In response to COVID-19's disruptive impact on the economy, Canada has announced a comprehensive package of aid measures directing billions of dollars to Canadians who are struggling as a result of the pandemic. More than ever, Canadians are vulnerable and many are eager to take advantage of the aid the Canadian government has promised. Sensing this combination of vulnerability and urgency among Canadians, cybercriminals have quickly devised scams intended to take advantage of Canadians looking for help.
On or around March 25, 2020, some Canadians began receiving text messages purporting to be sent from the Federal Government. The messages stated that Canada had sent a deposit to the recipient of the message in connection with Canada's emergency aid measures. The Canadian Broadcasting Corporation ("CBC") reported the message was labeled an "Alert" indicating, "The emergency response benefit of Canada relief fund has sent you a deposit for $1375.50". The message provided a legitimate-looking URL and warned that "data rates may apply". CBC further reported that the destination website was branded to resemble a Government of Canada page and asked for personal information – including banking information – purportedly required to accept the deposit. By all accounts, the fake website was a convincing one and there is significant risk that those not alert to the dangers posed by malicious cybercriminals may fall victim to the scam.
There are a few easy steps you can take to help protect yourself and others from malicious cybercriminals trying to prey on the vulnerable.
Verify sources of information.
Fraudsters tend to rely on individuals they target taking the path of least resistance and clicking on whatever links they are provided. For this reason, when receiving information via text message, email or any other means, it is important to verify that the information is coming from an official source. In the scam described above, this would mean following up on the text message by visiting the Government of Canada's official website – not by following the link in the text message, but by using Canada's official URL or using a trusted search engine like Google or Bing to find official resources. Sometimes, especially in the email context, a fraudulent message will contain a link that looks exactly like an official URL. This is possible because text in email, regardless of what it says, can be linked to any page on the Internet. For example, text of a URL given in an email may read "canada.ca", but may actually direct to a fraudulent website. To combat this, the text of the URL can be copied from the email and pasted into a web browser's address bar, which will bypass the hidden link to the fraudulent website.
Approach requests for information with caution.
It is unusual for the Federal Government, or most other large organizations, to request information – particularly sensitive personal information – directly from an individual in an email or text message without requiring login to a pre-existing account, or registration of an account. For instance, for direct communications the Canada Revenue Agency ("CRA") communicates with individuals by (1) emailing the individual an alert that a message has been posted to their account, and (2) inviting the individual to login to their existing CRA account to view the contents of the message. After that, any follow-up activity that is required can be conducted through the CRA account. With respect to registration for government accounts, there is often a process whereby an individual applies for an account online, and the Federal Government snail-mails a unique access code to activate the account before it can be used. Another important point with respect to information requests is to be weary of urgent requests for information. Fraudsters often try to communicate a sense of urgency in their information requests to prevent individuals from thinking too hard about why or by whom the information is being requested. This sense of urgency is difficult to combat in the COVID-19 context because for many people that sense of urgency is inherent in the prevailing context of the outbreak. Nevertheless, it remains critical to approach requests for information with caution and to take steps to verify that the party requesting information is who they say they are.
Talk to friends and family.
At the best of times, the risks of being defrauded by an SMS or other scam can seem distant, and unlikely to affect us. Some choose to dismiss the risk completely. Compounding the issue now is the COVID-19 outbreak, which demands considerable attention as we navigate the uncertain times it has ushered in. For these reasons, it is important to talk about the risks associated with SMS and other scams with friends and family, to spread general awareness and understanding of the impacts they can have and why they should be taken seriously.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
