How to protect your business against new types of online fraud

With 379 million in financial losses reported to the Canadian Anti-Fraud Centre (CAFC) last year, 2021 reached an all-time high for all types of fraud, seeing a 130% increase over the previous year. And the CAFC estimates that only 5% of fraud is reported! We discuss cyber fraud with Emeline Manson, a fraud prevention and cybersecurity trainer and author of YouTube vignettes on the subject.

Isarta News: In talking with various entrepreneurs, it seems that “president fraud” (using people in positions of responsibility to circumvent a company’s security) is becoming more sophisticated and difficult to perceive. Are you seeing this same phenomenon on your end?

Emeline Manson: I totally agree! President fraud is much more frequent and sophisticated than in the past. There are now applications like Anonymouse that can fake a colleague’s address when sending an email. This can be very confusing: it looks like the email is coming from a colleague, when in fact his or her email box has not been compromised.

How do hackers manage to personalize their attacks?
E. M.: The Internet is like a big online puzzle. Just think about the information on LinkedIn: it’s a walking organizational chart, you can find the president of a company, the VP, the accountant, the people in finance, etc. It makes life so much easier for criminals. Secondly, hackers have access to translation tools that are very powerful.

What types of fraudulent messages can we expect to receive in our email box?
E. M.: There are many. Right now, there are a lot of emails that replicate cloud-based document sharing notifications, such as “This person wants to share a document with you,” with an email like OneDrive, SharePoint or Google Drive. This is something that is becoming more and more common, with the growing use of collaborative tools.

Another ploy is to send a fake resume – which is clever, in the middle of a labour shortage (!). It looks like an attachment, but when you open it, it turns out to be an executable file and you end up with ransomware, a virus or a Trojan horse.

Finally, another common fraud is to ask an employee to buy gift cards for everyone, for an upcoming event, be it Christmas, Valentine’s Day or others.

Besides email fraud, are there other types of cyber frauds to be wary of?
E. M.: Social media is another important vector for phishing campaigns. A common scam on Facebook is the “look who’s dead” message inviting us to click on a link external to the platform. Just this morning, a client called me in a panic because she had clicked on this link and didn’t know what to do. I helped her secure her account, change her password, and notify the people (200-300 friends) her account had forwarded this message to.

On Instagram, scammers offer to help users get the blue account certification badge. However, once they gain access to the account, they take control of it and kick the owner out.

Another thing to watch out for is tech support fraud. Recently, a client of mine was caught in this type of fraud. Having problems with her printer, she did a Google search for technical support. She clicked on an ad that was a fraudulent website. The hacker scanned her computer, got access to her passwords and, on top of that, she paid for the service with her credit card!

What advice can you give to avoid cyber fraud?
E. M.: It is very difficult today to tell if a link is fraudulent or not. There is a false belief that HTTPS [Hypertext Transfer Protocol Secure] is always secure, when it is not. So basically, the first piece of advice I give is to never click on links that you receive by email, text message or on social media.

It’s best to go through another communication channel to validate requests, whether it’s through Teams, LinkedIn or even the phone. In short, always take a step back.