Qtrade Direct Investing


What is “phishing” and how to defend against it

At Qtrade Direct Investing, your security is our top priority. With the evolving threat of cybercrime, we take every measure to keep your account secure and safeguard your confidential information. However, you play a vital role in preventing and reporting unauthorized account activity. If you suspect you’ve interacted with a fake website or received a suspicious message:

  1. Change your password immediately.
  2. Contact us at 1.877.787.2330.

What is phishing?

Phishing is an online crime where victims are deceived into giving sensitive information – such as a username, password, personal information, or banking details – to a disguised attacker. Phishing can also be used to trick victims into downloading malware to enable cyberattacks, using links or attachments in authentic-looking emails, text messages or direct messages on any social media.

How does phishing work?

Deception and fraud through social engineering are the core components of any phishing attack. Because the attacker assumes an identity that you might trust, you are more likely to succumb to their requests. Social engineering principles allow phishing attackers to manipulate a victim’s decision-making. The driving factors of this deception are three-fold:

  1. Trust: By posing as legitimate individuals and organizations, cybercriminals lower their target’s skepticism. Emails, texts and social messaging services, as more personal communication channels, also naturally lower a person’s defenses against threats.
  2. Context: Using a situation that could be relevant to targets allows an attacker to build an effective disguise. The message feels personalized, which helps it override any suspicion that it might be spam.
  3. Emotion: By heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action.

Types of phishing attacks

Each phishing attack uses similar methods, while the presentation may vary significantly. Attackers can use a wide variety of identities and premises to keep these attacks unpredictable and difficult to spot. Here are some common premises of phishing attacks, including those sent by text message (“smishing”):

Financial services phishing

Financial services smishing attacks are masked as notifications from financial institutions. Nearly everyone uses banking and credit card services, making them susceptible to both generic and institution-specific messages. Loans and investing are also common premises in this category. An attacker might pose as a bank or other financial institution for an ideal disguise to commit financial fraud. Features of a financial services smishing scam may include an urgent request to unlock your account, being asked to verify suspicious account activity, and more.

Fraudulent delivery notifications

As online ordering is so commonplace, fraudsters often use receipts or notifications for pending deliveries to encourage you to click a link. The messages may appear to be from a recent purchase, and prompt you to click for tracking information, which could turn out to be malware.

Government impersonation

Criminals use phishing to leverage the reputation of trusted institutions, such as government organizations (and banks, as noted above). They send phishing messages that appear to come from the Canada Revenue Agency, RCMP or Canada Border Services Agency to get victims to share personal information or click on a link.

How to protect yourself from phishing attacks

Once you’re aware of how phishing works, you can protect yourself against many of these attacks. You can keep yourself safe by doing nothing at all – an attack can only do damage if you take the bait. However, email and text messaging are also legitimate means of reaching you. Not all messages should be ignored, but you should act safely regardless.

There are a few things to keep in mind that will help you protect yourself against these attacks.

  • Do not respond. Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation at hand, but you can refuse to engage.
  • Slow down if a message appears urgent. You should approach urgent account updates and limited time offers as caution signs of possible phishing. Remain skeptical and proceed carefully.
  • Call your bank or merchant directly if doubtful. Legitimate institutions don’t request account updates or login info via text. Furthermore, any urgent notices can be verified directly on your online accounts or via an official phone helpline.
  • Avoid using any links or contact info in the email or message that make you uncomfortable. Go directly to official contact channels when you can.
  • Opt to never keep credit card numbers on your phone. The best way to keep financial information from being stolen from a digital wallet is to never put it there.
  • Use multi-factor authentication (MFA). An exposed password may still be useless to a smishing attacker if the account being breached requires a second “key” for verification. MFA’s most common variant is two-factor authentication, which often uses a text message verification code. Stronger variants, such as using a dedicated app for verification (like Google Authenticator), are available.
  • Never provide a password or account recovery code via text. Both passwords and text message two-factor authentication recovery codes can compromise your account in the wrong hands. Never give this information to anyone, and only use it on official sites.

Remember, phishing is a crime of trickery — it depends on fooling the victim into cooperating by clicking a link or providing information. The simplest protection against these attacks is to do nothing at all. If you don’t respond, a malicious message cannot do anything.

A friendly reminder from Qtrade Direct Investing

At this time, Qtrade will only send you a text message for two-factor authentication (2FA) when logging into your account. We will never send you an email or SMS asking for your account details or password.

Remember that Qtrade will never:

  • Ask for your password via email, text or on the phone. When you log in to the Qtrade website and enter your password, we will text you a two-factor authentication (2FA) code to enter.
  • Ask you to transfer money to us or to a third party.
  • Recommend or promote specific stocks, securities, or cryptocurrency.
  • Ask for sensitive personal or financial details by email or text message.

Read more about Qtrade’s security guarantee and find out how we safeguard your personal and financial information.


Online brokerage services are offered through Qtrade Direct Investing, a division of Aviso Financial Inc. Qtrade and Qtrade Direct Investing are trade names or trademarks of Aviso Wealth Inc. and/or its affiliates.

Aviso Wealth Inc. ('Aviso') is a wholly owned subsidiary of Aviso Wealth LP, which in turn is owned 50% by Desjardins Financial Holding Inc. and 50% by a limited partnership owned by the five Provincial Credit Union Centrals and The CUMIS Group Limited. The following entities are subsidiaries of Aviso: Aviso Financial Inc. (including divisions Aviso Wealth, Qtrade Direct Investing, Qtrade Guided Portfolios, Aviso Correspondent Partners), and Northwest & Ethical Investments L.P.

The information contained in this article was obtained from sources believed to be reliable; however, we cannot guarantee that it is accurate or complete. This material is for informational and educational purposes, and it is not intended to provide specific advice including, without limitation, investment, financial, tax or similar matters. Information, figures, and charts are summarized for illustrative purposes only and are subject to change without notice. All investments are subject to risk, including the possible loss of principal.