How identity theft happens — and how to keep your accounts safe
With losses due to identity theft in Canada at an all-time high and internet scammers arming themselves with an increasingly sophisticated array of tricks and techniques, Canadians need to be vigilant and avoid becoming fraud victims.
The methods these fraudsters use have become more insidious and invasive over time. However, their goal is still largely the same: they want to know more about you so they can steal your identity, access your accounts and, eventually, take your money.
What is the best way to stay ahead of scammers? Keep informed.
“Client education is really the most important thing,” said Josh Shivaram, Tangerine’s Senior Manager of Fraud Governance and Operations. “If you have an awareness of the scams that exist, you will be in a far stronger position than someone who doesn’t know.”
With that in mind, here are a few of the most common methods fraudsters use to pry out your personal information and access your accounts, plus tips for staying ahead of them.
Social media
Your social media accounts are a buffet for a scammer hungry for information about you.
“Social media is the perfect spot for a collection of information,” Shivaram said.
Just think about all the identifying info you might have unwittingly offered up on your social media feed. Right off the top, many Facebook profiles feature our real names, birthdays and geolocation. Digging deeper into your posts, photos and comments could likely reveal names of family members, details about your employment and educational history, and insights into your interests.
All of that information could be used to bypass your security questions, crack your passwords, or create convincing phone scams relating to your family or work.
How to stay ahead:
✅ Boost your social media privacy settings.
✅ Scrub any sensitive personal information that may be there.
✅ Be skeptical of unsolicited friend requests.
“People say to never accept a friend request unless you really know the person, and that really is important,” Shivaram said. “Be cautious about what you’re posting and what information you’re providing in terms of who you are.”
Phishing, vishing and smishing
For many of us these days, it can feel like we’re wading through a never-ending swamp of scam texts, calls and emails.
Phishing is when cybercriminals pose as legitimate businesses in order to get your personal information. We need to be wary of legitimate-looking emails and texts with links to fraudulent facsimiles of the real websites of banks, government institutions and other trusted organizations. When you enter your account information and password on phony sites, you hand them directly to scammers.
Vishing refers to the same process of fraudulently impersonating reputable institutions and companies but doing so over the phone. And smishing is when the impersonation happens over a text message.
In all cases, fraudsters are getting more crafty, clever and convincing with their approaches.
“From a fraudster's perspective, there are very strong capabilities to spoof that never existed before,” Shivaram said.
“They can spoof the number that’s calling the client, so that it looks very much legitimate, or they can perfectly spoof or emulate a real website for its look and feel.”
Apart from a web address that might be slightly different from the legitimate one – perhaps with an extra letter or with the letter I replaced by an L – it can be hard to tell a spoofed site from the real one.
Although these types of scams can affect anyone, the rise of senior spear phishing — targeted attacks on older Canadians — means older people may need to exercise a higher degree of caution.
How to stay ahead:
✅ Trust your instincts if a call, text or email appears suspicious.
✅ Confirm that websites you visit are trustworthy, especially if you are providing any personal data, such as a password or credit card number.
✅ Ensure you have the most up-to-date security software on your computers.
✅ Set your mobile devices to update automatically.
✅ Protect your accounts using multi-factor authentication, or authentication that requires biometrics such as Face ID or a fingerprint.
❌ Avoid public Wi-Fi.
❌ Don't click on unsolicited links.
Bank impersonations
A particularly prevalent type of scam, bank impersonations are “fairly widespread and transcend age demographics,” Shivaram said.
Often fraudsters trick their victims into thinking they're real representatives of the bank by supplying personal information that might be available online. They might even share the first four or eight digits of your debit or credit card number. This is known as a Bank Identification Number or BIN, and it connects your card with the financial institution that issued it. Anyone can look up a BIN online, but to someone receiving what seems like a legitimate call from their bank, that piece of information could seem like enough to establish trust.
These scammers even have strategies to try to breach the extra protection of multi-factor authentication.
Once the scammers have you on the phone, and have already used spoofing or other trickery to gain access to your account, two-step authentication is their final hurdle. So the scammer might say that they need to confirm your identity by emailing you a code, then ask you to read it back to them. What's actually happening is that they're trying to log into your account, which triggers an email from your bank with a temporary, one-time passcode. Once you share that passcode, they can use it to change the email address associated with your account and gain full access.
How to stay ahead:
✅ Be skeptical of unsolicited requests for account verification.
✅ Always protect your personal information using strong passwords and two-step authentication.
❌ Never give out your passwords, including temporary passwords used in two-step authentication.
Staying safe and secure
There are plenty of practical steps you can take to try to protect yourself against identity theft.
When you get a call claiming to be from your bank or another trusted institution, look up the number on the back of your bank card and call back. Never disclose your PIN to anyone for any reason (real banks will not call and ask for this information). Shivaram also recommends using biometrics whenever possible — using your face, fingerprint, or voice print to verify your identity — for an added layer of security.
And most importantly, stay continuously informed and aware.
“Try to access your accounts regularly, checking and reading any notifications from your bank — we send them out when certain changes are made to your Accounts or profile information,” Shivaram said. “If you see any activity that you feel might not be your own, that’s certainly a trigger to call us.”