How crooks are getting better at imitating texts, emails from banks

As criminals use emails and texts tophish for people's personal informationin hopes of robbing bank accounts, it's becoming increasingly difficult for the average customer to know what is legitimate communication from their bank and what is not.

"They [scammers] are much better at targeting their audiences now and doing a lot better job of making it look realistic and it becomes very confusing for people," said Sgt. Royce MacRae with the RCMP's Tech Crime Unit in Nova Scotia.

Crooks mimic messages from bank

Brenda and Fernando Afonso learned the hard way how sophisticated these scammers are.

The couple had been using Scotiabank's InfoAlerts service, which sends a text or email to an account holder every time their debit or credit card is used. It's a way to make sure all transactions are legitimate and keep track of any unauthorized use.

Then fraudsterssent messages that looked like they were from InfoAlertsto get into their bank account.

"We were out one day and my husband got a text message saying his bank card had been used and he hadn't used it so he became concerned," Brenda Afonsotold CBC News.

"He logged in to check his account and when he did he was actually logging into a bogus account and they got all of his information."

The fraudsters used the information they had obtained to clean out the $3,000in the Afonsos'bank account.

The Afonsosthought bank insurance would cover their loss,but theywere told Scotiabank would not be replacing the money because they had willingly given out their banking information.

"Who would log into something like that if they knew?" Brenda Afonso asked.

"No person would do that. We did it because we thought it was this bank app that we had been using all along."

Phishingon the rise

Scotiabank spokesman Rick Roth acknowledges phishing is an ongoing problem.

"The number and sophistication level of phishing attacks has increased globally," he told CBC News.

• First there was phishing, now we have 'smishing': Spammers are now texting us

Scotiabank has a highlighted message on the login page of its online banking website stating:

"Scotiabank does not send text messages or emails that ask you for your password for online and mobile banking, Personal Identification Number (PIN) for either your ScotiaCard or credit cards, account numbers for any type of account, answers to your security questions, or access code for adding payees."

Passwordrequest sent to SCENE members

But the situation getsfuzzyfor consumersin light of a recentemailsent toScotiabankcustomers.

The bank is a partner ofSCENE, a program where customers can earn points toward free movies and meals by using their Scotiabank cards.

SCENE sent out an email to its members on March 1, asking them to reset their password to access their account (acopy of the emailis below). The message included a link to reset the password.

A CBC viewer who received the emailwas uncertain whether it was real, so she called the bank and was told it was a scam. However, it turns out the emailwas real.

Whether to click or not click?

Halifax marketing professor Ed McHugh calls it an interesting conundrum for consumers.

"It almost turns into a bit of a double-standard and people don't know whether to click or not click and [wonder] 'What should I do here?'"McHugh said.

• Bank pays up after student scammed out of $3K twice

McHugh says it's easy for consumers to be confused because some of the phishing emails look quite legitimate, with corporate logos and email addresses that appear to be official.

"So you think it looks good and there's their logo. So it will pull some in," he said.

"Fortunately in this case, with Scotiabank, it was a legitimate email from their partner.But if consumers get into that habit of clicking on every mail that looks legit, at some point they're going toget bitten."

'A convenience for members'

Scotiabank sent our inquiry about what McHugh called a "double standard" to SCENE, which defended its email.

"SCENE proactively sent an email to its member base with a suggestion to update passwords online at scene.ca... to help our members keep their accounts safe."

• Credit card scam targets sleepy Canadians with early morning calls

Spokesman Matthew Seagrim said the link to update passwords was included "as a convenience for members," adding response to the email has been encouraging with people commenting they were pleasedwith the suggested password change.

He points out while SCENE was created jointly by Scotiabank and Cineplex, it operates as a separate organization.

Contact bank first before clicking

As for those confused by emails and texts that seem to come from their bank, MacRae's advice is not to respond to anything you receive online before first contacting your bank.

Marketing professor Ed McHugh has a message for the banks.

"Be clear. If you say you'll only send info through your website, don't send it via other means."

And Brenda Afonso has a message for consumers too.

"Don't use a lot of those apps unless you really need to.Go back to basic banking as much as you can and know your account is not insured [when this happens]."