Perspectives: How to avoid the latest online scams

Stephen Meurice: I'm going to give you a scenario. And unfortunately, it’s not that uncommon. It might even happen to a loved one or a parent. They’re minding their own business, browsing on their computer. Say, looking up the right mix of oil and gas to use in their chainsaw, as one does.

Louise Dandonneau: As one does, because it's a real-life example. I know someone that it’s happened to, right?

SM: That’s our guest today, cybersecurity expert, Louise Dandonneau.  
   
LD: So, off happily browsing and boom, here comes that big splash on the computer. You've been infected. 

SM: Luckily, there’s a phone number — a support line for a big, reputable tech company they recognize. They call and the person on the line is polite and calm.  

LD: That’s right. They're kind and helpful until they're not. 

SM: That’s because the computer isn’t actually infected and you’re not actually talking to who you think you are. It’s a scam. Soon the so-called ‘tech support expert’ says they can fix the computer remotely. For a price.

LD: Yep. And they're going to ask you to go purchase gift cards and read the number. 

SM: The fraudster might even stay on the line while their victim goes to a local drug store to buy the cards. Next thing you know, your parent or loved one might be out hundreds of dollars. And it's not their fault. Scammers are getting increasingly sophisticated.  

LD: They’ve gotten good and they’re getting better. What’s new? AI. 

SM: Louise is the Vice President of Cybersecurity Operations at Scotiabank. She’s here this episode to run down the latest in cyber fraud, including the gift card scam. Because for many folks they not only need to remain vigilant to protect themselves, they’re also looking out for a parent and maybe even kids who are just starting to get online. Louise will help us brush up on the latest scams as well as give some tips to protect your loved ones from becoming victims. I’m Stephen Meurice and this is Perspectives. 

Louise, welcome to the show. Thanks for coming.

LD: Thank you for having me.

SM: So today we are going to talk about cyber scams and maybe some ways to avoid them. But can you maybe give us a quick lay of the land? It seems like cyber scams are on the rise, or at least they're getting more sophisticated. Can you give us a quick snapshot of what the landscape looks like?

LD: Yep, anything that you can do with a computer is basically what falls under the whole mandate or mantra of cybercrime. So that's really today's topic about how we can defend or how people can spot and defend against those kinds of things. So phishing, it's a big one. The one that comes through email, the one that the famous coffee chains send you, free gift cards or free money. 

SM: Trying to get you to click on a link.

LD: Absolutely. Absolutely. It's all of those things. Like click on a link and then send you to a site that looks really, really, really legitimate. And so that's the big one. I think IBM had some statistics that said something in the neighbourhood of like 40% of all cybercrimes right now, at least up until 2024, fit into that category. So it's the most common. It's the easiest. And quite frankly, for the bad guys, it's the cheapest one to do as well with the highest return. So the goal there is a couple of things. They're either going to get you to enter your information into a website and steal it. So in the banking space, this is where the actors are going to try and steal your login credentials in order to essentially move money out of your account. There's also the possibility of delivering malware or malicious software onto your computer. And that, the possibilities are endless. They're going to try and encrypt your data, which is basically they're going to try and scramble it so that you can't access it anymore. And then from there, you're basically going to have to pay an extortion or a fee to get your data back. So, think about your pictures. How many of us have pictures on our computers now that you don't keep in a photo album in the basement? All gone.

SM: So you hear about those types of scams, sort of extortion scams essentially, where they're blocking you from being able to access your own data. But the big cases that you hear even like things like companies, municipalities get hit with those. Are individuals being targeted for that kind of thing as well? People being extorted on an individual basis.

LD: Yeah, it's both. But the one that I think is common when it comes to the scam front is your browsing. You’re minding your own business. You're looking up the gas and oil mix for your chainsaw.

SM: [laughs] As one does.

LD: As one does, because it's a real-life example. I know someone that it’s happened to, right. So off happily browsing and boom, here comes that big splash on the computer. You've been infected. Call Microsoft.

SM: So those are pop up ads that would just come onto screen as you’re browsing.

LD: That they're just like random drive bys. 
 
SM: And let me guess, that number is not actually for Microsoft, it’s a scammer.

LD: Yep. And they're going to ask you to go purchase gift cards and read the number.

SM: So this is a type of scam I’ve heard a lot about where the scammers who sound very convincing say something like, “Okay you’ve been infected, we can clear this off your system. You owe us X amount and can you please pay us in gift cards?” 

LD: Yep. 

SM: Like Google gift cards or Apple gift cards from the grocery store. And sometimes they actually stay on the line while you go and buy them. 

LD: Yeah that’s right. 

SM: So general rule of thumb — if anyone ever asks you to buy gift cards, that’s a good time to hang up. 

LD: Absolutely.

SM: Like nobody legit is ever going to ask you to buy go buy gift cards.

LD: Well, no. Your outstanding balance on a bill is not going to be with gift cards. It's just not.

SM: Don't do it.

LD: Don't do it.

SM: Okay. And so is there anything out there that's that you hear about that is surprising you now? Are there new approaches to this kind of fraud that you hear about, or do they tend to be the same ones that come up over and over again?

LD: They've gotten good and they're getting better. What's new? AI. Once upon a time with those emails, it's like, ‘Hi, insert name.’ And I'm like, ‘Well, I'm not an insert name haha.’ But now AI is able to write really convincing emails for people. And also now what's happening is that people are getting phone calls saying that, you know, perhaps one of their loved ones has been taken.

SM: Right.

LD: Pay us money.

SM: Right. And increasingly they use AI or machine generated voices to duplicate the voice of a grandchild or have a picture or whatever. Using available, again, stuff that people put online. 

LD: Yeah.

SM: Yeah. You talked about sort of the phishing scams and the online scams, but the phone scams are pretty prevalent as well. 

LD: Yeah. And they're still huge. Yeah. You know, and the categories: phishing – email. Smishing - SMS or text messaging. The phone companies or the phones are doing a good job at detecting incoming spam and sending it to an area that you don't see, which is really great. But you're still getting those phone calls and not all of them say spam. So we say, ‘Oh don't forget, you know, like if you get a call from your bank, don't forget to hang up and call them back at the number that's on the back of the card. 
 
SM: Right. And there’s another type of scam called spear phishing. What's that?  

LD: Ooh. Spear phishing is direct. So, spear phishing is someone who's going to look at your Facebook, your LinkedIn, look at all of the data that you've put on there. Like, so say I go on vacation and I've posted all over Facebook where I've been, where I’m at, what's going on. Next thing you know, I'm starting to get these emails, ‘Hi, Louise, it was so nice to see you at blank resort that you were just at. Remember me? We met in the coffee line at X resort and this and that.’ And that's all based on data that I've put out there on my own.

SM: Right.

LD: And so, they’ve become really, really, really specific with the data because they just use the information that's on Instagram and Facebook.

SM: Right. So instead of casting a super wide net, like the phishing people would, they're looking for people that they can target individually. 

LD: Yeah. Yeah, that's right.

SM: Okay. I think probably a lot of people listening to us today, maybe they have older parents who they're worried about, you know, in terms of what they're doing online and potential victims of scams, but also kids who are always online themselves and can be targeted for a variety of reasons. Let's look at both of those separately. In what ways are older people specifically targeted for cyber fraud? And then after that, we can talk about how do you help them avoid it? What should you be telling your older parents?

LD: Yeah, I'd say three main ways from an older population point of view that's happening. So specific traditional phish, they're getting an email. The thing with the email is that there's like an immediate sense of urgency. There's danger that's associated to it, do this or else. There's the phone calls. They're getting a lot of phone calls. It's happening at a time when they're perhaps alone and they're very, very convincing. Like they're kind and helpful until they're not. And then they start to apply pressure and start to really lean into that level of urgency and pushy-ness. And then the third one really is like they're being extorted through either phone or email to say that one of their loved ones is in danger and has been taken and that they need to do something immediately. 
 
SM: Right. If you've got an eighty-year-old mother who's a widow and she's at home, you know, would seem to be a prime target for this type of thing. What do you tell her or how do you help her avoid these kind of scams?

LD: I think the biggest piece of advice is that there's no shame. There's no shame in asking a question. I think a lot of people that fall victim to these types of circumstances are afraid to ask for help or are afraid to second guess. They doubt their ability with the technology. I've heard it from my own family, right, ‘I know nothing about computers.’ Well you know enough to question. And there's no shame in questioning. There's no problem with questioning. You know, I think anyone who's a family member would rather that you did question. Like, ‘Hey, you know, I got this email. It seems too good to be true.’ Or, ‘Hey, I got this and it seems threatening. What would you do?’ And the other is like, if you don't want to ask, just take a minute. Walk away. Pause before you reply or before you click on the link.

SM: Yeah. So it seems mostly about like, slow things down. 

LD: Yeah. 

SM: Like people might try and pressure you, but just say, ‘I'm going to go look up that number and I'll call you back at, you know, whatever company you purport to be from.’

LD: Yep, exactly.

SM: From the CRA or as you say from the bank, call the number back on the back of the card or whatever. So slow down. Ask somebody for help is one thing. And I've heard about in terms of like the phone scams, you know, the machine generated voice duplicating things, a suggestion that families should have like a safe word or something that they could use to help identify whether that is the real person that they say they are on the other end of the line.

LD: It's kind of like back to the old days, right? You know, when you used to have people go pick up kids at school and you were like, ‘Unless they gave you the safe word, you know, don't go with person X.’ We're kind of back to that. But in an online kind of way.

SM: So we were talking about kids as being used to help target elderly folks. But younger people, I imagine, are targeted as well. Maybe not always for exactly the same reasons. But, you know, online safety is a huge issue for parents in terms of their own children. In what ways do you see kids targeted? And again, how do you give yourself some peace of mind around that?

LD: So, look, [in joking voice] get rid of social media everywhere. And I would be happy or turn off the Internet also. 

SM: [laughs]

LD: And then reality of life, right? Like that social media driver is a really big challenge. And I think one of the things that we don't talk enough about is educating people on what the settings are on some of those platforms. How many people do you know that have kids that are online and they're no longer on like kids YouTube version anymore. Or it's just more convenient to let them browse on the other side because you're forever putting in the parental pin or whatever, right? The reality is, is that the generation that's out there now is the generation that's had a device in their hands since the beginning. So they're really, really good at it. But we don't talk about things that they could do to restrict certain capabilities, make their profiles private, what it means when it's private, what it means when it's not. What it means when you have people that message you. And in some ways, it's like just going right back to the basics, right? So, I think there is really about conversations, about informing yourself, monitoring, being open about what kind of online usage there is. But kids aren't being scammed so much, right. They're not having to go to Shoppers or wherever to buy gift cards.

SM: Yeah, I mean, as a rule, kids don't have a whole lot of money, so maybe not for financial purposes, maybe not the best targets. Although like, I guess, I mean, with gaming and so on, I don't know, maybe their parents do provide them access to a credit card because there's in-app purchases that they can make.

LD: Yep, sometimes.

SM: So there probably are some financial ways in which kids are targeted. What kind of advice do you give? Is it again, really, it's just about monitoring and educating yourself about what the risks are?

LD: It's discussion, right? Like, I don't like the idea of over monitoring, but like, you can’t be blind about it. You can't be willfully blind to it.

SM: All right. Can you sum it up in one sentence? What should people be thinking about to avoid becoming a victim of a scam?

LD: Stop, think, pause.

SM: Right. It’s always, ‘slow things down.’

LD: Just slow down. Just slow down and ask questions.

SM: We'll leave it there. Louise, thank you so much for coming on the show. Really appreciate it.

LD: It's my pleasure. Thank you for having me.

SM: I’ve been speaking with Louise Dandonneau, the Vice President of Cybersecurity Operations at Scotiabank.