Fraudster targets financial institution employees and then customers to obtain personal information

Incident Summary #13

February 18, 2016

Lessons Learned

  • It is important that organizations make their front-line employees aware of deceptive impersonation techniques used by individuals trying to obtain the personal information of others. In case of doubt, employees should check with a supervisor before any personal information is disclosed to an unknown party.
  • Individuals should be cautious when asked to give out their personal information, especially sensitive financial information, over the phone, even to someone purporting to represent their financial institution. In such situations, individuals should not hesitate to take steps such as making direct contact with a representative they know at that institution.

Incident

A Canadian financial institution reported to the Office of the Privacy Commissioner of Canada in January 2016 that an unknown individual had used deceptive impersonation techniques to convince customer service centre employees to provide him with the contact information of recent callers to the centre. The financial institution estimated that the contact information of approximately 100 customers was disclosed.

The individual then contacted some of these customers and was successful in extracting additional personal information directly from them, including sensitive information which could make them vulnerable to identity theft.

Outcome

After becoming aware of the incident, the financial institution:

  • alerted our Office of the breach of customer personal information;
  • conducted an investigation to determine the incident’s scope and to reduce the risk of any recurrence;
  • contacted all individuals who could have been affected and offered them complimentary third-party credit protection monitoring;
  • advised those individuals on how to ward off any attempted fraud, including how they can determine if a caller is impersonating a bank employee. At the same time, individuals were also strictly advised not to disclose any personal information to callers;
  • introduced enhanced controls to mitigate recurrence risk; and
  • conducted additional staff training to prevent recurrence.

According to the financial institution, despite the risk of fraud and identity theft that the incident posed, it had received no reports of any fraud related to these clients’ credit or debit cards as a result of the incident.
