Put up your hand if you think e-transferring money is easy, secure and foolproof. I did. I still think it’s easy but I recently learned that it’s not as secure or as foolproof as you might think.
A few weeks ago, I received an email from a small publisher asking if I would accept my royalty payment by e-transfer. I don’t have this fellow set up on automatic deposit but I trusted him and his business practices so I said yes. A few minutes later I received a subsequent email saying the money had been sent. In his second email he also included the answer to the security question. I was surprised because if there’s one thing that’s been drilled into me it’s this: never send the answer to the security question in an email. I didn’t say anything, however, and if I have one regret, that’s it. Had I been thinking, I would have quickly emailed him back and asked him to kill the transaction. But I didn’t.
I waited for the official notification that would allow me to claim the money. It didn’t come. I knew Bank of Montreal was having some online issues that afternoon so I figured things were slower than usual. However, by the next morning when the money hadn’t arrived, I began to get concerned. My first thought was that perhaps the publisher had inadvertently forgotten to complete the transaction. I’d made that mistake once myself. So, I emailed him a brief inquiry. His reply was swift: the money had been sent and I had accepted it. It had been withdrawn from his bank account. He quickly provided an e-statement from his bank to prove it.
My response was equally fast: I’d never received even a notification, so I hadn’t had the opportunity to claim the money. He stood by his initial statement: he’d paid me and he couldn’t afford to pay me twice.
As sympathetic as I was to his position, I also like to eat and I’d been counting on that royalty payment to help in that regard. I told him I was worried, especially since he’d included the answer to the security question in his email. He responded by saying that his security was good, his email was encrypted so there were no issues on his end but he wondered about mine. Was I using an unsecure browser? he asked. No, I told him, a secure network only, and my security was also top notch, and up to date.
We called our respective banks (the same bank – BMO – but different branches). He was told the problem rested with me and I needed to start an investigation. My branch said they couldn’t start an investigation because there was nothing to investigate; I’d never received notification of an e-transfer so there was nowhere to go with a search.
Several hours and multiple phone calls later, the publisher learned that the money he’d sent to me had been claimed by a third party. We had a name. Surely this would be enough to resolve things, to claim/find/refund the money. But unfortunately for us, it was the Friday before a long weekend and nothing would happen now until Tuesday.
I spent part of that weekend checking for malware on my machines, checking again that my security was completely up to date (it was) and changing every single password to every single account (personal or professional, financial or otherwise) I had. Coincidentally when I was at the bank and seeing a teller, I mentioned what had happened and why I was changing the security number on my bank card. She responded by saying that whenever she returns from a trip, she routinely changes all her banking passwords.
I’d been in Winnipeg less than a week earlier. While I hadn’t done any online banking during my time away, I had regularly checked my email. Was it possible someone had infiltrated my system? I didn’t see signs of it – scans of my laptop and cell phone had turned up nothing suspicious – but something was amiss somewhere so who knows. From now on I’ll take that bank teller’s advice and change my passwords after any trip, including my email password.
I still don’t have my royalty payment. The publisher still hasn’t been refunded the money either, but he has initiated a bank investigation and we’re both hoping for a positive resolution.
In the meantime, here are some things to remember when sending or receiving bank e-transfers.
Never, ever, put the answer to a security question in an email or even in a text. Just don’t do it. If necessary, call the recipient to give them the answer.
When you conceive of a security question, make it difficult. Don’t, for instance, ask your payee who their favorite Beatle is. Someone in Ontario did exactly that when she was reimbursing a friend $1,700 for trip expenses. The money never arrived. With only four possible answers to that question, it’s easy for a fraudster to nail the answer in just a few tries.
If you’re active on social media, avoid security questions that could be answered by skimming your feed. Don’t use the name of your pet, your favorite color or flower, your current hobby, or the location of your last vacation. Too easy to source via Twitter or Facebook.
Do not assume because you use a Mac, have excellent security or your email is encrypted that breaches can’t happen. There are people who are dedicated to intercepting e-transfers. It’s their full-time job. My daughter works for a reputable company with encrypted email and high security. They lost 30K on an intercepted e-transfer.
Double and triple check the email address you’re sending to. Double and triple check the email address you’re accepting money from. One common scam involves a single keystroke of difference. Also watch for errors in the text of the notification. Another favored trap is the $ sign appearing after the amount instead of before it.
Do not store account passwords in your web browser or on a mobile app. You don’t want someone being able to access your account with the click of a button.
Never respond to requests from Interac or your bank that require you to send information over email or text. If you receive a message from Interac that a transfer you initiated was not completed, review the transfer from your bank account to see if you typed in the wrong address.
Never provide personal or account information in response to an unsolicited email or text. Note that neither Interac nor your bank will request your account number, your personal identification number or any other personal information in an email. They already have it.
If you weren’t expecting the deposit or money request notification, contact the sender through a different channel to confirm that it’s real. If it’s someone you don’t know or money from a source you don’t expect, do NOT respond to their email address.
Finally, if you’re on the receiving end and you haven’t received notification of your expected e-transfer within two hours, and the transfer is between Canadian banks, call Certapay at 1-888-238-6433. They are the organization coordinating all transfers in Canada, and as soon as a payment is initiated they are able to quickly determine the status of the transaction.