Alysia Lok may be the creator of a brand of sweet snacks, but says she’s soured on how few protections can exist when e-transfers get hacked.
“I was just shocked and frustrated because I had no idea this could even happen,” said the Edmonton entrepreneur.
When an e-transfer she expected from a client last November got redirected by a fraudster, the client’s financial institution told Lok the money was gone for good — and not only that, it wasn’t responsible for reimbursing her.
“I started getting mad,” said Lok. “They say e-transfer is ‘fast, easy and secure.’ So we used it, thinking that that’s true.”
Lok is one of a growing number of Canadians behind a surge in e-transfer transactions during the pandemic — as more people hunker down and use less cash, with fewer face-to-face retail interactions.
New statistics obtained from Interac — the company, largely owned by Canadian banks and credit unions, behind e-transfers — show the use of e-transfer has been climbing since last April.
E-transfers hit an all-time high in December, with over 77 million transactions.
- Got a story? Contact Erica and the Go Public team
Go Public has reported on the problem of e-transfer fraud before. But the recent increase in digital financial transactions has created a fraudster’s paradise, according to the Canadian Anti-Fraud Centre, a joint effort by the Ontario Provincial Police, the RCMP and the Competition Bureau.
Senior RCMP intelligence analyst and spokesperson Jeff Thomson says last year fraudsters made off with nearly 1,800 e-transfers totalling almost $3 million in reported losses — up more than $400,000 from 2019. Thomson says those reports just represent the tip of the iceberg.
“With the pandemic, you have an increased pool of victims — more people at home looking to acquire day-to-day products and services that they can’t otherwise go out and get,” said Thomson. “It’s a ripe environment. And the pool of potential victims has increased.”
Lok increased her use of e-transfers last year as the pandemic swung into high gear and shut down the usual outlets for peddling her company’s snack food — farmer’s markets and pop-ups.
She focused on retail partnerships and says now, instead of cheques and bank drafts, 95 per cent of her payments are coming through e-transfers.
In November, Lok got an email saying a client had sent an e-transfer for $320. But when she clicked on that e-transfer three weeks later — within the 30-day limit to accept it — she got a notification saying it had already been deposited.
“I was like, ‘Did I deposit it previously and just not remember?’ But I went through my transaction history and there was no deposit,” she said. “So I thought, ‘That’s really strange. Maybe it’s just a glitch.'”
She soon learned it was no glitch. Her client’s financial institution — Servus Credit Union in Edmonton — said there must have been an email hack and the money had been redirected to someone else’s account at another bank.
She was out of luck. Lok says a Servus customer service rep told her that the credit union has no responsibility when e-transfers get hacked. That’s because Interac e-transfers involve email — and financial institutions have no control over people’s email security.
In a phone call with Servus, Lok says the service rep likened using e-transfer to a customer taking the money out of a financial institution, walking down the street and then getting robbed — an analogy that riles her.
“We’re not out on a street just flashing cash around and then getting mugged,” said Lok. “It’s a banking service that’s tied to their company … It doesn’t say that this is not secure.”
Lok — and dozens of other people who’ve contacted Go Public — say financial institutions need to do much more to warn Canadians about e-transfer fraud.
“I do think it’s a financial institution’s responsibility to educate and not blame the customer when we’re using your services,” said Lok.
On its website, Servus Credit Union tells customers that using e-transfer is “completely secure!” There is no mention of e-transfer fraud. It does suggest using a unique or difficult security question “to keep your transfer safe.”
“Banks need to be more transparent with the risks of using e-transfers,” said Lok. “Instead of advertising it to be so safe and secure until something happens and they take zero responsibility.”
In an email, Servus spokesperson Amanda LeNeve said people using Interac e-transfer have to “take appropriate precautions,” explaining that once money is sent “it goes beyond the bank or credit union’s bounds of security and protection.”
After Go Public contacted Servus, the credit union reimbursed Lok for the stolen $320.
Toronto lawyer Paige Backman is familiar with stories like Lok’s. The co-founder of Knowledgeflow Cybersafety Foundation, a non-profit aimed at educating the public about cybercrime, says she’s seen an increase in e-transfer issues since the pandemic — likely because so many people are making payments online instead of using cash.
“For some people it’s a lot of money that they’ve lost, and that’s a big deal,” she said. “This is … a real problem and it’s really hard to solve.”
Backman says the banks could play a much bigger role in preventing e-transfer issues for customers, without too much effort.
“There could be more information around things that people can do to protect themselves when they go on those [e-transfer] pages,” says Backman.
Backman argues, though, that it’s a two-way street — customers need to do their part to protect their money.
WATCH | The trouble with e-transfers amid pandemic spike:
Since fraudsters hack into the sender or recipient’s email to steal an e-transfer, Backman urges people to change their email passwords frequently.
E-transfers also require a security question, so make it a strong one, says Backman, not one that a fraudster could easily guess.
Richard Garner of Toronto admits the security question he asked when he sent his personal trainer an e-transfer in November wasn’t “Fort Knox level” but says that’s not the point.
“There might be some people who go, ‘Oh, it’s too bad … you should have been smarter,'” he says.
“The real matter — that shouldn’t be lost on anybody — is that the banks knew for a long time that e-transfer fraud was happening. Some banks chose giving people warnings about it … and other banks chose to do nothing. That’s the issue here.”
Garner was out $575 until he complained to a manager at his local branch of Meridian Credit Union, which eventually paid him back.
In an emailed response to Go Public, Meridian said it makes “continuous fraud education efforts” on its website and on social media and decided to reimburse Garner “because we acknowledge his experience was not optimal.”
After learning firsthand about the risks of e-transfer fraud, Garner turned on the “autodeposit” function for his account, which means money goes directly to a recipient’s account without the need for a security question to be answered.
WATCH | Backman explains how e-transfer fraud often happens:
But many security experts say the strongest protection against e-transfer fraud is two-factor authentication — a system that only allows a user to log onto an account once they’ve received a code on a separate device or an email at a different email address.
Despite two-factor authentication being mandatory for U.S. banks for 15 years and required for all financial institutions in the European Union since 2019, most financial institutions in Canada do not require it.
Go Public asked the Canadian Bankers Association why two-factor authentication is not mandatory — an email reply did not address our question.
CBA spokesperson Mathieu Labrèche wrote that banks spend a lot of money on security infrastructure but also said security is a shared responsibility, that “bank customers must take every precaution to ensure their accounts and their transactions are protected by using safe email, security, and password practices.”
Lok says it’s all a lesson learned, but worries people won’t take steps to protect themselves until financial institutions do more to alert the public about e-transfer fraud.
“The most frustrating part is that the financial institutions know this is happening,” said Lok. “But people don’t know about it until it happens. And by then it’s too late.”
Submit your story ideas
Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories, shed light on wrongdoing, and hold the powers that be accountable.
If you have a story in the public interest, or if you’re an insider with information, contact email@example.com with your name, contact information and a brief summary.
All emails are confidential until you decide to Go Public. Follow @CBCGoPublic on Twitter.