Cybercrime is on the rise in Canada. In fact, the Royal Canadian Mounted Police reported a 40% increase in business losses from fraud last year.
- 70,000+ fraud reports filed, totaling $530 million in business losses
- $150 million increase in fraud losses from 2021 to 2022
- Nearly 30% of reports were made by victims of identity fraud
Here are some ways to decrease your chances of falling victim to cybercrime and protect your customers—and your business—from fraud. And be sure to download our 10 tips to fight fraud infographic.
Educate your team
When your employees know what to look for, they’re more likely to spot fraudulent activity. Yet according to a recent Scotiabank Youth Fraud poll, 63% of young Canadians have not been educated about financial fraud or how to protect themselves from scammers.
The poll also found that three out of four young Canadians have been targeted or fallen victim to various financial fraud scams via email, phone, text and social media.
Create a fraud awareness training program
You can lower your chances of a cyberattack by teaching your employees how to recognize and report suspicious activity. Create an internal fraud awareness training program and make sure all of your employees are trained and know what to do in case of fraudulent activity or communication.
Bot fraud. Also known as botnet fraud or bot-driven fraud, this fraudulent activity happens through automated software programs called ‘bots.’ Bots are computer programs that can perform automated tasks and often mimic human behavior online.
Malicious attackers use bots to engage in various fraudulent activities for financial gain or to exploit vulnerabilities or disrupt services. Common examples of bot fraud include account takeovers and click fraud. Financial institutions, ecommerce platforms and online retailers are especially vulnerable to bot fraud, which is constantly adapting and evolving, making it an ongoing challenge.
Fraudulent card testing. Fraudsters test stolen credit or debit card information by making small, unauthorized transactions or inquiries to see if the card is valid and usable. Card testing typically occurs online, where attackers use automated tools or manual processes to validate a stolen card's details, such as a card number, expiration date and Card Verification Value (CVV).
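Card testing leaves a recognizable trace in authorization logs: many low-value attempts from one source in a short window, each with a different card, and most of them declined. The following detector is an added example (not code from the original article) that scans constructed sample log lines for that pattern; the log format, field names and thresholds are assumptions, and the card numbers are masked test values, not real cards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data):
# timestamp, client IP, masked card (first 6 + last 4), amount, result.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 411111****1111 1.00 DECLINED
2023-05-01T10:00:03 203.0.113.7 411111****2222 1.00 DECLINED
2023-05-01T10:00:05 203.0.113.7 522222****3333 1.00 APPROVED
2023-05-01T10:00:06 203.0.113.7 522222****4444 1.00 DECLINED
2023-05-01T10:00:08 203.0.113.7 411111****5555 1.00 DECLINED
2023-05-01T10:00:09 203.0.113.7 522222****6666 1.00 DECLINED
2023-05-01T10:05:00 198.51.100.9 411111****7777 49.99 APPROVED
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (APPROVED|DECLINED)$")

def parse_log(text):
    """Parse log lines into (time, ip, masked_card, amount, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        ts, ip, card, amount, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, card, float(amount), result))
    return events

def find_card_testing(events, window=timedelta(minutes=5), min_attempts=5,
                      min_distinct_cards=4, max_amount=5.0, min_decline_rate=0.6):
    """Flag IPs whose low-value attempts in one window use many distinct cards and mostly decline."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for i in range(len(evs)):  # sliding window starting at each event
            start = evs[i][0]
            recent = [e for e in evs[i:] if e[0] - start <= window]
            small = [e for e in recent if e[3] <= max_amount]
            if len(small) < min_attempts:
                continue
            cards = {e[2] for e in small}
            rate = sum(1 for e in small if e[4] == "DECLINED") / len(small)
            if len(cards) >= min_distinct_cards and rate >= min_decline_rate:
                flagged[ip] = {"attempts": len(small), "distinct_cards": len(cards),
                               "decline_rate": round(rate, 2)}
                break
    return flagged
```

A flagged source is a candidate for rate limiting or step-up checks at checkout, not an automatic block; the legitimate shopper on the second IP is untouched.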
Identity fraud. Identity theft (or identity fraud) is the unauthorized use of an individual’s personal information by third parties. The identity thief uses a person’s name, date of birth, address, social insurance number (SIN), credit card number or other personal information for criminal purposes or financial gain.
Phishing and personal information scams. Phishing (and all of its variations listed below) involves the fraudulent use of communication, typically through email, text or websites. The goal is to trick victims into disclosing confidential information, such as credit card numbers, which can then be exploited for financial gain or unauthorized access. Eight in 10 Canadian organizations experienced at least one successful email-based phishing attack last year.
Last year, the most reported types of fraud in Canada were refund fraud, fraudulent card testing, phishing and bots.
Common types of phishing:
- Smishing (SMS phishing) involves using SMS (Short Message Service) or text messages to trick an individual into providing sensitive information or clicking on a malicious link. The attacker may send a text claiming to be from a reputable organization or asking for personal information or directing a user to a fake website.
- Whaling is a targeted phishing attack that focuses on high-profile individuals within an organization, such as executives or senior management. The goal is to trick these people into revealing sensitive company information, financial data or login credentials.
- Angler phishing involves exploiting a legitimate website or service's existing trust and reputation to deceive users. Attackers compromise or "angle" a trusted platform to host phishing pages or distribute malicious content. Users may be redirected to these pages through deceptive links.
- Vishing (voice phishing) uses phone calls or voice messages to deceive individuals into revealing sensitive information or performing certain actions. Attackers may impersonate legitimate organizations or financial institutions to trick victims into sharing account details, passwords or other confidential information.
- Spear phishing is a targeted attack where the fraudster customizes the phishing message for a specific individual, organization or group. The attacker gathers information about the target to make the phishing attempt more convincing and increase the likelihood of success.
- Clone phishing is when a scammer creates a nearly identical copy of a legitimate email, often from a trusted source. The attacker alters certain details or includes malicious links or attachments in the cloned email to trick recipients into revealing sensitive information.
POS malware. POS malware is malicious software designed to steal your customers’ personal information through your POS devices. The malware collects payment card data, including debit and credit card numbers, expiration dates and CVV codes.
This data breach happens in real time while the transaction is being processed by your POS terminal, typically in the retail and hospitality industries. The stolen data can then be used for identity theft or fraudulent purchases.
POS malware spreads through email, malicious web addresses, infected networks, or USB devices connected to your POS terminal. It can have a negative impact on your business, including financial and reputational loss. A recent study found that in the first eight months of 2022, the number of unique devices affected by POS malware grew by 19%, compared to only 4% in 2021. Keeping your POS software updated and restricting user access on the terminal can help lower your chances of a POS malware attack.
Refund fraud. Refund scams deceive a company, government or financial institution into issuing a refund or reimbursement. Refund fraud can occur in chargebacks, insurance reimbursement, tax refunds and more. Make sure you require a way to identify a customer’s original purchase before issuing a refund. And have fraud protection like 3D Secure 2 (3DS2) and encryption in place: these security features provide an extra layer of protection, making it harder for fraudsters to access customer data.
Return fraud. Return fraud happens when fraudsters manipulate a return process to obtain a refund in exchange for products or services they didn’t legitimately purchase. A clear return policy well-communicated on your website can reduce return fraud.
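The advice above comes down to one rule: no refund without a matching recorded sale, to the same payment method, for no more than what is left of the original amount. The check below is an added example (not code from the original article or from any payment provider); the ledger, the `payment_token` field and the order numbers are constructed sample data, and amounts are in cents to avoid floating-point rounding.

```python
from dataclasses import dataclass

@dataclass
class Capture:
    """One settled sale. The card is referenced by a token, never by its number."""
    order_id: str
    amount_cents: int
    payment_token: str
    refunded_cents: int = 0

def make_ledger():
    # Constructed sample ledger of captured sales (not real transactions).
    return {
        "ORD-1001": Capture("ORD-1001", 4999, "tok_a1"),
        "ORD-1002": Capture("ORD-1002", 1250, "tok_b2"),
    }

def validate_refund(ledger, order_id, amount_cents, payment_token):
    """Return (ok, reason). Refuse anything that cannot be tied to a real sale."""
    sale = ledger.get(order_id)
    if sale is None:
        return False, "no matching sale"
    if payment_token != sale.payment_token:
        # Refund must go back to the card that paid, never to a new destination.
        return False, "refund destination differs from original payment method"
    if amount_cents <= 0:
        return False, "amount must be positive"
    remaining = sale.amount_cents - sale.refunded_cents
    if amount_cents > remaining:
        # Blocks repeated or inflated refunds against one purchase.
        return False, f"amount exceeds refundable balance ({remaining} cents)"
    return True, "ok"

def apply_refund(ledger, order_id, amount_cents, payment_token):
    """Validate, then record the refund against the sale so the balance shrinks."""
    ok, reason = validate_refund(ledger, order_id, amount_cents, payment_token)
    if ok:
        ledger[order_id].refunded_cents += amount_cents
    return ok, reason
```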
Protect your customers—and your business
Educating your employees is only half the battle against fraud. From a business perspective, PCI compliance, Strong Customer Authentication (SCA), 3D Secure 2 (3DS2), encryption, password security and tokenization have important roles in fraud and cybercrime prevention. They enhance the security of digital transactions, protect sensitive data and verify user identities.
- 3DS2—3DS2 relies on biometrics (and other methods) for a quick, smooth authentication on any device. And it’s the only card authentication method that meets the European Union (EU)’s SCA regulations. According to Visa, 3DS2 reduces cart abandonment by 70% and checkout times by 85% while improving security.
- Encryption—Encryption secures sensitive information and communication by making it difficult for unauthorized users to access or understand the original data without the appropriate decryption key.
- Password security—Implementing strong password security is crucial in preventing unauthorized access, fraud and theft. Multifactor or biometric authentication can make your payments more secure.
- PCI compliance—Cardholder data needs to be properly handled and stored in accordance with Payment Card Industry Data Security Standard (PCI DSS) requirements.
- SCA—If you’re selling in the European Union, your payments need to meet SCA regulations through the Payment Services Directive 2 (PSD2).
- Tokenization—Tokenization replaces sensitive data, such as credit card numbers or personal identification numbers (PINs), with unique identifiers called tokens. A token has no value outside the system that issued it, so a stolen token doesn’t expose the underlying card number.
For a more detailed discussion on PCI compliance and password security, check out our articles, Four security questions to ask your payment partner and How to protect your customers from fraud.
Do your part to fight fraud
Our team can support your business by providing security tools that automatically detect fraudulent transactions. We’re also experts in PCI compliance. Contact us today to get started, or visit our help centre for more fraud prevention and security resources.
The Canadian Bankers Association also offers a free cybersecurity toolkit for small businesses that can help you get started with a fraud awareness program. And the Government of Canada provides common scam alerts with examples of recent Canadian scams that you can share with your employees.