Email fraud cases highlight need for best practices

The process may be routine among many Canadians, but it comes with substantial risk of losses

Email fraud cases highlight need for best practices

With the increasing availability of user-friendly technology, consumers and clients are increasingly using email to conduct financial transactions. But those who use email in their financial affairs must be aware of the risk of fraud. That was shown in a recent settlement agreement from the MFDA — and some customers of a Big Six bank are learning that very lesson.

An Ontario woman lost $1,734 to email fraud when she tried to use an e-transfer system to send money to a friend, reported CBC News. “I always use e-transfer,” Anne Hoover told the news outlet. “I thought it was a safe way to send money.”

According to the report, Hoover had just returned from a trip to Mexico when she used RBC’s Interac e-transfer system to reimburse her friend Fran Fearnley for expenses incurred during the trip. But when Fearnley opened the email and tried to accept the payment, she saw a message saying the e-transfer had already pushed through.

After calling RBC’s fraud department, the women found out that someone had intercepted the transaction. According to an RBC manager, an internal investigation revealed that Fearnley’s email account had been hacked; when Hoover sent the e-transfer, the fraudster was able to correctly answer the security question required to deposit the money, and redirected it to a TD bank account.

The security question posed by Hoover to Fearnley was: “Who is my favourite Beatle?” CBC News tested RBC’s Interac System, during which they were given four chances to answer the security question — enough for a hacker to guess which of the four Beatles Hoover was referring to.

While the bank manager maintained that the bank bore no responsibility for the loss, Hoover was eventually offered half the missing funds as a “gesture of goodwill.” A webpage about RBC’s digital banking security tells visitors that customers are “fully protected,” and will be reimbursed “for any unauthorized transactions.”

But bank officials reportedly told Hoover that customers who use weak passwords when transferring funds online are not protected. Customers can only see that disclaimer after following a few links from RBC’s “Security Guarantee” to a section called “Security,” where the clause is displayed in fine print.

“This idea of transferring money by email is much more risky than people realize,” Claudiu Popa, cybersecurity expert and author of The Canadian Cyberfraud Handbook, told CBC News. “Banks and financial institutions have made it very easy to transfer money via email. Unfortunately, with convenience, comes lack of security.”

Upon searching for Fearnley’s email address on a website that tracks data breaches, Popa determined that Fearnley’s email became compromised on two separate occasions when hackers attacked LinkedIn and To protect customers better, he said, financial firms should require two-factor authentication, basically telling the user to input a code sent to a separate email account or mobile number before a transaction can push through.

Hoover has escalated her case to the RBC Ombudsman in hopes that the bank will warn customers that they could be liable for losses even if they’re victims of fraud.


Follow WP on Facebook, LinkedIn and Twitter