Cybersecurity and Fraud – Helping Clients Protect Themselves
Clients can fall victim to fraud and identity theft as a result of attacks from outside a financial organization. Often, a compromised client may not know that their personal or login information was stolen.
Cyber attackers and fraudsters seek to harm clients by using fraudulently obtained client information to conduct unauthorized transactions or steal information or assets from clients' accounts at a financial firm.
Types of incidents and attacks
These are some of the ways we have seen compromised clients being attacked at financial firms:
Social engineering attacks
A malicious actor can deceive an advisor or an employee of a firm into sharing sensitive client information, transferring client funds, or conducting unauthorized trades in a client account by presenting themselves as the client or someone authorized to act on behalf of the client. These attacks can involve several different media including but not limited to email, phone calls, text messages and messenger services.
Fraudulent account openings and account intrusions
An attacker can use fraudulently obtained personal information about a client to:
- create an account for a client at the firm, and even fund the account from fraudulently obtained banking information in order to conduct unauthorized trades
- hack into an existing client's account at a firm and steal assets or conduct unauthorized trades in the account.
Online trading divisions and Order Execution Only (OEO) firms are generally on guard for such incidents. Given the increase in pandemic-related cybersecurity attacks and the significant increase in account openings since the pandemic began, OEO firms remain extra vigilant and cautious about such incidents.
Credential stuffing
This is a type of cyberattack where stolen login credentials are used to gain unauthorized access to client accounts through automated login requests against a firm's online applications. These login credentials were typically included in lists of usernames and passwords that were most likely stolen from a data breach that occurred elsewhere. Since many people tend to use the same username and password combination across different websites and applications, these types of attacks can often be successfully used to hack into a client's account at their financial firm.
Clients should protect themselves from potential online fraud by implementing the following:
- do not share login credentials or personal identification information with anyone or any application or website unless they have personally and independently verified the request
- do not use public wireless networks
- set up multi-factor authentication for their computers
- create strong passwords
- notify their financial firm if they suspect they are a victim of identity theft or fraud
Helpful Links and Resources
- IIROC Brochure (pdf)
Covid-19 and Cybersecurity – Tips for Investors
- Learn about the potential risks of your online activities and how you can stay safe when you are connected.
- Get Cyber Safe is a national public awareness campaign created to inform Canadians about cyber security and the simple steps they can take to protect themselves online.
Get Cyber Safe
- The Canadian Centre for Cyber Security (Cyber Centre) is Canada's authority on cyber security. The Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public.
Canadian Cyber Security Center
- CyberSecure Canada is a federal cyber certification program that aims to raise the cyber security baseline among small and medium enterprises (SMEs) in Canada, increase consumer confidence in the digital economy, promote international standardization and better position SMEs to compete globally.
Cyber Secure Canada
- This includes ongoing and future efforts to protect Government of Canada systems, to extend our network of partnerships to help protect critical infrastructure, and to help Canadians to be safe online.
National Cyber Security Strategy