Security

Potential security risks for online accounts

Many investors access their accounts through the Internet. Although passwords are required, there are various methods that a perpetrator can use to get into your account and steal confidential information.

Two of the more common methods are called "phishing" and "keylogging."

What is phishing?

Phishing is a type of fraud that is designed to trick individuals into disclosing confidential information for the purpose of identity theft. Identity theft occurs when an individual's personal information, such as social insurance or driver's licence numbers, is stolen and used to impersonate the individual in order to commit fraud for financial gain. Phishing schemes often use fraudulent e-mail messages and websites that appear to be linked to legitimate organizations.

How do you know if you have been affected by phishing?

  • You receive an unsolicited e-mail appearing to be from a legitimate and reputable company.
    • The e-mail asks for personal information. For example, it asks you to update account information or informs you that you have received money.
    • The e-mail indicates a sense of urgency and a consequence associated with not replying. For example, you are asked to validate your account information in order to prevent it from being suspended or terminated.
  • You are asked to take action by following instructions that lead you to a website – this may be a fake website which appears valid. Often, the link and the web address of the fake website are very similar to a legitimate source.
  • You are asked to provide or update your personal and financial information by completing an online form or by responding to an e-mail directly. Valuable information such as account numbers, passwords, date of birth, driver's licence and social insurance numbers is typically requested.

In these situations, the information obtained by the perpetrator can be used to gain access to online accounts.

Helpful tips to avoid phishing schemes:

  • Do not open any e-mails from unknown sources.
  • Phishing schemes are designed to look real by using logos, trademarks or reproducing an entire web page to trick users into believing that it is genuine. Look closely at the e-mail or website for anything peculiar – logos that don't seem right or unusual language.
  • Look for misspelled words in either the message of the e-mail or in a hyperlink, if one is provided.
  • Avoid responding to an unexpected webpage or pop-up window that requests confidential information for a purpose that seems legitimate.
  • Never click on a link contained in an e-mail that you suspect may be fraudulent. This could take you to a fake website or initiate the installation of unwanted software onto your computer.
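  • If you do submit confidential or financial information online, always ensure you are using a secure website. Check the bottom right corner of your computer screen for a security symbol, i.e. a closed padlock. Another way is to ensure that the web address always starts with "https". These signs show only that the connection is encrypted, not that the website is genuine, so also check that the web address is the organization's own.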
  • Have a computer technician check to make sure the security implemented on your computer is adequate and up-to-date.
  • If you think your password has been compromised, change it immediately.

What is keylogging?

Keyloggers are programs that can record everything that people do on their computer. Keylogging software is used to steal information by capturing keystrokes, mouse clicks, opened and closed files and websites visited. It allows perpetrators to access an individual's password and other confidential data.

How it works

The following are some of the ways that keylogging software may get onto your computer:

  • Opening an e-mail attachment that contains the software.
  • Following a link, sent to you in a phishing scam, to a hoax website or blog which hosts the software.
  • Visiting websites that request you to download software to view certain pages.
  • Being infected by a computer virus. Some viruses, such as Mydoom.J and Bugbear.K, have built-in keylogging programs.

Tips to prevent keyloggers:

  • Use a firewall to prevent keylogging software from sending your details back to the intruder.
  • Make sure you have up-to-date anti-virus/malware software installed on your computer.
  • Do not blindly accept downloads from web pages under any circumstances.
  • Always open a new browser window and go directly to the homepage of a company to ensure you are downloading official products or updates.
  • Use an anti-spyware program to prevent all freeware and shareware downloads.
  • Do not use a public Internet kiosk to access confidential information. You will have no control over the security implemented on the terminal.

Sources: Canadian Bankers Association