Cyber security: spam, scams, frauds and identity theft
Spam, online scams and frauds, identity theft and issues related to online purchases are a serious issue in the online world. Navigating the Web while avoiding these threats can be a challenging task.
Spam refers to unsolicited bulk messages being sent through email, instant messaging, text messaging or other digital communication tools. It is generally used by advertisers because there are no operating costs beyond that of managing their mailing lists. It could also take place in chat rooms, in blogs and more recently within voice over internet conversation (such as Zoom). Beyond being a simple nuisance, spam can also be used to collect sensitive information from users and has also been used to spread viruses and other malware.
Online identity theft is the theft of personal information in order to commit fraud. This can happen through your email account but can also be a result of online purchases or other situations where you give out sensitive information such as your credit card information.
A related concern is identity spoofing, in which the victim is impersonated on social networking sites such as Instagram or Twitter. Identity spoofing may also involve spoofing someone’s Internet Protocol (IP) address (the unique number associated to your computer as you surf the internet). The purpose of identity spoofing on social networking sites can range from a simple prank to more serious attacks aimed at shaming or hurting someone’s social networks. Internet Protocol spoofing is used by hackers to cover their tracks or to gain access to places normally closed to them.
Risks relating to online shopping can include overspending or receiving items that do not match their description once you have already paid for them (or not receiving any item at all). Scammers sometimes offer deals that are too good to be true, selling things that are counterfeit, stolen, damaged or that just don’t exist. Even a lot of legitimate online shopping sites have hidden costs that make what you’re buying more expensive than you thought it would be, like shipping and duty charges.
The best defenses to these online scams and frauds generally rely on caution and skepticism when using the internet. For example:
- You should only open email from trusted senders.
- Verify any request for your personal information online before responding. For example, no reputable financial institution will ever ask you for highly personal information via email. To find out if a request is legitimate, call your bank or navigate to their website (do not follow links in an email claiming to be from a bank or credit card company).
- Don’t give out personally identifiable information (your full name, your age, your address, your social insurance number, etc.) without a good reason.
- Turn any device that uses the internet to offline mode when they are not in use (most mobile devices have an “Airplane mode” that turns off their internet functions).
- You can also help to minimize your risk by visiting only trusted sites.
- If you see something you think might be a scam, report it to the Canadian Anti-Fraud Centre.
The sections that follow give more detail on these threats and more detailed security tips for each.
Email spam is often disguised in an attempt to fool any anti-spam software you may have installed. Spammers try to find ways to modify or conceal their messages to achieve this, such as putting spaces between letters or replacing key letters with numbers or characters so that spam filters will not be triggered. While your anti-spam software may not always be able to catch this, you should be able to identify it fairly easily. Spam may be used to bombard you with unsolicited messages, which may include inappropriate or offensive adult content. Spam may also contain malware or be part of a “phishing” scam (see the Online scams section below).
Instant Messaging (IM) or text message spam
Instant Messaging spam (IM spam) is similar to email spam. The main difference is that rather than focusing their efforts on bombarding your email inbox, spammers attempt to fool you on an instant messaging service such as Facebook Messenger, Apple’s iMessage, or as SMS text messages. While not as common as email spam, IM/SMS spam is more difficult to block out because no particular software exists specifically for spam received while using these services. A good way to avoid most of it is to create a closed list of friends from whom instant messages are accepted or to block numbers you do not recognize. Even then, it is always possible that a computer belonging to someone within your “safe” list could become infected, so any strange link you receive via IM/SMS should be verified before you click on it. If you click on the link, sometimes it will lead you to a webpage that has been made to look like the company it is claiming to be, but with slight differences, such as logos that are not hyperlinked back to main pages or slightly different fonts.
Spam is also often found in the comments s sections of online articles, as well as on social media platforms. These comments may simply be ads but can also include links leading to malicious or inappropriate websites. Most social networks, such as Instagram, warn that “scammers use these fake or compromised accounts to trick you into giving them money or personal information.” If you see a comment that you think is spam, report it to the platform.
Smart phone spam
It is possible to receive spam messages through email, text messages or even phone calls on your mobile phone. On top of the usual issues with spam, you may be charged for these unsolicited text messages or pay valuable minutes for the intrusive phone calls. It is important that you do not call back the number that has called you asking for information, even if it is from a source you recognize, as it could be a spammer or hacker pretending to be an institution. You should always call the company back on the number from their webpage that you personally find and dial.
Never reply to spam. Doing so only identifies your phone, email or IM account as active to the sender and guarantees you will get further unwanted messages. Rely on your better judgment: anything that looks like marketing or advertising or generally out of place usually isn’t worth your attention.
- The most effective way to defend against smart phone spam is to protect your email address and phone number. Avoid giving out your email address in a public forum or, if it is absolutely necessary to do so, write it in such a way that a person can read it but not a computer (for instance, write out the @ sign as “at” or the periods as “dot”). To prevent sales calls on your mobile phone, the strategy is very much the same: never give out your mobile number if you don’t have to.
- If you are receiving marketing calls on your mobile phone, you can add your number to the Do Not Call Registry (you can register your number by visiting https://www.lnnte-dncl.gc.ca/ or by calling 1-866-580-DNCL and you must renew every three years). Telemarketers are not allowed to call numbers on this list. The exceptions are charities registered in Canada, political parties and general-circulation newspapers. As well, telemarketers can call you if you have an “existing business relationship” with them: this is defined as having bought, leased or rented something from the telemarketer, having a written contract with the telemarketer that is still in effect or has expired less than eighteen months ago or having asked the telemarketer about a product or survey in the last six months.
Online auction fraud is common and one of the most complained-about online issues today. You can run into several different scams when shopping online. While making purchases on an online auction site such as eBay, for example, you could end up paying for stolen or counterfeit goods, or for goods that never arrive at all. In addition to this, sellers can place false bids on their own goods to drive their prices up or could include disproportionately large or hidden shipping and handling fees. A healthy dose of skepticism and caution is definitely required when shopping online. Some sellers, unfortunately, take advantage of the scarcity of popular products such as the Nintendo Switch to defraud buyers.
Email/IM phishing scam
The main goal of these scams is to obtain personally identifiable information or to get access to credit cards or bank accounts. Phishing (mentioned above) is when someone attempts to lure you into compromising your password information through emails (usually claiming to be from a bank) and Web pages that appear to be legitimate but are not the real thing.
Keep in mind that banks and other financial institutions never contact clients by email first. If you think there may be a problem with your bank account or credit card, call your bank or credit card company or go to their legitimate website (remember to confirm that the Web address starts with https, as in https:www.abank.ca).
There are a number of signs that can raise red flags about the legitimacy of emails that claim to be from a financial institution:
- They request your password or account number. Banks will never ask you to “confirm” these.
- They say you need to act immediately. These emails often try to prey on your fears by saying that your account will be closed if you don’t act right away.
- They make spelling or grammar mistakes.
- The link they want you to click has a long URL, often with a lot of meaningless numbers and letters. Banks actually keep their URLs as short as possible to help you remember them.
- They don’t look or feel quite right. Phishing URLs sometimes try to copy the logo or other visual elements of a bank or financial institution, but they often don’t get it quite right. Even if it looks right, don’t trust an email claiming to be from a financial institution if it fails any of these tests.
Scareware is the term used to refer to online “pop-up” alerts which claim to have detected a virus or other problem on your computer. These often claim to be from internet security companies or from law enforcement agencies. Clicking on one of these can have a variety of negative effects, from downloading malware onto your computer to exposing your personal information. In some cases, clicking on a scareware pop-up will simply freeze your computer, after which the scammers will try to extort money from you in exchange for unlocking it.
Scareware can generally be avoided by running a pop-up blocker. Most browsers allow you to determine whether or not you see pop-ups:
- In Edge, select Settings and more (the three dots), then Settings (the gear icon), Site Permissions and then Pop-ups and redirects. Switch the Block toggle to on.
- In Firefox, select the Firefox button (three horizontal lines) then Options, then Privacy and Security. Scroll down to Permissions and check the Block pop-up windows box.
- In Chrome, select More, then Settings. Under Privacy and Security, select Site Settings and then Pop-ups and redirects. Then turn on the Blocked (recommended) toggle switch.
- In Safari, select Preferences, then Security, then Block Pop-up Windows.
Running a reliable internet security program will also help keep you from receiving malicious pop-ups, as will some add-on programs such as AdAware and NoScript.
This scam, also known as the advance fee scam, starts with an email from someone who claims to need your help moving money out of another country. The catch is that you must provide some money up front, supposedly to cover a transfer fee, with the promise of receiving a small fortune when the task is complete. Victims of this fraud typically lose thousands of dollars.
Chain letter scams
Chain letter scams involve sending an email to a large list of contacts which prompts them to forward it to their own contacts and so on. In the email, you are asked to send a small amount of money to a certain number of contacts and to add your name to the contact list. This supposedly guarantees that in the end a large amount of money will come back your way. The problem with this is that it is a modern-day version of a pyramid scheme: only the original senders ever make any money. Chain letter scams of this nature are illegal in most countries, including Canada and the U.S.
Postal forwarding/reshipping scam
In this scam, you are asked, either through emails or online job postings, to receive and then reship goods for a foreign company. The goods that come your way, however, are usually stolen or acquired through credit card fraud, making you an accessory to the scammers’ crimes.
“Congratulations, you’ve won a PlayStation…” scam
This scam begins with an email telling you that you have won a popular gadget, such as a new gaming console, but to receive it, you have to submit your bank account or credit card information to cover shipping charges. Not only will you lose that money, but you may also have your bank account or credit card compromised. If you legitimately win a product, you will not be asked for any personal financial information or to pay for the shipping.
Gaming console threats
Because most gaming consoles today are able to connect to the internet, they are now susceptible to some of the security issues that are associated with computers. Hackers can gain access to gaming consoles and personal details through emails claiming that payment methods have not gone through and also by offering discounts through in game messaging. A third way that hackers gain access is by directly breaching the security of the game companies themselves. Supply chain hackers have also been known to sneak malware into the video games being inserted into devices, causing the malware to spread throughout the system and steal personal data.
- Most online scams and fraud rely on the greed or gullibility of users. Being cautious online will always payoff: almost all online scams and fraud can be avoided by following the principle that “If it seems too good to be true, it probably is.” This applies to any sweepstake, request for personal information or underpriced online merchandise.
- To determine if an online offer or request is legitimate, check it out on an anti-hoax site such as http://www.snopes.com/.
- An exception is phishing, which counts on people not knowing how to verify the validity of a website or email. Knowing that a Web address is fake will allow you to safely assume that any content contained on it is also illegitimate. You can check your Bookmarks or look up an institution on a search engine to find out its correct Web address.
- Financial institutions do not send emails relating to account information. If you are in doubt, call the financial institution the email claims to be from (using Google or a Canada 411 search, as opposed to phone numbers included in the email) and verify whether or not it is legitimate.
- Similarly, security companies and law enforcement agencies do not run scans on your computer without your permission, nor do they approach you through pop-ups.
- Most online commerce sites have tools to help you avoid auction fraud. Kijiji, for instance, provides a rating of each seller (found at the right of any item for sale) based on previous buyers’ experiences with that seller, while Amazon provides similar ratings about all third-party vendors.
- If you are a victim of any kind of fraud, it is important to report it to the Canadian Anti-Fraud Centre. This site directs reports of online fraud to the appropriate police agencies as well as collecting fraud reports to help fight online crime.
The internet provides innovative ways for people to steal personal information and to commit fraud. Thieves can obtain your information in several different ways, such as spreading viruses that install key loggers (programs which record everything you type) on your computer to discover your passwords, usernames and credit card numbers.
Many online businesses store personal information about customers and shoppers on their websites so that it can be used for quick and easy service when a customer returns to the website. While convenient, this also provides another way for personal information to be accessed. For example, in 2018, MyFitnessPal experienced a data breach that resulted in around 617 million customer accounts leaked and information offered for a price on compromised websites like Dream Market. Following the breach, MyFitnessPal, owned by Under Armour, urged customers to change passwords regularly, review accounts for suspicious activity, be cautious of “unsolicited communications” and to avoid downloading links from suspect materials. Their acknowledgement went on to claim they did not know who had breached the system and would update the software to prevent it from happening again. Unfortunately, only one breach is enough for consumers to lose faith in the security of a company that stores their personal information.
Identity theft can go beyond criminals using personal information for monetary gain. This information may also be used to obtain legal documents such as a driver’s licence, health care, social insurance number and passport. This was the case for Gerber Guzman in 2014, who was arrested and detained twice for long periods of time because his identity had been stolen six years prior and there was a warrant out for his name regarding drug charges. Yarina Hernandez, Guzman’s wife, fought very hard to get him out of prison and stated, “they told us it wasn’t going to happen again and fast forward six years later, and it’s still happening!”
A good start for preventing identity theft is not giving out any unnecessary information. Be especially careful in protecting your social insurance number.
- Make sure your online accounts have strong passwords: a good password includes both lower and upper case letters as well as a mix of numbers and non-letter characters (such as @ or #) and is at least eight characters long. It’s a good idea to have different passwords for different online accounts so if one is compromised, the others are safe. You can do this easily by having one “master” password and putting the first and last letter of each online service at the beginning and end, so that if your master password is B!u3b3rrY, your Facebook password would be FB!u3b3rrYk.
- Never send personal information via email. Email is not secure.
- Social networking sites are a breeding ground for identity thieves. You should never accept a request to be friends from someone you don’t know and you should also be careful and selective about what type of information you post and share online.
The Office of the Privacy Commissioner of Canada (OPC) is one of many organizations that provides valuable facts and information about identity theft, including preventative measures to identity theft concerns. For consumers who believe they are a victim of identity theft, the OPC recommends taking immediate steps to protect yourself by placing fraud alerts on your credit cards, filing police reports and filing a complaint with the Office of the Privacy Commissioner. This can be done by contacting firstname.lastname@example.org.
Online identity spoofing is when someone else impersonates either you or your computer. Professional scammers have been known to impersonate famous actors, musicians and athletes as well as other important political and corporate figures. For example, in 2018, a woman in Chicago was convinced she was speaking with Bruce Springsteen, who was being impersonated over social media. After the scammer manipulated her into thinking they were in relationship and continuously asking the woman for money, she ended up sending them $11,500 through money transferring sites. Similarly, a 78-year-old woman, believing she’d been communicating with Kenny Chesney, ended up sending the scammer over ten thousand dollars that ended up in China, according to the police.
IP address spoofing
Spoofing an IP address involves changing the header of an Internet Protocol address (that allows servers to know where information is coming from) to match someone else’s IP. If your IP address is spoofed, this may cause you to be associated with illegal activities like hacking websites and may also provide a hacker with access to systems that read your computer as “trusted.”
- It is difficult to fully guard against identity spoofing, as services such as Instagram and Twitter allow anyone to set up an account in any name. To report an impersonated account, use one of the following links:
- Facebook: https://www.facebook.com/help/contact/169486816475808
- Twitter: https://help.twitter.com/en/safety-and-security/report-twitter-impersonation
- Instagram: https://help.instagram.com/contact/636276399721841?helpref=faq_content
- On YouTube or Tiktok, click Report and then choose Impersonation or Pretending to Be Someone.
- To avoid having your own social network account hacked into, never share your password with anyone and make sure to sign out of each service before you close the tab or window.
- Your IP address is most at risk when you are using public internet hotspots at places such as airports or coffee shops. When using these, it is a good idea to use an IP anonymizer such as Hotspot Shield (http://www.hotspotshield.com/) which temporarily assigns you a random IP address so that your computer’s own IP address is not compromised.
Typosquatting involves setting up false, scam or malicious websites with Web addresses that are very similar to popular sites, in the hopes that users will navigate to them by typing them in accidentally. To avoid this, bookmark the sites you use often (using the “Bookmarks” or “Favorites” function in your browser) rather than typing them in the address bar.
Mouse trapping is a technique used by online marketers to ‘trap’ users on a malicious site. The website can disable your “back” button or bombard you with multiple popup windows. After a certain amount of time you may be able to leave but in some cases you may have no other choice but to restart your computer.
Pagejacking occurs when a search engine misdirects users to a false copy of a popular website. Once there, users are usually directed to new pages that contain advertisements and offers. In some cases, these sites may be malicious or contain inappropriate material such as hate content or pornography.
Pharming redirects users from legitimate sites to fraudulent sites that track the information that is entered such as credit card numbers, banking information and usernames or passwords. To do this, ‘pharmers’ send out a virus that causes computers to associate a legitimate domain name with a fraudulent website. Some pharmers, however, attack the website’s server rather than individual computers, so that every visitor is sent to a malicious version of the site.
- Accessing sites through Favorites or Bookmarks can help to avoid pagejacking. If re-directed to or trapped on a bogus webpage, these lists can also be used to jump directly to a trusted site. Opening the computer’s Task Manager tool will end the task manually: on PCs, this is activated by pressing the control, alt and delete keys at the same time and on Macs this can be done by pressing Option, Command and Escape. If all else fails, shutting down or restarting the computer can correct this.
- To avoid falling victim to pharming, ensure that you are visiting secure websites by verifying that the website address begins with the https:// prefix. Reputable internet security software (such as Norton, McAffee or AVG) will warn users if a website’s certificate (record of authenticity) is invalid.
- Issues related to online purchases
Overspending on real goods
With a host of online retail, auction and daily deals sites it’s easy to get carried away and spend more than intended. This is especially true considering that most online purchases are made using credit.
Overspending on virtual goods
The market in “virtual goods” - items and services that exist only online - is estimated to reach USD $189.76 billion by the year 2025. Many of these goods relate to online games, from purchasing the games themselves, to upgrading avatars, purchasing items or getting through levels more quickly. Apps for mobile devices are also popular purchases online (Apple claims to offer 1.96 million Apps for its iPod, iPhone and iPad platforms).
Whether overspending is on physical or virtual goods, there are a number of tools and strategies that can help keep this under control.
- Since most online purchases are done using credit, keeping the spending limit on a credit card low - or using prepaid credit cards - can help curtail impulse buying. Some retailers such as iTunes allow parents to give their children a set “allowance.”
- When buying physical goods online, watch for hidden fees, shipping and handling or customs fees.
- When buying any virtual product or service, make sure to read the description and service agreement carefully.
- Finally, parents and trusted adults should talk to children about some of the risks associated with buying things online and make sure they understand that many virtual goods cost real money. It’s especially important to talk to them about the ways that video games pressure them to make in-game purchases, such as through selling virtual items that give you an advantage over other players, letting you skip boring parts of the game and “loot boxes” that give you unpredictable rewards (in some countries, loot boxes are regulated as gambling).
 Prooftpoint Spam Protection. (n.d.). Retrieved from http://www.proofpoint.com/products/protection/spam-detection.php
 (n.d.) Mobile Phone Scam. PC. Retrieved from https://www.pcmag.com/encyclopedia/term/mobile-phone-spam
 Satterfield, B. (2006). Ten Spam-Filtering Methods Explained. Retrieved from http://www.techsoup.org/learningcenter/internet /page6028.cfm
 (2018). Who Can Still Call You. Government of Canada. Retrieved from https://lnnte-dncl.gc.ca/en/Consumer/Who-Can-Still-Call-You
 (n.d.) Dealing with online auction side fraud. The Cyber Helpline. Retrieved from https://www.thecyberhelpline.com/guides/online-auction-fraud
 Meyers, Adam. “5 red flags than an email is a scam.” Moneyville.ca, April 22 2012.
 “Scareware uses child porn warning to scam money.” CBC News, April 19 2012.
 Nolen, Stephanie. Nigerian Scammers Feeding on Greed, Gullibility. The Globe and Mail, December 5 2005.
 Keiling, H (2021). Everything you need to know about holiday reshipping scams. Indeed. Retrieved from https://www.indeed.com/career-advice/finding-a-job/reshipping-scam
 Maludzinsk, B (2020) Are video gaming consoles vulnerable to viruses and malware? TIM. Retrieved from https://www.takingitmobile.com/video-gaming-consoles-vulnerable-to-viruses/
 Greenberg, A (2019) Supply chain hackers snuck malware into videogames. Wired. Retrieved from https://www.wired.com/story/supply-chain-hackers-videogames-asus-ccleaner/
 Swinhoe, D. (2020) the 15 biggest data breaches of the 21st century. CSO. Retrieved from https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
 MyFitnessPal (2018). Account Security Issue. Retrieved from https://content.myfitnesspal.com/security-information/FAQ.html
 2014. Drug charge confusion gets LA identity theft victim arrested for a second time. RT News. Retrieved from https://www.rt.com/usa/158000-gerber-guzman-identity-stolen-jailed/
 Consumer Measures Committee. (2009). Watch Your Identity: Tips for Reducing the Risk of Identity Theft (Catalogue No. Iu23-6/2007E-PDF). Retrieved from Prevention http://cmcweb.ca/eic/site/cmc-cmc.nsf/eng/fe00040.html
 (2020). Identity Theft and You. Office of the Privacy Commissioner of Canada. Retrieved from https://www.priv.gc.ca/en/privacy-topics/identities/identity-theft/guide_idt/
 Zakman, P (2018). 2 Investigators: Fans scammed out of millions of dollars by fake Instagram accounts. CBS News Chicago. Retrieved from https://chicago.cbslocal.com/2018/09/25/2-investigators-fans-scammed-fake-celebrity-accounts/
 Whyte, D. (n.d.). Following the Journey of a Spoofed Packet. Retrieved from http://people.scs.carleton.ca/~dlwhyte/whytepapers/ipspoof.htm
 Pagejacking - identifying and dealing with pagejackers (n.d.). Retrieved from http://www.tamingthebeast.net/articles4/pagejacking.htm
 Pharming (2005). Retrieved from http://searchsecurity.techtarget.com/definition/pharming
 (2019). Rising popularity of social networks gaming to drive the virtual goods market at a CAGR of 22.3%. Adriot Market Research. Retrieved from https://www.adroitmarketresearch.com/press-release/virtual-goods-market