Banks tell dozens of customers they're to blame for thousands of dollars lost to e-transfer fraudsters
Cybercrime detective says banks must do better job informing customers of risk
A Manitoba man says marketing that claims people are protected when they e-transfer money is misleading, after fraudsters stole $3,000 and TD Bank said he was to blame.
Rene Trudeau e-transferred the maximum his bank allowed — $3,000 — to a contractor who installed a new front door on his home in February. He then e-transferred the remaining $300 owed and texted the contractor to let him know he'd been paid in full.
The contractor texted back, saying he didn't get the e-transfers and hadn't seen a dime.
"I kind of panic," Trudeau told Go Public from his home in Île-des-Chênes, just outside Winnipeg. "Because at this point, all $3,300 is gone from my account."
Trudeau is one of dozens of people who contacted Go Public after a recent story about e-transfer fraud — all describing frustrating battles with their banks and questioning why exemptions that leave them on the hook when fraudsters strike are buried in the fine print of electronic banking agreements.
Been wronged and you're not the only one affected? Contact the Go Public team
A police detective with Toronto's cybercrime unit says because e-transfer fraud is on the rise, financial institutions need to do a better job of informing customers about risks and how they can better protect themselves.
"They [banks] want to be good corporate citizens," said Det. Const. Kenrick Bagnall. "They should … be more proactive."
As soon as Trudeau realized something was wrong, he contacted TD Bank and an employee was able to stop the $300 e-transfer from leaving his account. But the earlier $3,000 was gone.
That was the beginning of a seven-month battle with TD, to try to track his money and get it back.
"When I asked where the money went, or how did this happen, they seemed more interested in absolving themselves of the responsibility for this fraud," said Trudeau. "Customer service was atrocious."
He says it took three weeks before someone in TD's Customer Care department told him his money had been redirected to another chartered bank — which TD wouldn't name — and more than 10 weeks for TD to provide the RCMP with the financial information necessary to investigate.
Protection requirements in fine print
TD said the fraud occurred after a someone hacked into the contractor's email and correctly answered Trudeau's security question, which was "What is your wife's name?"
Because it wasn't hard for the fraudster to figure out the answer — the contractor named his wife on his Facebook page — TD said Trudeau was to blame, pointing to a clause on page four of the bank's electronic financial terms and conditions.
The agreement is similar to those in place at all the big banks and says customers must use tough security questions with answers only the sender and recipient can guess.
The system is not as secure as they say.— Rene Trudeau, e-transfer fraud victim
Trudeau admits his security question was weak, but says TD's marketing claims that customers who use e-transfer are "protected" and their money is "secure," so it hadn't occurred to him that fraudsters could hack emails and redirect an e-transfer.
"They [banks] should be acknowledging that the system is not as secure as they say it is," Trudeau said.
Most customers not reimbursed
Dozens of other people have recently contacted Go Public, describing how they, too, felt misled by their financial institutions after fraudsters diverted their e-transfer funds.
They point to how financial institutions market the convenience of e-transfers and make claims in bold print that the system is safe.
In smaller print — or, buried in online agreements — banks and credit unions outline a list of requirements a customer must meet in order to actually be protected, should something happen to their money.
"They don't want to scare people away from using the service — which has a significant payoff for them," said Trudeau. "It's quite frustrating."
All told, Go Public has learned about fraudsters using e-transfer to steal almost $64,000 from 56 people with accounts at TD, CIBC, Royal Bank, Scotiabank, Tangerine, Simplii, HSBC, Assiniboine Credit Union and Kawartha Credit Union.
Customers did not get their money back in almost three-quarters of the cases:
- Neil Joshi, a Toronto teacher, lost $2,790 after he e-transferred a payment to his HVAC contractor, but it was intercepted by a fraudster. Neither his nor the intended recipient's bank will reimburse the stolen funds. "What I find remarkable is that none of these banks seem to be taking any measures to address this type of security issue," wrote Joshi to Go Public. "Their attitude was, 'As long as we're not on the hook for the funds … it's not our problem.'"
- Tim Smith of Fort St. John, B.C., wrote to say that he lost over $5,300 after his e-transfer to his carpenter was intercepted, and his bank blamed weak email security. "They [banks] hold immense amounts of money in trust for the public and if their protocol is no better than that, they don't deserve to be in business."
- Contractor Jeff Harney of North Vancouver was supposed to receive a $1,500 e-transfer from a client, but his email was hacked and his bank refused to compensate for the loss. "My disappointment with the system is that the BIG PRINT says ZERO LIABILITY and RISK-FREE but the small print negates them of all responsibility," he wrote.
Watch: Are e-transfers a safe way to send money?
Banks require gag orders
After Go Public contacted TD Bank earlier this month about Trudeau, the bank reached out to him again.
Trudeau says they have now come to a "satisfactory agreement," but he's not allowed to share details, because TD required him to sign a confidentiality agreement.
TD declined to address Go Public's questions about where Trudeau's $3,000 e-transfer went, or why it took seven months to resolve the problem.
In an emailed statement to Go Public, TD's manager of corporate and public affairs Carla Hindman wrote: "We have co-operated with the police investigation and have resolved this concern with our customer."
- After Go Public contacted TD Bank about Trudeau's complaint, the bank published tips on preventing e-transfer fraud
In another e-transfer dispute, CIBC required a gag order before offering customer Charlotte Mustard $1,000 as a "gesture of goodwill" after $3,000 she transferred to pay for a new furnace in her Peterborough, Ont., home was stolen.
"That is the part that really got me," says Mustard. "It was like they [CIBC] were saying, 'Here, take this money and go away and be quiet and don't bother us anymore.' Where's the goodwill in that? And where is the justice?"
She refused to sign the confidentiality agreement and contacted Go Public. "It's very important for me to be heard — as a woman, as a senior. And I was not heard by the CIBC at all. As a matter of fact, I felt very, very discounted."
CIBC's senior consultant for public affairs, Crystal Jongeward, told Go Public in an email, "We're continuing to work with the bank that received the funds to resolve the matter for our client." The theft occurred last January.
Frauds reported 'tip of the iceberg'
Go Public requested an interview with the Canadian Bankers Association (CBA) to discuss why banks don't do more to educate customers about the importance of strong email security to protect against e-transfer fraud.
CBA spokesperson Mathieu Labrèche declined to be interviewed but said in a statement that banks widely publish information and tips about scams and provide electronic access agreements "wherein customers commit to using passwords and security questions that are unique and cannot be easily guessed or obtained by others."
Bagnall, the Toronto detective, says Canada's banks need to do much more to warn customers about potential risks when using e-transfers, because the frauds being reported are "the tip of the iceberg."
He said financial institutions may not be reporting fraud because it can cause "reputational harm."
"If customers start leaving … that could very much affect their business," said Bagnall. "Damage to the brand is a huge reason why organizations are not reporting cybercrime to the police."
Bagnall says there's also no requirement for the banks to report e-transfer crime to the police.
"They're so large that there's not really a reason that they need to be transparent, because they can do their own internal investigations," he said. "They really only need to report to the privacy commissioner."
Trudeau says the battle with his bank was exhausting, frustrating and has changed his online banking habits.
He says he'll never again e-transfer a large amount of money — $20 is now his limit.
Submit your story ideas
Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories, shed light on wrong-doing, and hold the powers that be accountable.
If you have a story in the public interest, or if you're an insider with information, contact GoPublic@cbc.ca with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public.
Follow @CBCGoPublic on Twitter.
With files from Enza Uda