Phishing - FAQ

  1. What is phishing?
  2. What is Desjardins doing to address phishing?
  3. Why am I constantly receiving this kind of e-mail?
  4. How can I tell that it's a fraudulent e-mail?
  5. Could I have visited a fraudulent site without first receiving an e-mail?
  6. The e-mail states that my AccèsD account is about to expire Is this possible?
  7. What should I do if I receive an e-mail I believe to be fraudulent?
  8. What should I do if I have responded to such an e-mail?
  9. Should I be concerned about the security of the personal information I've provided to my caisse or VISA Desjardins?
  10. Can I protect myself against phishing attempts?
  11. What can scam artists do with my personal information?
  12. Is Desjardins the only financial institution targeted?

1. What is phishing?

Phishing is the practice of sending fraudulent e-mail asking the persons who receive them, under various pretexts, to update their banking or personal information by clicking a link directing them to a phony Web site. Pirates then collect the information provided and use it to make fraudulent transactions. The phony Web sites, just like the e-mails, appear to be authentic, often because they are exact copies of institutions' or companies' Web sites.

After clicking on a link or attachment in the e-mail, users are taken to a dummy AccèsD logon page where fields were added to collect their personal information under false pretences (debit card number, AccèsD password, social insurance number, date of birth, etc.).

The term "phishing" is a variation on "fishing", in the sense it is being done at large with the hopes that someone will take the bait and supply the personal information requested. The term was inspired by the bad spelling of the first phishing attempts.

Back to top

2. What is Desjardins doing to address phishing?

Desjardins has implemented 24-hour active surveillance to ensure a quick reaction if fraudulent e-mail is detected.

Also, Desjardins scrutinizes each e-mail that you submit because of its fraudulent appearance.

Back to top

3. Why am I constantly receiving this kind of e-mail?

Scam artists may have obtained your e-mail address from a variety of sources:

  1. They may have used a spam mailing list on which your address is listed with or without your consent. (These lists are sometimes created from online contest entries. Always be sure to check out the legitimacy of a company before you enter their online contest.)
  2. They may have obtained your address via spyware installed without your knowledge on your PC. (Make sure your computer is protected against spyware.)
  3. They may have created hundreds of thousands of e-mail addresses randomly by combining first and last names and known domain names, one of which happens to be your personal e-mail address.

Once scam artists find an e-mail address that works, they may be tempted to send e-mails to that address over and over again.

Though phishing is generally associated with e-mail, some computer criminals use the phone as well. In this case, pirates call victims on the phone and pose as a financial institution employee, an investigator or a police officer.

Back to top

4. How can I tell that it's a fraudulent e-mail?

You must be extremely careful, because the scam artists use the colours and logos of legitimate sites to make the e-mails look real.

Don't assume that you'd be able to recognize a fraudulent e-mail right away. Earlier phishing attempts involved badly-written e-mails and amateur page layouts, but today's phony e-mails are much sleeker and professional-looking.

To differentiate a phishing e-mail from a legitimate one, pay specific attention to the content of the message, instead of to the attached security features. Most of the time, these logos, signatures, security elements and backgrounds are counterfeits that are identical to the originals.

Here are some characteristics of fraudulent e-mails:

  • The e-mails urge you to you act quickly under the pretext that:
    • You are a finalist or winner of an official Desjardins contest (e.g.: "Desjardins pays your taxes!" contest).
    • Your account may have been subject to unauthorized access (e.g.: a time and IP address may even be provided).
    • You must update your personal information or your account will be frozen or deleted.
    • Your account was used for fraud and you will be held accountable.
    • You must sign up for a Desjardins online security feature (e.g.: AccèsD Safe).
    • A simple accounting error has been made and corrected (in this case, you are not asked to do anything except click on a link to a phony Web site).
  • The e-mails contain a hyperlink leading to a phony AccèsD site.
  • The e-mails are often signed with the name or the logo of a security division.
  • Some of the e-mails contain attached files.

If you receive an e-mail that seems to come from Desjardins and features one or more of these characteristics, it is likely a fraudulent message and a phishing attempt.

Desjardins does not solicit members for personal and confidential information by e-mail. If you receive an e-mail like this, do not answer.

Desjardins does not penalize members for not answering e-mail.

Back to top

5. Could I have visited a fraudulent site without first receiving an e-mail?

In order for attempted phishing to be successful, fraud artists have to create a phony Web site on the Web.

If you use a recognized search engine (e.g.: Yahoo, Google, MSN, etc.), you may come across phony AccèsD Web sites in your search results.

Desjardins always takes immediate action to shut down these fraudulent sites but sometimes, a few minutes or a few hours may go by before the appropriate authorities and ISP providers can act.

Never go to AccèsD via a search engine. Always type www.desjardins.com in your address bar and click on the AccèsD link.

Back to top

6. The e-mail states that my account is about to expire. Is this possible?

No, your account and the AccèsD service on which you make online transactions does not have an end date and cannot expire. Only you can decide to close your account or stop using the service.

Back to top

7. What should I do if I receive an e-mail I believe to be fraudulent?

If you receive an e-mail asking you to update your personal information (debit card number, AccèsD password, social insurance numbers or date of birth) under the pretext that your AccèsD account is about to expire or for any other reason:

  • Do not respond to the e-mail, click on the link displayed or open any attachment;
  • Send us the e-mail and the site address to: phishing@desjardins.com. Please note that you will receive an automated response to e-mail sent to this address. Caution: do not include confidential information such as an account number or PIN. For assistance, contact an AccèsD service agent. Contact us.

Back to top

8. What should I do if I have responded to such an e-mail?

If you have responded or believe to have responded to such an e-mail, change your AccèsD password immediately by clicking on the File menu on AccèsD Internet. If you notice unfamiliar transactions in your account, immediately contact your caisse or call one of the following numbers:

Montreal area: 514-522-2373
Elsewhere in Canada and the U.S.: 1-800-224-7737

If it concerns your VISA account, contact VISA Desjardins customer service:

Montreal area: 514-397-4415
Canada and the U.S.: 1-800-363-3380
Other countries: Call collect: 514-397-4610 or contact VISA's Global Customer Assistance Service

Also contact credit agencies such as Equifax (1-800-465-7166 or 514-493-2314) and TransUnion (1-877-713-3393) or 514-335-0374), so they may add a note in your file alerting credit grantors that you have been the victim of fraudulent activity.

Back to top

9. Should I be concerned about the security of the personal information I've provided to my caisse or VISA Desjardins?

No. There are security measures in place to prevent scam artists from being able to access Desjardins computer systems. That's why they are attempting to obtain your access code, password, social insurance number, and birth date through phishing rather than through our systems. The Desjardins.com Web site is secure and your personal information will remain confidential.

Back to top

10. Can I protect myself against phishing attempts?

Unfortunately, it is likely that you may occasionally receive fraudulent e-mail appearing to have been sent by Desjardins or other financial institutions.

Your best protection is to stay vigilant:

  • Never respond to an e-mail requesting personal information, regardless of who the sender is.
  • Never click on a link inside an e-mail to log on to AccèsD or any other transactional site requiring an access code or password.
  • Never open e-mail attachments if you don't know the sender.
  • Always access the AccèsD or AccèsD Affaires log on page from your browser using the www.desjardins.com address.
  • Look for a closed padlock in your browser's status bar, ensuring you are in a secured online environment. Also make sure the address displayed has an "s" in "https". You should also be able to view the site's digital certificates by double-clicking on the little closed padlock in your browser's status bar.

Also ensure your personal computer is adequately protected.

Back to top

11. What can scam artists do with my personal information?

Once scam artists have your debit card number and password, they can access your account and make money transfers from either your account your VISA Desjardins credit card. The money is usually sent to an accomplice. If they also have your birth date and social insurance number, they can also steal your identity and use it request credit cards, loans or lines of credit in other financial institutions.

Back to top

12. Is Desjardins the only financial institution targeted?

Not at all. Phishing is being practiced increasingly throughout the world and principally at financial institutions.

Back to top

Money working for people

Les grands prix Québécois de la qualité - Grand Prix 2007