Frequently asked questions about phishing

Q. What do I do if I’ve answered a fraudulent e-mail?

A. If you believe you may have responded to a fraudulent e-mail, change your AccèsD password immediately.

To do this, log on to AccèsD and click on User file in the upper right-hand corner of the AccèsD header, and then on Change password in the left-hand menu. If you notice any unfamiliar transactions in your account, contact your Caisse or call the following number immediately:

1-866-779-COOP (1-866-779-2667)

Monday – Friday: 4pm – 9pm
Saturday – Sunday: 8am – 8pm

If it concerns your MasterCard account, contact MasterCard customer service:

1-800-561-7849

Also contact credit agencies such as Equifax (1-800-465-7166 or 514-493-2314) and TransUnion (1-877-713-3393 or 514-335-0374), so they may add a note in your file alerting credit grantors that you may have been the victim of fraudulent activity.

Q. What is phishing?

A. Phishing is the practice of sending fraudulent e-mails that ask recipients, under various pretexts, to update their banking or personal information by clicking a link directing them to a phony Website. Pirates then collect the information provided and use it to make fraudulent transactions. The phony Websites, just like the e-mails, appear to be authentic, often because they are exact copies of financial institutions’ or companies’ Websites.

For example, after clicking on a link or attachment in the e-mail, users are taken to a dummy AccèsD logon page where fields have been added to collect their personal information under false pretences (debit card number, AccèsD password, social insurance number, date of birth, etc.).

The term “phishing” is a variation on “fishing”, in the sense that it is done on a large scale in the hope that someone will take the bait and supply the personal information requested. The term was inspired by the bad spelling of the first phishing attempts.

Q. What is my Caisse doing to prevent phishing?

A. Your Caisse has implemented active surveillance to ensure a quick reaction if fraudulent e-mail is detected.

In addition, your Caisse scrutinizes each e-mail you submit because you believe it may be fraudulent.

Q. Why am I constantly receiving fraudulent e-mails?

A. Scam artists may have obtained your e-mail address from a variety of sources.

  • They may have used a spam mailing list on which your address is listed with or without your consent. (These lists are sometimes created from online contest entries. Always be sure to check out the legitimacy of a company before you enter their online contest.)
  • They may have obtained your address via spyware installed without your knowledge on your PC. (Make sure your computer is protected against spyware.)
  • They may have created hundreds of thousands of e-mail addresses randomly by combining first and last names and known domain names, one of which happens to be your personal e-mail address.

Once scam artists find an e-mail address that works, they may be tempted to send e-mails to that address over and over again.

Though phishing is generally associated with e-mail, some computer criminals use the phone as well. In this case, pirates call victims on the phone and pose as a financial institution employee, an investigator or a police officer.

Q. How can I tell that an e-mail is fraudulent?

A. You must be extremely careful, because the scam artists use the colours and logos of legitimate sites to make the e-mails look real.

Don’t assume that you’d be able to recognize a fraudulent e-mail right away. Earlier phishing attempts involved badly-written e-mails and amateur page layouts, but today’s phony e-mails are much sleeker and professional-looking.

To differentiate a phishing e-mail from a legitimate one, pay specific attention to the content of the message, instead of to the attached security features. Most of the time, these logos, signatures, security elements and backgrounds are counterfeits that are identical to the originals.

Here are some characteristics of fraudulent e-mails:

  • The e-mails urge you to act quickly under the pretext that:
    • You are a finalist or winner of an official contest (e.g.: “The Caisse pays your taxes!” contest).
    • Your account may have been subject to unauthorized access (e.g.: a time and IP address may even be provided).
    • You must update your personal information or your account will be frozen or deleted.
    • Your account was used for fraud and you will be held accountable.
    • You must sign up for a Caisse online security feature (e.g.: AccèsD Safe).
    • A simple accounting error has been made and corrected (in this case, you are not asked to do anything except click on a link to a phony Website).
  • The e-mails contain a hyperlink leading to a phony AccèsD site.
  • The e-mails are often signed with the name or the logo of a security division.
  • Some of the e-mails contain attached files.

Your Caisse will never contact you by e-mail for any of these reasons or with any of these elements. Your Caisse does not solicit members for personal and confidential information by e-mail. If you receive an e-mail like this, do not answer.

To send us information about an e-mail you’ve received and believe to be fraudulent, forward the e-mail and site address to us at phishing@desjardins.com. Please note that you will receive an automated response only to e-mail sent to this address. Caution: do not include confidential information such as an account number or PIN. For assistance, contact an AccèsD Services advisor at 1-866-779-COOP (1-866-779-2667), Monday to Friday, 4:00 p.m. to 9:00 p.m. and Saturday and Sunday, 8:00 a.m. to 8:00 p.m.

Q. Could I have visited a fraudulent site without first receiving an e-mail?

A. In order for attempted phishing to be successful, fraud artists have to create a phony Website on the Web.

If you use a recognized search engine (e.g.: Yahoo, Google, MSN, etc.), you may come across phony AccèsD Websites in your search results.

The Caisse always takes immediate action to shut down these fraudulent sites, but sometimes a few minutes or a few hours may go by before the appropriate authorities and ISPs can act.

Never go to AccèsD via a search engine. Always type www.caissealliance.com in your address bar and click on the AccèsD link.

Q. The e-mail states that my AccèsD account is about to expire. Is this possible?

A. No, your account and the AccèsD service on which you make online transactions do not have an end date and cannot expire. Only you can decide to close your account or stop using the service.

Q. What should I do if I receive an e-mail I believe to be fraudulent?

A. If you receive an e-mail asking you to update your personal information (debit card number, AccèsD password, social insurance number or date of birth) under the pretext that your AccèsD account is about to expire or for any other reason, do not respond to the e-mail, click on the link displayed or open any attachment.

Send the e-mail and site address to us at phishing@desjardins.com. Please note that you will receive an automated response only to e-mail sent to this address. Caution: do not include confidential information such as an account number or PIN. For assistance, contact an AccèsD Services advisor at 1-866-779-COOP (1-866-779-2667), Monday to Friday, 4:00 p.m. to 9:00 p.m. and Saturday and Sunday, 8:00 a.m. to 8:00 p.m.

Q. Should I be concerned about the security of the personal information I’ve provided to my Caisse?

A. No. There are security measures in place to prevent scam artists from being able to access the Caisse computer systems. That’s why they are attempting to obtain your access code, password, social insurance number, and birth date through phishing rather than through our systems. The Caisse Website is secure and your personal information will remain confidential.

Q. Can I protect myself against phishing attempts?

A. Unfortunately, it is likely that you may occasionally receive fraudulent e-mail appearing to have been sent by Desjardins or other financial institutions.

Your best protection is to stay vigilant:

  • Never respond to an e-mail requesting personal information, regardless of who the sender is.
  • Never click on a link inside an e-mail to log on to AccèsD or any other transactional site requiring an access code or password.
  • Never open e-mail attachments if you don’t know the sender.
  • Always access the AccèsD or AccèsD Affaires logon page from your browser using the www.caissealliance.com address.
  • Look for a closed padlock in your browser’s status bar, ensuring you are in a secured online environment. Also make sure the address displayed has an “s” in “https”. You should also be able to view the site’s digital certificates by double-clicking on the little closed padlock in your browser’s status bar.

Also ensure your personal computer is adequately protected.

To find out more, see How to protect yourself.

Q. What can scam artists do with my personal information?

A. Once scam artists have your debit card number and password, they can access your account and make money transfers from your account. The money is usually sent to an accomplice. If they also have your birth date and social insurance number, they can also steal your identity and use it to request credit cards, loans or lines of credit in other financial institutions.

Q. Is the Caisse the only financial institution targeted by phishing?

A. Not at all. Phishing is increasingly practiced throughout the world, principally against financial institutions.

Q. How do I forward a fraudulent e-mail?

A. To ensure we get all the information we need about the fraudulent site, please forward both the e-mail and the site address in the following way:

  1. In the body of the e-mail, place your cursor over the link leading to the fraudulent site.
    Example: https://caissealliance.com
  2. Click on the right button of your mouse and select “Copy shortcut” (wording may differ).
  3. From your e-mail software or site, click on “Forward”.
  4. In the top part of the message, click the right-hand button of your mouse and click on “Paste”.
  5. Enter the address phishing@desjardins.com and send.

To find out more, see Online security.