First in a two-part series
The voice recording could reasonably rattle any unsuspecting person, especially when the call comes from a number legitimately belonging to the Canada Revenue Agency.
“We have registered a criminal case against your name concerning tax evasion and tax fraud,” a computerized voice commonly says. “If we don’t receive a call from you, you will be arrested and will be forced to face the legal consequences.”
Call back the number given in the recording and a person on the other end of the line will tell you the matter is time-sensitive and very serious; unless you act now, the CRA will put a lien on your house, your car and your wages, and police will show up to take you into custody. In case you’re not convinced, the person will say they’re getting the police to call you and the next call you receive will come from a legitimate law enforcement phone number. The calls are legitimate, they’ll tell you. Unless you want to be arrested, pay at least part of the money you owe. Sometimes you will be directed to wire the money to a specific name and postal code; many times you’ll be advised to convert cash to virtual currency and send it that way.
It’s one of the most common scams in the country and the one Royal Newfoundland Constabulary cyber crimes investigators see the most.
“These people know exactly what they’re doing and how to manipulate victims into giving up their money,” says RNC Const. Terry Follett, a computer forensic examiner who investigates cyber crimes.
CRA scams, extortion scams, romance scams, phishing emails — between February and September of this year, the RNC in the St. John’s area alone had 32 cyber scam cases, involving local people between the ages of 20 and 76 who had been conned out of amounts ranging from $250 to $80,000. The total amount lost between them was $363,844. It’s fair to say each of the victims was devastated.
“That $250 could mean as much to one person as $80,000 could mean to another,” Follett said. “A lot of them are embarrassed that they’re out this money, they’re ashamed and they don’t want their family members to know. They sometimes think people would think they’re stupid to fall for something like that, but unless it happens to you and you’re put in a position where these threat actors are on the phone and they’re threatening the police will come to your house and arrest you, you don’t know what you’d do in a situation like that.”
The scammers don’t have to operate by phone to be intimidating. One St. John’s woman told The Telegram she was terrified when she received an extortion email late one night from an unknown address, threatening to kill her and leave her child — who was named in the email — motherless unless she sent Bitcoin to a specific virtual wallet.
“Yes, they knew my child’s name. They knew other personal information, too. You can imagine how frightening that was, getting an email that threatened my life with enough personal details in it to make me think it might be legit.”
The woman didn’t send any money. Instead, she did a search on Google and learned the email was a common extortion scam perpetrated by fraudsters who are good at research. She immediately checked the privacy settings on her social media accounts and realized she had posted photos publicly that contained the information the scammers had used, either in her captions, in the comments her friends had posted, or in the images.
“I never, ever would have thought scammers would do that. How would they find me and target me? I have no idea,” the woman said.
If you’re involved in a lucrative fraud scheme as a full-time job, you do your homework, Follett explained.
“These scammers are good at what they do. They research. If they’re going to target Newfoundland, for example, they will know what government and police numbers they’re going to use and they’ll spoof those numbers to look legitimate. They will go to places like dating sites specifically for (older people), thinking they’ll have more success dealing with an elderly individual than a 20-year-old. These trolls will sit down and go through Facebook and Instagram and social media and they will try to target individuals they think will fall victim to whatever they’re trying to do.”
“Spoofing”phone numbers involves deliberately falsifying the information sent through caller ID display as a disguise, and fraudsters can do it with computer software, Follett said. Many times they’ll use the software to choose random local numbers in an effort to convince recipients to answer the call; it doesn’t mean they have access to the personal information of the people who really own the numbers.
A common extortion email scam, Follett said, involves an anonymous email purporting to be from a hacker who has gained access to the recipient’s phone or computer and has seen intimate videos, web history or emails. They threaten to expose the files online unless the person pays up.
Romance scams often involve a fraudster using a fake identity to meet and chat with an unsuspecting person on an online dating site, earning trust before asking them to help them through a tough financial time.
Phishing emails can look almost legitimate, appearing to come from a well-known company or organization and asking the recipient to click on a link and update their password or payment information.
“Humiliated, that’s what I was,” a St. John’s man told The Telegram of the time he received an email that appeared to be from Netflix, asking him to update his credit card information.
Coincidentally, the credit card he had on file with Netflix at the time had just expired and he had yet to provide the new card, so he thought the email seemed reasonable.
“When I clicked the link and put in the information I realized it didn’t look like a regular process,” he said. "I immediately went into my Netflix account and changed the password and called the credit card company."
A $250 transaction had already been made on his account: a booking for a hotel in Indonesia. The credit card company stopped a second booking from going through after he called and reported the scam and cancelled his card.
The man then went through the process of contacting credit bureaus and putting flags on his files, setting up a password for any future credit requests. He didn’t contact police, he said, since the credit card company refunded the fraudulent charge.
“I felt so embarrassed,” he said. “You always think it can’t happen to you, always someone else. It was the last thing I thought could happen, especially related to Netflix.”
Scammers will disguise themselves as anyone and exploit any situation they feel might work, Follett said. Fraudsters have been known to send emails and text informing recipients of a Canada Emergency Response Benefit (CERB) scam. COVID-19 scams alone have conned almost 4,000 Canadians out of a total of $6.2 million between March and September of this year, according to the Canadian Anti-Fraud Centre.
As of Sept. 30, the total amount lost to fraud in Canada this year was $67.2 million.
Follett predicts cyber scams will get worse, especially as the popularity of virtual currency like bitcoin grows.
The chances of a person getting their money back after they’ve been scammed is uncertain, he said. Right now he’s working with the National Cybercrime Co-ordination Unit in Ottawa — a national police service that works with law enforcement and other partners to reduce the threat, impact and victimization of cyber crime — to determine the next steps in a number of his cases. He has traced the scammers in two cases, tracking one to an organized crime group in Cameroon and another to an individual in India.
The Canadian government has issued warnings and advice on the CRA scam, stressing that CRA employees will never demand immediate payment by e-transfer, bitcoin, prepaid credit cards or gift cards, nor would they leave threatening voicemails, ask for passport, health card or driver’s licence information, or send an email with a link asking for personal information.
“The police are not involved in that type of behaviour,” Follett said. “No legitimate business or company or organization will threaten you like that. Just hang up the phone. If you engage with them, they have a script prepared and will have an answer for everything. If they don’t get any traction from you, they’ll move on.”
Anyone victimized by these scams should report it to police, whether their credit card company refunds them or not. Investigators use the information to learn how fraudsters are operating and the techniques they use, so they can better protect the public.
“We’re not here to judge you,” Follett said. “When you’re coming to the police you’re vulnerable, you’re upset, you’re very embarrassed about what happened to you. We’re here to help you and we’ll do whatever we can to try and identify these individuals that are preying on you.”
Protect yourself from cyber scams — tips from the RNC:
- Do not open emails or attachments from unknown senders.
- Monitor your bank accounts regularly and your credit report at least once a year.
- Do not store sensitive or personal files online or on your mobile device.
- Use strong passwords of at least eight characters and a combination of uppercase and lowercase letters, numbers and symbols. Do not use the same password for mutiple sites.
- Never provide personal information via email.
- Ensure privacy and security settings for social media accounts are set at the highest level.
- Verify the web address of legitimate websites.
- Check to see if your email address has been compromised in a data breach by visiting haveibeenpwned.com.
In Monday's Telegram: what is Bitcoin and how can you prevent a scammer from gaining access to your Smart device?