is the part of the web that you can't find on Google. The more serious types of crimes are when they use this information to impersonate you and to commit identity fraud, theft. They might use this information to change your address and divert your mail, or they might apply for a new identity documents, or they might take over your account and lock it out by changing the password and then asking you to pay money to unlock it. Or they can just threaten you and ask you to pay and pay and pay to stop the threats from happening. It's quite a spectrum of bad things can happen by clicking on a bad link. More and more, we're seeing them installing software on your computer or your mobile phone. And the software might record what you're doing or steal your information. It might spam everyone in your address book and send them a link because people will trust an email that comes from you. So it can be used to commit other types of similar phishing attacks. And in the worst case scenario, it can just lock up, encrypt everything on your computer and demand a ransom for them to open it up. I think maybe even the worst example is spear phishing because you're actually being targeted and you might be an executive in an organization that has the keys of the kingdom. You're the big fish. And there might be some additional motivations that would motivate an attacker to target you for other reasons that might not just be about money. In any case, phishing is often the first step in a more serious series of crimes. Phishing enables it to happen. There's lots of things that they can do that are not too good. PK: That's a good reminder that it's not just credit card information or your bank account number or other obvious financial related information that's vulnerable here. They can get their hands on any other forms of personal information. As you say, either to threaten us that they'll release it unless we pay them a handsome ransom, or interestingly, it's the gateway, like you said, to get to know you better so that they can actually get further information down the road. So as I like to remind my kids, not so young anymore, but they've heard this many times, even your date of birth or your email address or your phone number can be sensitive. So, that's a good reminder. Tell me, Fred, in your experience, how do the bad guys get your information? What are some of the typical scams that they use we should be watching out for? FC: Well, some of the most common ones are... Well, they'll tell you they've noticed the suspicious activity or login attempt. Well, you want to check it out. What? Why? Or they make claim there's a problem with your account or your payment information, "Click on this link to fix it." They might ask you to confirm some information, maybe eligibility for a government refund or a benefit. They might send a fake invoice. They might offer you a coupon for free stuff. COVID-related scams have been quite prominent in the last 10 months. We see a lot of things like free tests kits and masks and hand sanitizers. Just have to pay for shipping and you'll never get it, of course. Or they may want you to donate to a fictional charity. People are motivated to donate, "Just go right here and enter your personal information, your financial credit card." Maybe it's an unemployment insurance claim due to COVID-19. Just need to validate your information. Or maybe you're going to get free optimum points if you just click on this, or if you carry out this 30-second survey or that sort of thing. Scammers are incredibly inventive and they really go with the tide and take advantage of whatever is happening. There's a saying I've heard, "Don't let a good crisis go to waste." And in many respects, these scammers are doing exactly that. The things that are very important to us are the things that they're going to push on. Those are the buttons they're going to push and they want you to respond. It doesn't matter what it takes, but just want you to respond. Unfortunately, my parents and my spouse's parents are at the stage now where they really aren't using computers. It's very confusing and overwhelming for them, but they still managed to be exploited through voicemail and through telephone calls to do things that were not in their best interest. And yeah, then we have to go and change the passwords and change their credit cards and report it and help try to fix things for them and get them set straight because they've succumbed to this scam and they have no record of it. And they don't even know it even happened to them. So it's something that can happen to everyone from my mother, even to me, it's something we all have to be on guard for, I guess. PK: I'm thinking of my mother as you're speaking as well, and obviously concerned about the risks that she faces as well. If I were to give her a few pointers or a few simple things to look out for, are there some telltale signs of phishing attempts that she should avoid, or at least be attuned to to recognize and immediately delete? Or what are some that you can recommend or suggest to my mother, your mother, all mothers out there, or parents, especially elderly folks who are particularly vulnerable to these scams? FC: There are lots of these red flags, and sometimes you have to add them up, but there are a few that are really lethal than others. One is that the sender is not known to you. You've never heard from them. You weren't expecting to hear from them. And when you look at the email and you look at the name of the sender and you look at the underlying email, they're not the same. So an unexpected message or call is a real red flag. Someone who claims to know you and has reached out to you is probably the number one piece of advice I would give to anyone – is that that should get your guard up. You don't know the sender and you weren't expecting the message. When you look a little closer at the messages, you might notice spelling or grammar errors, a bad logo, it just doesn't look right. No company would send out a message that had such poor grammar or spelling. Sometimes I think my bank even tells you, "We will never send you an email." And so if you know that, or if you know CRA will never ask you for your password, you want to be aware of that because when you do get something from them, that should raise an alarm. An unknown attachment, don't open attachments unless you maybe have some expertise and understanding what it is you might be clicking on. Sometimes they're programs. Any mail that asks you to click on this link, don't click on that link. Maybe if it's them claiming to be the bank, maybe you can just contact the bank through a separate channel and not through the one that's in the email. And just generally urgent, urgent action required. It's urgent. That should also raise an alarm. You must do something soon. That should make you pause and think, "Do I really have to do this?" Our office has a fact sheet on phishing and it's targeted at institutions, but it has a lot of good advice for individuals and phishing can be very sophisticated. But I think the key is to be aware and vigilant and be very wary of unexpected messages from unknown senders, urging you to do something that you don't have time to think twice about. When in doubt, think before you click, I think is the mantra that we've always followed. PK: So to take a digital twist to an old adage, don't speak to strangers on the internet, I guess is the bottom line. What are some of the simple things you can do to protect yourself? Other than not falling for these phishing attempts or picking up on the signs, what other things can you do to protect yourself? FC: The good thing about email is that your email provider filters a lot of messages. And you wouldn't believe how many messages are sent spam and otherwise to you that are blocked before you ever see them. And quite often, those web mail providers or email providers will sometimes label those messages and say, "Warning." Pay attention to those warnings, suspected spam. It may put them in a special folder, warning, be aware of that. I guess to protect yourself from phishing, there are some things you can do. One is to protect your computer by using security software and make sure it updates automatically so that it always is up to date and can't be exploited by bad software. If you have a mobile phone, do the same thing. Set the software to update automatically so you don't have to worry about it. It's always up to date. Those are very, very powerful steps to protect yourself. I would add to that, it's very important to use different and unique passwords for different accounts. Don't use the same password for different accounts. And one of the reasons for this is that a very common attack is that once the spammers or the attackers get your password, they're going to try and use it on other sites. And if you use the same password, they're going to get in. And so a very simple thing is to make sure your passwords are always different from each other. And if that's a challenge, then you can use a password manager. And the really good thing is that modern browsers and cell phones, they have password managers built right in that will remember it for you. And they're good because they're free or inexpensive, and they're going to make sure your password is also complex and not guessable. And I think the really good thing is that if you go to a fake site, it's not going to enter your password in because your password manager will know it was a fake site. So use different passwords. And if you have to manage them, get some sort of a manager which has built in. The other thing is use strong passwords. Don't make them easily guessable. Don't use your... I think there's a joke that, "My account was hacked. I'm going to have to change my dog's name now." People use that. And then it's amazing people use password one, two, three, and that sort of thing, very easily guessable. I shouldn't say this. My mom uses her grandchildren as her passwords. And this is not a good idea, mom, but she can remember them. Some accounts, social media, or be your bank, sometimes they'll offer to send you a text message to your cell phone when you're trying to log in. That's a good thing to enable if you have a cell phone, because then if the attacker steals your username and password, they're not going to be able to get in because they're going to have to steal your phone as well. And so strong passwords are a really good idea. And lastly, I guess, protect your data and back it up because sooner or later you're going to get infected or your computer's going to crash and you're going to lose everything. And so that's something maybe the sons and daughters can help with to make a copy of the backup of the data, to make sure that if you click on a phishing link and you lose access to your computer, at least you won't lose all your data. So yeah, those are some good ideas. There's other things that are often offered, check that the sender is... You can always reply by another channel or don't respond. This only encourages them. They'll try to opt out of those messages. You could report messages to your ISP and your employer and your company and all that kind of stuff, but really take care of your computer and your mobile phone and make sure they're password protected and backed up and up to date on their software. And that'll go a long way to protecting you against the worst effects of phishing or vishing or smishing. PK: All of those excellent pointers. Of course, you can do to prevent an attack, but seeing as we're all vulnerable to it and it can happen to anybody, are there things that people can do? They’ve fallen for a scam, are there things they can immediately do when they realize that they might have clicked on a link they shouldn't have? FC: Depending on the breach or depending what happened, stop all communications with the fraudster or scammers. Probably the first step, shut the computer down. Notify your financial institution and don't make any financial decisions until you've secured your accounts. Keep a record of everything because you might need it. Of your purchases, payments, and any records you have of the fraud or scam, keep a record of it because you might need it if you have to fix the problem and you have to demonstrate what happened, or to share that evidence. You can call Consumer Protection Ontario to find out if a complaint has been filed about the business or the Canadian Anti-Fraud Centre has a number where you can report or forward the fraudulent email. You're going to want to notify the financial institutions and any other company that you have an account that might be affected. Changing your passwords are going to be a number one priority before they're used. And I guess if your device is infected or your computer or your laptop or your tablet, the one that was used to communicate with the scammer, take it to a professional and have it checked out. They'll make sure the software is up to date. They'll make sure that you have anti-spyware protection installed, and they can scan the hard drive and files to make sure that there's no residual results or nothing left on the computer that can betray you later. If things get really bad, you can put an alert on your credit report. And if you really have to, you may have to even apply for a new replace identity cards if a scammer has stolen your identity and changed your driver's license in your name and redirected your mail, you're in big trouble. So you have to really pay close attention. And what you might do in the event of succumbing to one of these scams will depend a little bit on the kind of scam there is. I mean, the good news is that sometimes your credit card charges can be reversed and some good things can happen. But generally speaking, keep really good records, notify the right people, go get your device checked out by a professional and change your passwords. PK: All of this is very alarming as it should be because this is serious stuff. I don't want everyone thinking the sky is falling. There certainly are some reassuring things that they'd like to hear from you, Fred. What would you leave as some partying thoughts on this topic? FC: Well, take comfort that it is becoming more and more a legal obligation for organizations to report these breaches to privacy commissioners and to other authorities. And that gives you an advantage to be able to do something about it. And now that whole idea has caught on, and I believe it's a requirement under the federal privacy law that governs private sector. So, this requirement to notify breaches brings in regulators and others. You're not alone, when a breach occurs, in fighting for yourself and defending yourself. You have help. And I think that's a really comforting thing in that you're not alone and there's anti-fraud centers and the RCMP, and there's many good sources to turn to for support and for help. Certainly, awareness and prevention are really key. I think that is something that comes out very clear across the literature that we are kind of the weakest link in all of this. If we can simply stop and think and be aware of the kinds of things that can happen, a lot of these problems can be stopped before they even begin. Yeah, we have some good resources as well I think on our site and on the Anti-Fraud Center site and RCMP site and lots of other... I think there may be some links in the show notes, but it's really worth checking them out. There's some good advice there and good support as well. And I do want to mention, to reiterate, what I said earlier that a lot of times financial institutions will sometimes reimburse you for these fraudulent charges. So you don't have to bear all of the costs yourself if you're a victim. That's at least a little bit cause for hope. PK: That was great, Fred, thank you so much for taking the time to speak with me today. It's always so educational when I hear you talk about these things. I know that behind the scenes you've been responsible for drafting many of the tips that we've produced, given your excellent ability to explain very sophisticated concepts in very simple terms. And for that, I really, really thank you and I appreciate all that you do. If you haven't caught all the details, I would encourage you to look at the show notes for this episode, or to learn more about phishing or other privacy and access topics by visiting our website at ipc.on.ca. You can also contact our office for assistance and general information about Ontario's access and privacy laws. And for all the listeners out there, I hope you found this episode as helpful as I have. And thank you once again, Fred, and that's a wrap on our first episode. Thank you everyone, and until next time. I'm Patricia Kosseim, Ontario's Information and Privacy Commissioner, and this has been Info Matters. If you enjoyed the podcast, leave us a rating or review. If there's an access or privacy topic you'd like us to explore on a future episode, we'd love to hear from you. Send us a tweet @IPCinfoprivacy or email us at [email protected]. Thanks for listening and please join us again for more conversations about people, privacy, and access to information. If it matters to you, it matters to me.