Bank Fraud. We all know it happens. It’s never happened to me. Hopefully, it won’t. Hopefully, it hasn’t and won’t happen to you either. Below, you’ll find some tips to prevent it.

It happened to a friend of mine. This is a true story. He woke up and found his bank account was overdrawn. He went from having money and knowing how his bills were getting paid to having negative $250 and stressing about paying rent. As he started to unravel the trail, he discovered just how devious these criminals are. They had gained access to his online banking with Scotiabank. Then they sent an E-Transfer to someone already on his transfer recipient list (in this case, his roommate, to whom he had sent money for concert tickets). They sent all the money in his account, plus his overdraft, in an E-Transfer and gained access to the roommate’s email to accept the E-Transfer and send it to the criminal’s account. Poof! All of my friend’s money was gone.

He’s filed a fraud report with the bank and hopefully will get the money back. I doubt the criminal behind this will be caught though. And even if the money is returned, my friend is in for a very stressful time. All his day-to-day expenses are currently being put onto his emergency credit card. The longer it takes the bank to finish up their investigation and place the lost funds back in his account, the more debt he will incur and the more interest he’ll need to pay. He’s so stressed out about it, he can hardly concentrate at work.
Y-Not Tech Services can’t be sure how the criminal gained access to my friend’s account. But we have some guesses.
- Keylogger – A keylogger on the device used to log into the bank account would send the account number and password straight to the criminal. Perhaps a shared device also gave the criminal the roommate’s email password.
- A weak password – The criminal may have been able to guess the password used on the account or find it with a brute-force method.
- Using the same or similar password – It’s doubtful in this case that Scotiabank’s servers and files were compromised. However, if my friend used the same password for his banking as he used on other, less security-minded websites, and one of these was hacked, the criminal could simply apply that compromised password to the bank account.
- Easy Security Questions – Most accounts have security questions you can set up to regain access to your account if you forget the password. Questions like, “What was my mother’s maiden name?”, “What elementary school did I attend?”, or “What was my first pet’s name?” Do you know where I can find the answer to most of those questions? Your social media accounts.
- Poor Email Security – This is related to the others, but if a criminal gains access to just your email account, they can wreak havoc on your life. Not only can they see all the accounts you’ve signed up for, but some accounts will actually send your password in a welcome email in plain text. Now if you have a habit of using the same or similar passwords (the third item in this list), the criminal has a great starting point to reverse engineer the passwords to your other accounts, like your bank. Additionally, your bank and other accounts may offer to email you a link to reset your password, so if the criminal has access to your email, they will get the link.
- Social Engineering and Phishing – It’s possible my friend was the victim of a phishing attack, having entered his account details in a fraudulent site without realizing it.
Now let’s look at each of these possible attacks and examine how we might be able to avoid them.
- A good Anti-Virus/Anti-Malware should take care of any keylogger lurking on your computer. In Y-Not Tech Services’ experience and research, we’ve come to trust Emsisoft. You can get a FREE 30 Day Trial here.
- Coming up with and remembering good passwords can be a challenge. This is why so many people end up using simple passwords. Some of the most popular passwords out there include 1234, password and football. It’s important for us to use strong passwords. It’s a good idea to include both capital and lowercase letters, numbers and symbols in your password.
- OK, I’ve created a strong password. Let’s say it’s 3x@mP1e – I’ll just use this strong password on every site I visit! That’s not a good idea. If you do, all it takes is for one site to be compromised and have its user data stolen. Now the criminals behind the attack on the site could have both your email and the password you used. Then it’s just a matter of typing them into other sites and gaining access to your accounts. We should use a different password for different sites.
- We want to pick obscure questions when choosing our security questions. Don’t choose anything whose answer can be found on your social media profile. Even if you have locked down the privacy on your own social media account, criminals may gain access to your information through a friend whose account has been compromised.
- Keeping your email account safe mostly comes down to focusing on the other aspects we’ve mentioned. Use a strong, unique password for your email account. Choose your security questions carefully. If available, you might consider using two-factor authentication for your account. Change your password frequently and use good anti-malware software.
- To avoid Social Engineering attacks you need to familiarize yourself with the tactics attackers use. You can start with Y-not’s Internet Security Basics article. Once again, good security software will often detect and alert you to fraudulent sites.
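As an added example (not part of the original article, and not a Y-Not Tech Services tool), this Python script audits a list of site passwords for the three password problems described above: common passwords, missing character types, and the same or similar password used on more than one site. The function names, the substitution table and the sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The popular passwords named in the article.
COMMON = {"1234", "password", "football"}

# Character swaps people often use to make "variations" of one password (assumed table).
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def base_form(password):
    """Reduce a password to the root word that its variations share."""
    stripped = re.sub(r"[\d\W_]+$", "", password) or password  # drop trailing digits/symbols
    return re.sub(r"[^a-z0-9]", "", stripped.lower().translate(SWAPS))


def missing_classes(password):
    """Character types the article recommends that this password lacks."""
    checks = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
              "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}
    return [name for name, rx in checks.items() if not re.search(rx, password)]


def audit(accounts):
    """Return {site: [findings]} for a mapping of site -> password."""
    by_base = defaultdict(list)
    for site, pw in accounts.items():
        by_base[base_form(pw)].append(site)
    report = {}
    for site, pw in accounts.items():
        findings = []
        if pw.lower() in COMMON or base_form(pw) in COMMON:
            findings.append("common password")
        missing = missing_classes(pw)
        if missing:
            findings.append("missing: " + ", ".join(missing))
        others = sorted(s for s in by_base[base_form(pw)] if s != site)
        if others:
            findings.append("same or similar to: " + ", ".join(others))
        report[site] = findings
    return report


# Constructed sample data, not real credentials.
SAMPLE = {"bank": "Maple!Leaf2019", "email": "mapleleaf2020",
          "forum": "football", "shop": "kV9#tq2Lw!xR"}

if __name__ == "__main__":
    for site, findings in audit(SAMPLE).items():
        print(site, "->", findings or ["ok"])
```

In the sample, the bank and email passwords look different but reduce to the same root, which is the situation in which one leaked password gives a criminal a starting point for the others.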
I hope that these tips will help you avoid identity theft and fraud. I know that many of them, like using strong passwords and remembering many different ones, are inconvenient to stay on top of, but it can be compared to the inconvenience of locking your home’s door. It takes extra time and it’s annoying to unlock it while juggling 17 grocery bags, but you do it because burglary is all too common. It’s the same with our digital security. It might be annoying, but if we want to avoid financial loss and stress we should take the time to review our online security.
Why not let Tony help you audit your security measures?
UPDATE: About a month after this happened, the bank concluded their investigation. They determined that this wasn’t something they could prove was fraud (or something like that) and they aren’t able to return his money.
Contact us today to set up an appointment.