Protecting Your Data, Privacy and Personal Information
Safeguarding customer data is a fundamental priority for banks. Banks are recognized for their leading cyber security practices and their strong investments in technology and security measures.
Banks in Canada take the issue of fraud, cyber security and data protection very seriously and they are working around the clock to safeguard your money and your personal information.
In the unlikely event of a breach of their security safeguards, banks in Canada are obligated to notify the Office of the Privacy Commissioner, any impacted individuals, and any other organization or government institution that may be able to mitigate harm or reduce the risk of harm from the incident.
The financial system is part of Canada's critical infrastructure; as such, banks work closely with each other and with regulators, law enforcement and all levels of government to continuously share best practices and information to address the growing challenges posed by cyber crime.
There are also simple steps that you can take to better recognize fraud and protect yourself.
Protect Your Computer and Mobile Devices
- Protect your devices against malicious software by installing anti-virus, anti-spyware and Internet firewall tools on all your devices. Make sure that you keep these programs active and updated to keep your information protected.
- Be cautious when using free public WiFi to conduct financial transactions. Criminals may be able to access your information.
- Only download banking apps directly from your bank or a reputable app store that your bank directs you to. Criminals can create legitimate-looking banking apps that can steal your personal and financial information.
Use Unique Passwords and Passphrases
- Choose secure passwords or passphrases. And don’t reuse passwords on multiple websites. Why? Cyber criminals are counting on using your stolen passwords to access other sites in a technique known as “credential stuffing.” When customer data is stolen in a cyber security breach or theft, information including usernames and passwords can be leaked or sold to other hackers.
- Credential stuffing occurs when cyber criminals “stuff” stolen login credentials into a program that attempts to fraudulently log in to other sites, including your bank account. And if you’re using the same login credentials across several websites, this increases the chances that fraudsters will be successful in accessing your accounts.
- The best way to protect against credential stuffing is to develop a unique password or passphrase for each of your online accounts, especially sensitive accounts like your bank account and your main email account. A security breach at one site means your password could be handed to criminals who may try to use it at other sites where you’ve used the same login.
Fraudulent Emails
"Phishing" emails are fraudulent email messages and websites that look like they are from a legitimate organization, such as a bank, credit card company, online retailer or government agency. The email you receive may look real, with company logos and branding, but it is an attempt to steal your personal and financial information.
There are four red flags of a phishing scam:
- Demands and threats: Is the information request legitimate? Your bank will never send you a threatening email, or call you on the phone, demanding information like your password, credit or debit card number, or your mother’s maiden name.
- Warnings: A warning that your account will be closed or your access limited if you don’t reply is a telltale sign of a phishing scam.
- Suspicious senders: Check the "from" address. If you hover your cursor over the name, you can see the actual email address. Some phishing attempts use a sender email address that looks legitimate but isn’t – one red flag is when the email domain doesn’t match the organization that the sender says they are from.
- Suspicious links or attachments: Phishing emails often include embedded links that look valid, but if you hover over them, you can usually see the real hyperlink. If the hyperlinked address isn’t the same as what appears in the email, it’s probably a phishing attempt. Does the email include an attachment that you weren’t expecting? Never open suspicious attachments.
Here are some simple steps that consumers can take to protect themselves:
- Be skeptical. Fraudulent emails can look like they come from a real bank email address. If you have any doubts about whether an email is from your bank or a reputable organization, contact them before responding to ensure that it is legitimate.
- Never send or confirm your personal or financial information by email.
- Always enter your bank’s website using the website address (URL) that you know is accurate. Contact your bank to get the correct website address if you’re unsure.
- Check the domain name shown as the link in the email. When you click the link, if it does not match the name that appears in the browser at the top of the screen, then it may be a fraudulent website.
- Regularly review your bank and credit card statements to ensure that all transactions were made by you.
- Check your credit report at least once a year by contacting credit reporting agencies Equifax Canada or TransUnion Canada.
The CBA website has four short videos on the common red flags of a phishing scam. You can watch them at: cba.ca/how-to-spot-a-phishing-scam.
You can test your knowledge of phishing and how to spot a fraudulent email, text or phone call at the CBA’s phishing quiz site at cbacybersafety.ca/.
Credit and Debit Card Fraud
Banks and credit card companies take significant steps to protect customers and minimize fraud as much as possible. For example, did you know that:
- Banks’ systems can automatically detect unusual activity in a customer’s account? This means that steps can be taken to prevent fraud from occurring.
- Visa, MasterCard, American Express and Interac have zero liability policies in the case of unauthorized transactions? This means if you are a victim of fraud, you won’t be held responsible.
There are steps you can take to protect yourself, including:
- Report a lost or stolen card as soon as you notice it is gone.
- Regularly check your transactions online or on your monthly statement. If there are any transactions that you didn’t make, report them to your bank or card issuer right away.
- Never give out your card number over the phone or online unless you know you are dealing with a reputable company.
- Scammers will try to trick people into revealing information about their credit cards either over the phone or through email. It’s important to know that your bank or credit card company would never call or email to ask for personal information like your credit card number, expiry date, PIN, or the security number on the back of your card.
With a cyber hygiene checklist and tips on how to spot common scams, the CBA’s Cyber Security Toolkit can help you protect against online financial fraud. Download a copy at cba.ca/cyber-security-toolkit.
The CBA’s Fraud Prevention Toolkit for Older Adults, created in collaboration with the Government of Canada’s Get Cyber Safe campaign, includes a fraud prevention checklist and tips to avoid phone fraud. The toolkit also provides recommendations on how to choose strong passwords and offers information on how to recognize and prevent financial abuse.
With checklists and a printable poster for employees on how to spot common scams, the CBA’s Small Business Cyber Security Toolkit, created in partnership with Get Cyber Safe, can help you protect your small business from cyber threats.