What is phishing?
Phishing is a popular way for fraudsters to compromise your government IDs and banking details by sending messages that appear to come from a trustworthy person or business. The fraudster tries to trick you into thinking the message is legitimate, so you’ll follow an embedded link or open an unsafe attachment. Often, this will result in malware compromising your computer or phone, or lead to your sensitive information being uploaded to fake websites.
Phishing is typically carried out using email or text messages (SMishing) but it’s also been used on social media platforms and instant messaging applications. Fraudsters will often impersonate friends, government officials, or brands you love, to steal money or personal information. Here are a few examples:
- Scams bait victims into providing their social insurance number by pretending to be the CRA (Canada Revenue Agency) emailing, or even calling, about an urgent problem with their taxes.
- Fraudulent emails that look like they’re from streaming and other online subscription services trick people into clicking on phony links to update payment information.
- Scams related to e-Transfers have become very common. Fraudsters create fake e-Transfer notifications from Interac to trick victims into following the e-Transfer pickup link. Unfortunately, this compromises their login and password information when they land on the fraudulent website to try and deposit the fake e-Transfer.
How to spot a phishing email
Phishing scams tend to use the same tactics over and over – because they work. Here are a few ways to spot a phishing email:
It asks for personal or account information
If the email asks you for your account login, password, payment information or personal details, it’s a scam. Real companies don’t do this.
It tells you to log in
Some phishing scams build a web page that looks real and then ask users to sign in using their banking credentials. For example, they’ll often say that they’ve noticed some suspicious activity or failed login attempts and ask you to log on to confirm your info. Real companies won’t email you to request that you log on to a site.
How to check if a website is legitimate:
Any site asking you for financial information should have a URL starting with “https” to indicate that it’s secure. There should also be a padlock icon in the address bar of secure sites. You can select the padlock to read the site’s security certificate details. A fake site won't have these details.
The details are close, but not quite right
Let’s say you get an email that looks real - it has the right logo and header - but there are a couple of things that still seem off. Maybe it has a different URL, telling you to go to a site called meridianonline.com instead of meridiancu.ca, for example. Pay attention to those red flags.
It warns that something bad will happen
Phishing scams often try to scare you into giving up information by saying that your account will be suspended or cancelled if you don’t do it. For example, they might say: “We’ve noticed some unusual activity on your account. Click the link below to login and confirm your credit card information. Failure to do so within 24 hours will lead to us suspending your account.” Big red flag. Real companies don’t do that.
It’s too good to be true
The same way that some phishing scams use threats, others will dangle a big reward. For example, they might send an email saying you’ve won their annual $1,000 sweepstakes, and all you have to do is click this link and enter your banking info so they can deposit your winnings. Another red flag. If it sounds too good to be true, it probably is.
They don’t know your name
When you get emails from your bank, or any company that has your personal info, they almost always address you by name. So if you get an email that starts with a generic greeting like “Dear Customer” instead of “Hello Jane,” it’s probably fake. Other generic greetings might include: Dear Sir/Madam, Attention account holder, Dear client, etc.
There are mistakes
Legitimate companies won’t send you an email full of spelling mistakes – they have professionals writing them. One typo? Sure. But an email full of mistakes is probably a scam.
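As an added example (not part of the original article), here are the red flags above expressed as checks over a plain-text email body, such as a mail-triage script might run. The trusted-domain list, phrase lists, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only domain the real sender uses (the one named in the article).
TRUSTED_DOMAINS = {"meridiancu.ca"}
# Phrase lists are illustrative, taken from the article's own examples.
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "attention account holder", "dear client")
URGENCY = ("suspend", "cancel", "unusual activity", "suspicious activity", "failed login")
ASKS_FOR = ("password", "credit card", "banking info", "social insurance number")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_is_trusted(host):
    """True only for a trusted domain or a real subdomain of it (label-boundary match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def red_flags(body):
    """Return the sorted names of the red flags found in a plain-text email body."""
    text, flags = body.lower(), set()
    for url in URL_RE.findall(body):
        try:
            parts = urlsplit(url)
            host = parts.hostname or ""
        except ValueError:  # malformed link: treat it as untrusted
            flags.add("untrusted-link-domain")
            continue
        if not host_is_trusted(host):
            flags.add("untrusted-link-domain")
        if parts.scheme.lower() != "https":
            flags.add("link-not-https")
    if text.lstrip().startswith(GENERIC_GREETINGS):
        flags.add("generic-greeting")
    if any(w in text for w in URGENCY):
        flags.add("threat-or-urgency")
    if any(w in text for w in ASKS_FOR):
        flags.add("asks-for-credentials")
    return sorted(flags)


# Constructed sample messages (not real emails). PHISH links over https, so only
# the domain check catches its link.
PHISH = (
    "Dear Customer,\nWe've noticed some unusual activity on your account. "
    "Click the link below to login and confirm your credit card information.\n"
    "https://meridianonline.com/login\n"
)
LOOKALIKE_SUBDOMAIN = "Hello Jane, your statement: https://meridiancu.ca.example.net/view"
GENUINE = "Hello Jane, your statement is ready at https://www.meridiancu.ca/statements"
```

Calling `red_flags(PHISH)` returns four flags, while `red_flags(GENUINE)` returns an empty list. The suffix match on a label boundary is what rejects hosts that merely begin with the trusted name.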
How to avoid phishing scams
Be careful with e-Transfers
This is a really common type of phishing scam, so it pays to be careful.
- Don’t click on any links in e-Transfer notifications from a sender you don’t recognize.
- If you receive a deposit or money request notification that you weren’t expecting, then trust your instincts if it seems off. Contact the sender through a different channel to check if the transfer or request is real.
- Consider using Interac e-Transfer Autodeposit. If you have Autodeposit set up, Interac e-Transfer transactions sent to your email address will automatically be deposited into your Meridian account, which allows you to bypass steps that require you to enter a password and/or an answer to a security question.
- If you get a notification that looks like a scam masquerading as an Interac e-Transfer, and it includes Meridian as one of the deposit options, please forward the email to onlinebankingsecurity@meridiancu.ca. Our security team will further investigate and work to shut it down.
Don't click, don't type
If you don’t trust an email or site, don’t engage.
- Don’t click on links in suspicious emails.
- Don’t provide personal or financial information over email or on sites you don’t trust.
- Check to see if the website links are for real companies by typing them into Google and checking for security certificate details.
Tighten security
There are lots of security features available to you that help prevent phishing. Take advantage of them.
- Protect your computer with security software and set it to update automatically.
- Protect your phone by setting software to update automatically.
- Set up your email account’s spam filters.
- Use any additional security features offered – like Touch ID, Face ID, passcodes sent by text message, and security questions.
What should you do if you receive a suspicious email claiming to be from Meridian?
At Meridian, we’re really serious about protecting our Members. We will never ask you for personal information in an email. If you get a suspicious email that looks like it’s from Meridian, follow these steps:
- Do not click on any links in the email or reply to it.
- Immediately forward the email to onlinebankingsecurity@meridiancu.ca.
- Delete the email once you’ve reported it.
If you suspect someone has cracked your password or if you suspect any loss, theft or unauthorized use of your account, contact Meridian immediately at 1-866-592-2226.
What should you do if you suspect you've fallen for a phishing scam?
If you suspect someone has cracked your password or if you suspect any loss, theft or unauthorized use of your account, contact Meridian immediately at 1-866-592-2226.
If you accidentally follow a link from a phishing scam and/or fill out personal information on the page it leads to, change your online banking password and contact Meridian.
If you just followed the link or opened an attachment in a phishing email, also get your devices (computer and/or phone) serviced by a trusted computer technician.
A version of this article was originally published on September 30, 2019.