Canadian Anti-fraud Centre Name Used In Phishing Campaign

Share post:

The name of the Canadian Anti-fraud Centre, a clearing house for police for fraud reports of all types, is being used for a phishing scam.

The centre (CAFC), run by the RCMP, the federal Competition Bureau and the Ontario Provincial Police, discovered earlier this week that a threat actor is sending out emails, claiming to be from the agency, warning that it has received a complaint about the recipient. To see details the recipient is asked to click on a link.

What’s worrisome is that the sender’s email appears to be a legitimate CAFC address. However, people smart enough to read the header information would see the real sender is not from the CFAC.

In addition, the link in the message goes to a site called “mountainbuffalo,” clearly not a CFAC or Canadian government website.

screenshot of phishing letter impersonating the Canadian Anti-fraud Centre
Screenshot of phishing message pretending to be from the Canadian Anti-fraud Centre

The CFAC quickly sent out a tweet warning people not to fall for the scam. The centre never includes links in email messages.

“Unfortunately, everyone is at risk of being spoofed, whether by phone [in call display] or by email,” Jeff Horncastle, the CAFC’s acting communications and client outreach officer, said in a Friday morning interview.

The centre isn’t an investigative agency, so it can’t say what happens when a victim clicks on the link in the fake email.

However, usually scams like this are after personal information that can be used later for identity fraud. A victim might be asked for their date of birth or Social Insurance number to confirm their identity. Then that information might be used to make counterfeit ID.

It’s not hard for scammers to spoof a company or person’s email address, Horncastle said, which is why it’s important for people to turn on the ability of their email system to display the full header information of senders.

Sometimes the fraudster will only spoof the name of the sender (for example, John Widget), but the email address in the angled brackets following the name will give away that it’s a fake (for example “John Widget <f34349@oxnard.re>” would be suspicious).

In this case The “no-reply[at]antifraudcentre[dot]ca” is one of the CAFC’s real email addresses. However, looking at the header information would reveal the message didn’t really come from the centre.

Header information, which shows who really sent an email, can be accessed in a number of ways. In Gmail, open a message. click on the three vertical dots beside the Reply arrow and choose “Show original.” On Outlook.com, find three horizontal dots and choose “View message source.”

Screen shot of Gmail showing three dots for accessing a special menu
Find and click on the three dots beside the Reply arrow ….
Screen shot of Gmail menu
… and click on “Show original”

In the desktop version of Outlook, the process is different: Here’s how to do it.

You should also find a way in any email application to enable — if it isn’t there already — a drop-down arrow or menu beside or beneath the sender’s name that will show more detailed information about the real sender’s address.

Screen shot showing arrow that will lead to real message sender's address
Clicking on the arrow will also show message header information

Email users should regularly check the headers of all senders, not just those in messages that look suspicious, said Horncastle, particularly if the messages contain links. As an extra step, call to confirm the person really has sent that message — but don’t use the email address or the phone number in a message you’re suspicious about.

If the link in the message isn’t detailed, as the one in the CFAC phony message is, hover your mouse under the link and the full URL will show at the bottom of the browser.

So far the centre has received fewer than 10 reports about this fraudulent message, he said.

The post Canadian Anti-fraud Centre name used in phishing campaign first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

London hospitals cancel over 800 operations after ransomware attack

NHS England disclosed today that a recent ransomware attack on Synnovis has led to the cancellation of hundreds...

Microsoft cancels universal Recall release in favor of Windows Insider preview

Microsoft has decided to cancel the wide release of Recall, the controversial tool for Copilot+ PCs, and instead...

Cyber Security Today, Week in Review for week ending Friday, June 14, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, June 14th,...

Cyber Security Today, June 14, 2024 – Employee downloaded a file that led to hospital chain’s ransomware attack

An employee downloaded a file that led to hospital chain's ransomware attack Welcome to Cyber Security Today. It's Friday...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways