What is phishing?

Phishing is a variation of fishing – when scammers try to lure their victims using bait. In this case the bait is when someone contacts you via email or text to lure you into sharing personal information. They may pretend to be with a legitimate business like a parcel delivery service or a government department.

Phishing can happen to anyone. You could be contacted by email, mobile phone or land line. The message may ask you to download an attachment or click on a link to get to your personal information.

Scammers move quickly to come up with new ways to convince you to share information. They will use current events and trends in their scams. A scam could include sending you a text message with a link. The link could take you to a website that looks legitimate. The site may ask you to input personal details. Remember that government agencies would not normally contact you by text message. Do not click on links in text messages.

Examples of phishing scams can include:

• License plate sticker refund scam

• Canada Revenue Agency scam

• Package delivery scam

How is phishing used in investment scams?

Phishing is often the front end of investment scams. Getting you to click on a link is the first step to drawing you in. Once you have clicked on the phish bait, it opens the door to many other things. The scammer may convince you to share personal information and then aggressively try to get you to put money into fraudulent investment opportunities. The scammer may share links to fraudulent websites or online platforms — that look legitimate. They may direct you to online places to “learn” how to trade that are part of the scam. 

You may be totally unaware of what’s happening and think your investment is legitimate. Often scammers will ask you for a small initial investment, like $250. You’ll see amount grow quickly and be lured into investing more in the fraudulent account. The scammer may also highlight the impressive exponential growth of your investment to aggressively encourage you to invest more. All of this can start with a simple click from the initial phishing attempt.

What do fraudsters do with your personal information?

If you are a victim of phishing, scammers may use information about you for identity theft. Your personal details could be used by scammers in many ways. They could access your bank account or open a new one. They may also apply for a loan or new credit cards under your name. They could also try to get government benefits using your identity or they may even attempt to fraudulently sell your home.

Keep your financial information safe to avoid financial fraud and identity theft:

Checklist to protect your financial information.

What are the types of phishing scams?

Phishing can happen in many formats, including:

• Email phishing: when you receive an email impersonating a legitimate source. Your email is the most popular place for scammers to send phishing attempts.
• Spear phishing: very targeted phishing — sometimes it happens after a successful preliminary email phishing attempt. Spear phishing emails may have your name and appear to be from a sender who you know. They will try to convince you to send money to someone you think is a legitimate business or person. Or the attempt could seem like it’s from your workplace asking you to click on a link to get more digital file storage space.
• Spoofing: part of phishing expeditions is to convince you that the person contacting you is real. Spoofing happens when the sender’s email address looks like the actual email address of the person or business they are imitating.
• Whaling: for scammers, a whale is a “big fish” in a phishingPhishing A type of fraud where a stranger poses as a trustworthy person or business to…+ read full definition scheme. Senior executives in a company could be targeted in a whaling phishing attack.
• Smishing: when you are contacted via text message with a request to click on a link that appears to come from a company or person you trustTrust An account set up to hold assets for a beneficiary. A trustee manages the assets…+ read full definition.
• Vishing: when you are contacted by telephone by someone pretending to be with a reputable organization asking you for personal information.
• Angler phishing: happens on social media. These phishing attempts try to get you to click on a fraudulent corporate social media accountAccount An agreement you make with a financial institution to handle your money. You can set…+ read full definition. Many companies have social media accounts to connect with customers. The angler phishing versions look very similar to the legitimate accounts and may ask you to click to get a discountDiscount When something sells for less than its normal price.+ read full definition on the company product or other ruse.
• Approval phishing: tricks people into granting control over their cryptocurrencyCryptocurrency See Digital Coins.+ read full definition wallets to scammers. You may be sent a fake request to “approve” access to your wallet that appears to come from a trusted source. When you click on the approval, you unknowingly hand over control of your crypto wallets to the scammer. They can then empty your crypto wallet by moving the crypto to a separate wallet. This tactic is often used for online investmentInvestment An item of value you buy to get income or to grow in value.+ read full definition fraud. Sometimes it is part of a long-haul scam often referred to as “pig butchering,” to lure people into handing over ever-increasing amounts to scammers. Learn more about the red flags of crypto fraud.

There are no limits to who phishing scammers will pretend to be.

The Canadian Anti-Fraud Centre (CAFC) sent out a warning after they received reports of phishing emails impersonating their organization. The emails looked like automated emails the CAFC sends when it receives files through their Fraud Reporting System. The email asked people to click on a link to view their report. The CAFC warned people not to click on the link. It said it does not provide links to submitted reports.

Ransomware warning:

Some email phishing campaigns ask you to click on an attachment. The attachment could be a file that — if you click on it — loads malware onto your computer. Malware is like having a spy in your system. You might not know it’s there, and then one day your files are locked, and you are told to send money to unlock them.

How can you spot and stop phishing attempts?

There are many types of phishing, but don’t take the bait. To help you avoid being lured by phishing scams consider these tips:

• Be on alert if you receive any text, call or email that rushes you into making a decision or asks you to shareShare A piece of ownership in a company. A share does not give you direct control…+ read full definition or confirm personal or sensitive information.
• If you get a text from any person, or organization, pause and ask yourself: Why would they have and use your cell phone number? Why would they text you for important information?
• Think twice before clicking on anything in an unsolicited email or text. Don’t click on a link or an attachment unless you are certain it is safe. When in doubt, don’t click.
• Verify URLs before approving any transactions. Always double-check the website and transactionTransaction The process where one person or party buys goods or services from another for money.…+ read full definition details. Phishing scammers try to trick you into granting access to your accounts.
• Look for spelling mistakes in texts and emails. Fraudsters often misspell words or use strange grammar.
• Use multi-factor authentication on your accounts.This adds an extra layer of security against unauthorized access.
• Regularly monitor all your financial accounts so you will notice irregularities.

Remember: Fraudsters often pose as legitimate financial advisors or companies, or as a potential friend or romantic partner.

What do you do if you’ve been scammed?

If you suspect you had money taken in a phishing scamScam When someone tries to make money by misleading or tricking another person.+ read full definition, there are a few things you can do, including:

• Stop communicating with the scammer. Do not respond to calls, emails, or messages from those involved in the scam. They may try to convince you to send more funds or share additional personal information.
• Act quickly. Particularly in cryptocurrency scams, timing is critical in tracking and recovering lost funds.Change passwords for your wallet, crypto trading platforms, and email accounts. Enable two-factor authentication (2FA) and revoke unauthorized token approvals.
• Check for unauthorized transactions. Review your bank statements. In the case of a crypto scam, check your wallet activity and report suspicious transactions to your crypto trading platform or wallet provider.
• Notify your financial institution. If bank accounts were used to fund fraudulent transactions, report them to your financial institution and ask about potential reversals.
• Watch out for recovery scams. Be cautious any person or service promising to get your stolen funds or crypto for a fee. Many of these offers are fraudulent. 
• Report the fraud. Contact your local regulator or law enforcement agency. Find our more about what to do if you have had money taken in a scam.