I recently received a text message saying: “You have received $89.95 from Manitoba Hydro”. I was instructed to click on a link so that the money will be sent to me via INTERAC. Since I am not the one who pays our hydro bill at home, I was immediately skeptical. I deleted the text and searched online for similar scams.
Random texts = smishing
What did I discover? It turns out that this was one of the most common ways to smish. Smishing is an attempt to obtain sensitive information via SMS. The goal is to get bank account numbers, passwords, credit card details and even SIN (it’s phishing when done via email, and vishing if via a phone call). Had I clicked on the link from the text I received, it would have taken me to a page where I would need to provide my bank account information so that they can supposedly deposit the money. Once I provided my information, it will be possible for the scammer to wipe out my account in a matter of minutes.
There are various versions of this scam:
- Porting fraud – This is one of the newest online scams. Porting is when a phone account allows a customer to change service providers while keeping the same phone number. Fraud happens when a scammer impersonates the customer and has the account transferred to another account they created (CTV News). The scammer then takes control of the account, including the customer’s other online accounts. Victims receive a text message from their provider informing them that they have received a request to send their number to another carrier (even if the customer has not made the request). It will also ask them to click a link to contact them. If you receive a similar text message, don’t click on the link. Inform your provider immediately using their published number. Don’t ignore the message as some fraudsters are able to take over your account if you don’t take action. (Read: New scam uses your phone number to steal your online identity, Danton Unger, CTV News).
- Canada Revenue Agency (CRA) tax refund – This is sent around tax time (Jan-April) and will usually say that CRA sent you your tax refund via INTERAC e-transfer. It could link to a legitimate-looking bank webpage (for example, RBC or BMO) where it will say you can click to claim or deposit the money. It can also link to a fake CRA webpage where you will need to key-in your SIN to validate your identity. The aim of this scam is to get your personal, bank account, or credit card information which they can use to get money from you.
- Your bank asking you to update your bank account information – This could be in the form of an email or text saying that your account has been frozen so you need to reconfirm your bank account details. Like the CRA scam, it is done to get your bank account details. Examples:
“Due to your recent banking activities with your BMO card, please reconfirm your PVQ to avoid account suspension, use bmo-onlines.nut.cc/logon to secure.”
“FROM: CIBC ONLINE BANKING SECURITY. As part of our commitment to help keep your account secure, we have added some extra security features. Please sign in to register: http://signin-cibc.com.”
(Actual scam text examples from Text message fraud cost Canadians half a million dollars so far in 2016, Leslie Young, Global News, Nov. 15, 2016).
Mystery Shopper – This is a job offer to become a secret shopper. All you need to do is click on a link and provide your full name. Then they will send you a cheque which you will need to deposit in your account. You will also be given a list of stores to shop in and try. In one variation, the amount on the check will be so big that they’ll instruct you to keep some money for yourself and wire transfer the rest to them. Other times, one of the stores in the list will be a money transfer service (like Western Union) and you’ll have to send X amount to a specified account.
The trouble begins when your bank finds out that the cheque is fake. This means that you will be held liable for all the money you spent shopping. Meanwhile, the amount you wired goes straight to the pocket of the scammer.
How to protect yourself from SMS or email scams:
- Know that most legitimate companies and organizations don’t use texts or calls for official communication – The government, your bank, and other trusted establishments will not call, email or text you for rebates, tax refunds, or to ask for confidential information. For instance, to inform you about refunds or changes to your account, the CRA will send you a letter by mail. If you have a My CRA Account, you will receive an email informing you that you have communication coming from them. It will not contain the body of the message nor links. You would have to log-in to your account to read the message.
If you want to make sure if a text from a trusted establishment is legitimate, call Customer Service first before clicking on anything. If it looks suspicious, search online to check if it’s a common fraud.Go to the Canadian Anti-Fraud Centre to know the latest scams and frauds.
- Be suspicious if you don’t know the sender – Don’t click on any link or download anything. You can end up with malware (malicious software) like viruses, spyware or ransomware that can hold your mobile phone and computer information hostage. Also, don’t call or text them them to ask. If it’s a scammer, calling them back will let them know that your number is genuine. They will use it again for other fraudulent activities.
- Check for typographical and grammatical errors – If the message or website is full of misspelled words, bad formatting (no punctuations, does not follow capitalization or are in all caps) and wrong grammar, it’s a scam. Also, look at the link. Sites where you need to key-in personal information should start with https, not http. The ‘s’ stands for secure, which means that all communication between your browser and the website are encrypted. Be suspicious if it’s a shortened link, or if it’s full of special characters.
- Don’t take the message seriously if you are not expecting money or an email from someone – The message is most likely a fraud if it’s offering you something that’s too good to be true. However, if you know the person sending you the link (and you’ve been informed that they’ll send the message) but you’re still unsure about it, you can check it without clicking it. Right click on the link, copy it, then paste it on a service like CheckShortURL, Norton Safe Web, URLVoid, or ScanURL (How to test a suspicious link without clicking it, Andy O’Donnell, Lifewire). These sites may be able to tell you if the link is safe or not.
- Keep your personal information private – Don’t publish personal information such as your birth date on social media. Always be suspicious of emails or text messages asking you to update your information or passwords on online accounts. Ensure that your security questions and passwords are difficult to guess.
- Report it – I regret that I deleted the MB Hydro scam text message I received. What I should have done was forwarded it to my telecom provider or reported it to the Canadian Anti-Fraud Centre. If you receive a scam text message, report it right away. Doing this could prevent others from falling victim to the scam and help authorities stop such frauds from spreading.
Article updated 02/2020
Sources: Canada Revenue Agency warns of text message phishing scam, CTV news.ca; How to test a suspicious link without clicking it, Andy O’Donnell, Lifewire; How to protect yourself from telecom fraud, Bell; Text message fraud cost Canadians half a million dollars so far in 2016, Leslie Young, Global News, Nov. 15, 2016); and New scam uses your phone number to steal your online identity, Danton Unger, CTV News. Accessed October 23, 2017, updated February 20, 2020.
We'd love to hear from you!
Please login to tell us what you think.