Nova Scotia·CONSUMER WATCHDOG

How crooks are getting better at imitating texts, emails from banks

One Nova Scotia couple lost $3,000 after fraudsters mimicked Scotiabank's InfoAlerts text message service.

Nova Scotia couple lose $3,000 after fraudsters mimic Scotiabank's InfoAlerts text messages

Brenda and Fernando Afonso lost $3,000 when crooks used a copy of a bank app to clean out their account. (Jesse Afonso)

As criminals use emails and texts to phish for people's personal information in hopes of robbing bank accounts, it's becoming increasingly difficult for the average customer to know what is legitimate communication from their bank and what is not.

"They [scammers] are much better at targeting their audiences now and doing a lot better job of making it look realistic and it becomes very confusing for people," said Sgt. Royce MacRae with the RCMP's Tech Crime Unit in Nova Scotia.

Crooks mimic messages from bank

Brenda and Fernando Afonso learned the hard way how sophisticated these scammers are.

The couple had been using Scotiabank's InfoAlerts service, which sends a text or email to an account holder every time their debit or credit card is used. It's a way to make sure all transactions are legitimate and keep track of any unauthorized use. 

Then fraudsters sent messages that looked like they were from InfoAlerts to get into their bank account. 

"We were out one day and my husband got a text message saying his bank card had been used and he hadn't used it so he became concerned," Brenda Afonso told CBC News. 

"He logged in to check his account and when he did he was actually logging into a bogus account and they got all of his information." 

One of the text messages sent by criminals phishing for customer's account information. (CBC)

The fraudsters used the information they had obtained to clean out the $3,000 in the Afonsos' bank account.

The Afonsos thought bank insurance would cover their loss, but they were told Scotiabank would not be replacing the money because they had willingly given out their banking information.

"Who would log into something like that if they knew?" Brenda Afonso asked.

"No person would do that. We did it because we thought it was this bank app that we had been using all along."

Phishing on the rise

Scotiabank spokesman Rick Roth acknowledges phishing is an ongoing problem.

"The number and sophistication level of phishing attacks has increased globally," he told CBC News.

Scotiabank has a highlighted message on the login page of its online banking website stating:

"Scotiabank does not send text messages or emails that ask you for your password for online and mobile banking, Personal Identification Number (PIN) for either your ScotiaCard or credit cards, account numbers for any type of account, answers to your security questions, or access code for adding payees."

Password request sent to SCENE members

But the situation gets fuzzy for consumers in light of a recent email sent to Scotiabank customers.

The bank is a partner of SCENE, a program where customers can earn points toward free movies and meals by using their Scotiabank cards.

SCENE sent out an email to its members on March 1, asking them to reset their password to access their account (a copy of the email is below). The message included a link to reset the password.

A CBC viewer who received the email was uncertain whether it was real, so she called the bank and was told it was a scam. However, it turns out the email was real.

Whether to click or not click?

Halifax marketing professor Ed McHugh calls it an interesting conundrum for consumers.

"It almost turns into a bit of a double-standard and people don't know whether to click or not click and [wonder] 'What should I do here?'" McHugh said.

McHugh says it's easy for consumers to be confused because some of the phishing emails look quite legitimate, with corporate logos and email addresses that appear to be official.

"So you think it looks good and there's their logo. So it will pull some in," he said. 

"Fortunately in this case, with Scotiabank, it was a legitimate email from their partner. But if consumers get into that habit of clicking on every mail that looks legit, at some point they're going to get bitten." 

'A convenience for members'

Scotiabank sent our inquiry about what McHugh called a "double standard" to SCENE, which defended its email.  

"SCENE proactively sent an email to its member base with a suggestion to update passwords online at scene.ca... to help our members keep their accounts safe."

Spokesman Matthew Seagrim said the link to update passwords was included "as a convenience for members," adding response to the email has been encouraging with people commenting they were pleased with the suggested password change.

He points out while SCENE was created jointly by Scotiabank and Cineplex, it operates as a separate organization.

Contact bank first before clicking

As for those confused by emails and texts that seem to come from their bank, MacRae's advice is not to respond to anything you receive online before first contacting your bank.

Marketing professor Ed McHugh has a message for the banks.

"Be clear. If you say you'll only send info through your website, don't send it via other means."

And Brenda Afonso has a message for consumers too. 

"Don't use a lot of those apps unless you really need to. Go back to basic banking as much as you can and know your account is not insured [when this happens]."

ABOUT THE AUTHOR

Yvonne Colbert

Consumer Watchdog

Yvonne Colbert has been a journalist for nearly 35 years, covering everything from human interest stories to the provincial legislature. These days she helps consumers navigate an increasingly complex marketplace and avoid getting ripped off. She invites story ideas at [email protected]