Frauds and scams


Online fraud is significantly different from more traditional, terrestrial theft: what is being stolen is the potential for criminals to use your information for illegal gain. You haven't physically lost anything. Without appropriate preventative measures, however, you could lose a great deal.

In this section, we discuss several more common types of threat that specifically target the online financial services industry. We also recommend going to the RCMP's site for consumers at http://www.rcmp-grc.gc.ca/scams-fraudes/index-eng.htm

Phishing is the practice of sending a phony email requesting that you divulge personal information, such as bank account numbers or credit card information. Many of these emails appear authentic. The phishers will steal brand logos and language directly from the institution to insert in the email. The email will either request you fill in some personal information in a registration form on the email or direct you to a phony company website – which again can look very authentic. In either case, your personal information is stolen and used for fraudulent purposes.

Successful phishers rely on visual misdirection. An email that appears authentic may have multiple clues as to its real nature. If you are at all suspicious, contact the company who sent the email to verify that they did send the communication. Do not use the phone number contact from the email. Likely the number is also fake.

At Questrade, we encourage our clients to send any suspicious communication to our security team at [email protected]. We evaluate each email individually.

Also called DNS poisoning, domain spoofing or domain name hijacking, this is the practice of taking over a legitimate domain address. There are a number of methods hackers use for pharming. The results, however, are the same: a user types a legitimate domain name into a browser and are led to a phony site. How? One method is for a hacker to break into your computer via malware and change host file (IP) addresses. Another method is to manipulate the gap between a domain name (www.companynamehere.com) and its associated IP address (the string of numbers attached to the URL) at a DNS or proxy server. In both cases, you input the correct name, but the IP associated with that name has been altered by criminals.

The big difference between phishing and pharming is user involvement. With phishing, it is up to the user to click on the link leading to a fake site. If the link is not compelling or the user is suspicious, he or she will not follow the link. With pharming, the user has no control over the sites they visit. A perfectly legitimate domain name can be an illegal ISP.

There are several of steps you can take to protect yourself against pharming:

  • If you use a wireless router, ensure you change its default settings and administrative passwords. Factory settings are easily cracked. Remote administrative access is one of the characteristics of wireless routers and is an enormous vulnerability. Criminals can access your computer without ever being on site or on-line. This is called drive-by pharming.
  • Look for the S at the end of the HTTP address. On Questrade's site, for instance, the address for all secure areas begin with https to indicate it has SSL (Secure Sockets Layer). Also, the address bar in your browser will turn green; it has been verified by Verisign's latest technology, EV recognition. This indicates that it is safe to continue with any confidential transactions with Questrade.
  • If a security certificate warning pops up, do not ignore it. This is your browser warning you that there is something irregular about the certificate, such as forgery.

Any unwanted software that is downloaded onto a user's computer without consent is called spyware or malware (although initially distinct, spyware and malware have evolved to such a point that the two terms are pretty much interchangeable today). The software can perform any number of unapproved operations, including tracking your online surfing destinations, key logging (tracking keystrokes to extract personal information), infecting your hard-drive, and turning your computer into a re-sender of more spyware. Some types of malware include: viruses, worms, Trojan horses, and adware.

Sophisticated security packages that can detect, isolate, prevent and remove spyware and malware are readily available commercially. Because criminals are continually introducing new types of malware, security packages typically include regular updates. Remember to install these updates for your security system to operate at peak performance.