The name of the Canadian Anti-fraud Centre, a clearing house for police for fraud reports of all types, is being used for a phishing scam.
The centre (CAFC), run by the RCMP, the federal Competition Bureau and the Ontario Provincial Police, discovered earlier this week that a threat actor is sending out emails, claiming to be from the agency, warning that it has received a complaint about the recipient. To see details the recipient is asked to click on a link.
What’s worrisome is that the sender’s email appears to be a legitimate CAFC address. However, people smart enough to read the header information would see the real sender is not from the CFAC.
In addition, the link in the message goes to a site called “mountainbuffalo,” clearly not a CFAC or Canadian government website.
The CFAC quickly sent out a tweet warning people not to fall for the scam. The centre never includes links in email messages.
“Unfortunately, everyone is at risk of being spoofed, whether by phone [in call display] or by email,” Jeff Horncastle, the CAFC’s acting communications and client outreach officer, said in a Friday morning interview.
The centre isn’t an investigative agency, so it can’t say what happens when a victim clicks on the link in the fake email.
However, usually scams like this are after personal information that can be used later for identity fraud. A victim might be asked for their date of birth or Social Insurance number to confirm their identity. Then that information might be used to make counterfeit ID.
It’s not hard for scammers to spoof a company or person’s email address, Horncastle said, which is why it’s important for people to turn on the ability of their email system to display the full header information of senders.
Sometimes the fraudster will only spoof the name of the sender (for example, John Widget), but the email address in the angled brackets following the name will give away that it’s a fake (for example “John Widget <f34349@oxnard.re>” would be suspicious).
In this case The “no-reply[at]antifraudcentre[dot]ca” is one of the CAFC’s real email addresses. However, looking at the header information would reveal the message didn’t really come from the centre.
Header information, which shows who really sent an email, can be accessed in a number of ways. In Gmail, open a message. click on the three vertical dots beside the Reply arrow and choose “Show original.” On Outlook.com, find three horizontal dots and choose “View message source.”
In the desktop version of Outlook, the process is different: Here’s how to do it.
You should also find a way in any email application to enable — if it isn’t there already — a drop-down arrow or menu beside or beneath the sender’s name that will show more detailed information about the real sender’s address.
Email users should regularly check the headers of all senders, not just those in messages that look suspicious, said Horncastle, particularly if the messages contain links. As an extra step, call to confirm the person really has sent that message — but don’t use the email address or the phone number in a message you’re suspicious about.
If the link in the message isn’t detailed, as the one in the CFAC phony message is, hover your mouse under the link and the full URL will show at the bottom of the browser.
So far the centre has received fewer than 10 reports about this fraudulent message, he said.