On February 2, 2024, an Ontario Provincial Police (OPP) member seconded to the Canadian Anti-Fraud Centre (CAFC) was notified by a CAFC Call Taker that a Canadian victim business reported a Spear Phishing fraud. The member subsequently contacted the United States Secret Service (USSS) representative regarding the fraud.
The USSS quickly contacted the US financial institution, which received the transfer and froze approximately $615,820 (CND) of the victim funds. As a result of the timely reporting to the CAFC, and the quick action of the members from each organization, the business is well positioned to recover the funds.
What is the Canadian Anti-Fraud Centre?
The CAFC is Canada’s central repository for data, intelligence and resource material that relates to fraud. CAFC does not conduct investigations but provides valuable assistance to law enforcement agencies all over the world. CAFC is jointly managed by the Royal Canadian Mounted Police, the Competition Bureau Canada and the Ontario Provincial Police (OPP). The CAFC was originally known as Phonebusters, which was created by the OPP.
What is Spear Phishing or Business Email Compromise fraud?
Spear phishing (Business Email Compromise) frauds represented $58.2 million in reported losses to the CAFC in 2023. Ontario victims reported losing over $21.3 million.
Fraudsters send messages to a targeted business or individual’s email account, often to the accounts payable department. Fraudsters will create an email address similar to the targeted company’s email address in order to appear as though the email is originating from a trusted source (a supplier or contractor). The fraudster will request an urgent payment to an alternate bank account for an invoice that is due.
In addition, fraudsters may send malware and if an employee clicks on it, a rule will be created to send copies of incoming emails to one of the fraudster’s email accounts. Fraudsters will take their time to collect information, study the language on their intended targets, and look for important contacts, payments, and dates so they can send convincing emails from a seemingly trusted source. Fraudsters launch their attack when an accounts payable invoice has been identified.
How to protect yourself
· Remain current on frauds targeting businesses and educate all employees by visiting the CAFC website
· Include fraud and cyber training as part of new employee’s orientation
· Avoid opening unsolicited emails or clicking on suspicious links or attachments
· Take a few seconds to hover over an email address or link and confirm that they are correct
· Restrict the amount of information shared publicly and show caution with regard to social media
· Create detailed payment procedures, including verbal authentication for any urgent requests or changes in payment details
· Create a verification step for unusual requests
· Establish fraud identifying, managing and reporting procedures
· Ensure to upgrade and update technical security software
Remember… if you become a victim of a fraud or know someone who has, contact your local police service to report the crime and report it to the CAFC at 1-888-495-8501 or online on the Fraud Reporting System (FRS), even if a financial loss did not occur.