September 25, 2023
There’s a new scam on the web: Electronic Fund Transfer (EFT) scams. Most are familiar with established scams like phishing and ransomware and the damage they can cause. These and other types of fraud and cybercrime are rampant: reported fraud and cybercrime accounted for $530M in victim losses in 2022 and increased by nearly 40% over 2021 – “historic levels” – according to the Canadian Anti-Fraud Centre. And since only 5% to 10% of fraud is actually reported the numbers are most definitely much higher. The risks of EFT scams are equally great. Here’s a breakdown of the two EFT scams we’re seeing, the risks they entail and three tactics you can implement to help mitigate those risks.
The Scams
Two EFT scams we’re seeing a lot of (or variations of them) right now are:
1. The “Our Payment Information Has Changed” Scam
What happened? You do a big deal with a long-standing customer. As usual, you ship the product. And as usual, you emailed the invoice to your customer. But this time, your customer doesn’t pay. So, you call your customer contact … who tells you they paid the invoice weeks ago with an EFT according to the new payment instructions your CFO emailed to them. Except you don’t have new payment instructions. And your CFO never emailed out any new payment instructions.
How’d it Happen? A hacker got into your email system and lurked there, watching your email exchanges, waiting for an opportunity. When they saw your email exchanges about the big deal, they watched for you to email the invoice. Then they emailed the customer from your – legitimate – email address and told them the EFT payment instructions had changed, providing a new one so they received the payment. Or, in a variation on this, the hacker used a domain name (for example, finance@c0mpany.com) easily confused with yours (finance@company.com) to send the payment instruction changes so their email appears legitimate; the recipient doesn’t notice and misdirects the funds to the hacker.
2. The Online Banking System Scam
What happened? You make new banking arrangements with your long-time financial institution. At some point, you notice that large sums of money have been e-transferred from your account to a number of recipients. But you don’t know who they are. And you’ve never sent an EFT.
How’d it Happen? A hacker got into the CFO’s computer (perhaps via a phishing scam) and installed a “remote access trojan”. The hacker then logged into your online banking program – as if they were you sitting at your keyboard – and e-transferred the funds to someone. The two-factor authentication to confirm via email didn’t help: the hacker controlled the CFO’s email.
The Risks
There are both obvious and not so obvious risks to all sides in each of these EFT scams.
Financial Loss. This is the most obvious risk: the victim – whomever is out the money – loses it. And unless you figure it out and act fast enough, there’s a good chance it’s gone for good. And we’re often not talking small potatoes; the amounts can be significant, ranging from thousands to hundreds of thousands. And really, there’s no limit.
Litigation. Since it’s unlikely the victim – whomever is out of the money – will be able to recover the money from the hacker or recover it before it leaves the fraudulent account, they’ll have no alternative but to sue any others involved to try to recover their loss. That could be, for example, a customer, a supplier, or a financial institution. The lack of clear direction from the courts means that everyone involved has a risk of liability. But win or lose, it’s a time-consuming and costly process in terms of money, time and reputation.
Relationship Damage. If you sue a supplier or customer with which you have a long-standing, solid relationship, you’ll have to figure in the cost of damage to that relationship. For example, if you’re a supplier and you sue a good customer, chances are high that customer won’t be purchasing from you in the future.
Liability. If you’re the one getting sued, you’ll incur the time and cost of litigation regardless of the outcome – but if you lose, you’ll also incur liability for the financial loss.
The Risk Mitigation Tactics
It’s impossible to eliminate completely the risks of EFT scams. And you must ensure you have the necessary cyber-security and privacy systems and breach mitigation plans in place, and investigate with your insurer available insurance coverage for EFT fraud. But there are a few simple tactics you can implement to help mitigate the risks of EFT scams affecting your organization.
Stay Suspicious. Never, ever take an email about an EFT at face value. One – perhaps the main – reason these scams succeed is because the hackers are using an actual legitimate email address or one that appears legit. This distinguishes some of these scams from more routine phishing scams, where a quick glance at the email address and contents can give the scam away. But falling for a phishing email could give a hacker access into your computer system and lead to an EFT scan.
Communicate Clearly. If you receive EFTs, make it very clear to everyone that you will never change your payment instructions or your banking information by an email (and of course, don’t). You can give them this message verbally, and you can also regularly reinforce it with an alert to this effect on the bottom of all emails, your invoices, and on the form on which you provide your electronic payment information to another party. Put them all on notice that they should not act on any email purporting to change your banking information without additional diligence.
Verify by Phone. If you send EFTs, implement a policy to verify the banking information with a telephone call, ideally to a known contact at the recipient, before you hit send. Look up the business, call the main number – never the phone number in the email signature block – and ask to be transferred to the correct person. Similarly, second factor authentication for your bank accounts should never rely on the same means of communication or device that’s used to initiate an EFT. You want to be sure that even if a hacker can initiate the transfer from a hacked device, they can’t also confirm it.
Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection & Cyber Security Team @ McInnes Cooper to discuss how you can mitigate the risks of EFT fraud.
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2023. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.
Oct 29, 2024
On September 9, 2024, a unanimous Federal Court of Appeal decided consent is to be determined on an objective standard. In an unusual move, in…
Aug 15, 2024
On June 21, 2024, the Supreme Court of Canada concluded – decisively - that the Canadian Charter of Rights and Freedoms applies to protect the…
Jul 16, 2024
The Canadian Security Intelligence Service (CSIS) has been looking for a new production order power; it’s on its way. The role of CSIS is to…
Jun 26, 2024
An increasing number of municipalities in Canada are using public video camera surveillance to promote public safety and help deter crimes like…
Jun 20, 2024
On April 30, 2024, the Ontario Divisional Court decided the victim of a serious cyber security incident was required to produce to privacy…
Apr 30, 2024
Bill C-63, if passed, will create the hotly anticipated Online Harms Act to regulate certain online platforms, create new Criminal Code of…
Mar 14, 2024
On March 1, 2024, the Supreme Court of Canada decided a police request for disclosure of an IP address is a “search” under section 8 of the…
Dec 15, 2023
Over four years after it began, the federal government still hasn’t finalized its overhaul of the private sector privacy law regime that both…
Jun 9, 2023
You arrive at the legendary Madison Square Garden to catch the Mariah Carey concert. It’s the big event of the trip – the reason you came to…
Apr 27, 2023
The benefits to employees, and often to employers, of remote work has made it a staple of today’s workplace. But the move to remote work…
Feb 1, 2023
On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings requiring companies using targeted…
Jan 26, 2023
In November 2022, the Ontario Court of Appeal definitively decided an organization whose information systems are breached by a malicious third…
Jul 20, 2022
There’s a new privacy law coming to Canada. In June, the federal government introduced a complete overhaul of the privacy law regime that both…
Jun 30, 2022
On June 16, 2022, the federal government took a second shot at a complete overhaul of the private sector privacy law regime that both protects…
May 2, 2022
On April 14, 2022, the New Brunswick Court of Appeal released its decision in Royal Bank of Canada v. Estate of Susan Lynn Williams, revisiting…
Dec 16, 2021
Updated October 7, 2024. The name of the game is to have a plan to mitigate the risk that a data breach will happen – but be ready when it…
Aug 5, 2021
On July 28, 2021, the Supreme Court of Canada issued a decision protecting the status of the Companies’ Creditors Arrangement Act (CCAA) as a…
Jan 26, 2021
Updated March 4, 2022. Privacy is critical to every business in every sector, including startups and growing businesses: to comply with the…
Nov 19, 2020
We updated this publication on June 30, 2022. NOTE: On June 16, 2022, the Government of Canada introduced Bill C-27: Digital Charter…
Oct 5, 2020
On October 2, 2020, the Supreme Court of Canada clarified the existence and application of the anti-deprivation rule in Canadian bankruptcy law.…
Jun 12, 2020
The financial technology (Fintech) industry uses technology to support and enhance financial and banking services.
May 11, 2020
The Supreme Court of Canada recently released a much-awaited decision regarding the Companies’ Creditors Arrangement Act (CCAA). The CCAA is…
Jun 26, 2019
Information disclosure is a key theme that emerges from Canada’s new cannabis regulatory regime: the government wants lots of information from…
May 21, 2019
Updated July 10, 2024. If you “own” a company incorporated under either the Canada Business Corporations Act or under the corporate…
Mar 28, 2019
Organizations subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – those that collect, use or…
Feb 20, 2019
On February 14, 2019, the Supreme Court of Canada decided yet another criminal law decision that will likely have broader ramifications for…
Dec 19, 2018
On December 13, 2018, the Supreme Court of Canada confirmed that a third party can’t waive a person’s right to privacy or their rights under…
Aug 20, 2018
Updated July 8, 2024. Every organization subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA, soon to…
Aug 3, 2018
Updated June 28, 2024. As of November 1, 2018, organizations in Canada subject to the Personal Information Protection and Electronic…
Jun 13, 2018
Updated September 26, 2024. Businesspeople (and their legal counsel) are on the road more than ever before: according to Statistics Canada,…
Jan 12, 2018
Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to…
Dec 22, 2017
Blockchain technology has already been a transformative force in a number of sectors. Its most prominent use to date has been as the…
Oct 31, 2017
On October 27, 2017, the Supreme Court of Canada confirmed that a bank that pays out on a fraudulent cheque has the protection of section 20(5)…
Aug 28, 2017
Recently, the Federal Court of Appeal confirmed that a tax debtor’s bankruptcy does not extinguish the federal Crown’s priority to proceeds…
Aug 16, 2017
In the not-so-distant past, Canadian enforcement of its anti-corruption and anti-bribery legal regime has been relatively laid-back. But the…
Jun 28, 2017
On June 28, 2017, the Supreme Court of Canada confirmed a Canadian court can issue an interlocutory injunction (an order requiring an entity or…
Jun 23, 2017
On June 23, 2017, the Supreme Court of Canada decided that in a contest between the choice of forum clause in Facebook’s online terms of use…
Jun 7, 2017
On June 7, 2017, the federal government repealed the regulations that would have brought into effect the sections of Canada’s Anti Spam…
Apr 21, 2017
In three years (lightning speed in the law), medically assisted dying went from being illegal to being legal. A great deal has changed, a great…
Feb 24, 2017
Updated January 29, 2024. Most organizations (72%) store the personal information of customers. employees, suppliers, vendors or partners,…
Jan 25, 2017
Doing business with the public sector creates an often overlooked – but very real – risk that the confidential information a business…
Nov 22, 2016
On November 17, 2016 the Supreme Court of Canada decided a mortgagee has the mortgagor’s implied consent to disclose its discharge statement…
Jun 30, 2016
The condo real estate market, both retail and commercial, is hot. But condo developers and unit buyers need funding. Here’s the legal…
Mar 24, 2016
When a business responds to a public sector Request for Proposal or Expression of Interest (both of which we’ll refer to as an RFP for these…
Jan 27, 2016
On January 21, 2016, the Ontario Superior Court of Justice dramatically expanded the scope of legal privacy protection – and the liability…
Mar 30, 2015
Hindsight is 20/20. Lawyers can’t always predict the outcome of a legal claim. But when a dispute between an investment client and their…
Mar 25, 2015
On March 3, 2015 Canada’s Privacy Commissioner determined that Health Canada breached privacy laws by mailing letters to over 40,000 Marihuana…
Mar 6, 2015
On March 5, 2015, the Canadian Radio and Television Commission (the CRTC, the main agency charged with administering and enforcing most of CASL)…
Dec 11, 2014
On December 11, 2014 the Supreme Court of Canada continued its trend to recognize privacy rights – and develop the law to protect them –…
Dec 11, 2014
On January 15, 2015, the software provisions of Canada’s Anti-Spam Legislation (CASL) will take effect. CASL’s anti-spam sections, touted…
Dec 1, 2014
The construction industry - project owners, contractors, subcontractors and trades - might be relaxing, ignoring the hype around Canada’s…
Oct 14, 2014
CASL’s anti-spam sections came into force on July 1, 2014. Every organization that CASL affects should now be complying with it – and their…
Aug 1, 2014
Most Canadians have heard about Canada’s Anti-Spam Legislation (CASL): we’ve been bombarded with “CASL Compliant” emails asking us to…
Jun 16, 2014
On June 13, 2014 the Supreme Court of Canada decided that Canadians have a reasonable expectation of privacy in their online activities, and…
Jun 12, 2014
The countdown to CASL is almost over: there are only 13 business days until the anti-spam provisions of CASL – and most of the penalties for…
May 8, 2014
On July 1, 2014 – less than two months from now - the anti-spam sections of Canada’s Anti-Spam Legislation (CASL) take effect. Individuals…
Apr 29, 2014
Lenders are often faced with a situation where a customer (Borrower) approaches them for funds to complete an acquisition of the shares of a…
Apr 15, 2014
The countdown to CASL is on: on July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (“CASL”) take effect. Individuals…
Feb 28, 2014
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) will take effect. CASL is: Broad. It applies…
Feb 28, 2014
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) take effect. CASL will apply to just about every…
Nov 8, 2013
On November 7, 2013, the Supreme Court of Canda decided police require specific authorization in a search warrant to search the data in a…
Aug 28, 2013
Updated June 5, 2024. A general security agreement (GSA) is the most common form of personal property security to secure commercial loans and…
Nov 28, 2012
On October 19, 2012 the Supreme Court of Canada (SCC) decided a teacher criminally charged with possession of child pornography and unauthorized…
Subscribe to McInnes Cooper to stay current with our leading insights on legal updates, trends, news, events, and services.