This document contains very important information that can help you protect yourself against criminal activity on-line. For your own security, you are encouraged to read this page in its entirety.

The clients of a number of leading electronic commerce sites and financial institutions have recently been actively targeted for fraud and identity theft.

Criminals are using deception to gain confidential personal information, including login names, passwords, credit card numbers, and bank account details. This type of attack is sometimes called "phishing".

An example of a typical phishing attack is below:

• A criminal sends a deceptive e-mail to the clients of a bank. The e-mail claims to be from the bank, looks exactly like a legitimate e-mail from the bank, and even contains the same fonts and graphics as the bank's web site. On appearance alone, it is impossible to determine that it is fraudulent.

• The false e-mail claims that the client's account has supposedly been "suspended", and that the client must enter personal information to "re-activate" it. The client is prompted to provide (supposedly for "verification") information like login names, passwords, credit card numbers, account details, and other confidential information. Of course, the false e-mail just happens to helpfully include a deceptive form, link, or e-mail attachment that makes it easy for the user to "update their account".

• If the client provides the information, it is not sent to the bank, but rather directly to the criminal. The criminal can then use it to log into the client's bank account.

Similar scams can be run by telephone, where a representative claiming to be "from the bank" asks the client to provide confidential information over the phone, or to fax in confidential documents to a special fax number.

Scams like this can target any service or industry, whether Internet-related or not, at any time. It does not exploit technical vulnerabilities, but rather exploits the tendency of people to trust unsolicited contact that appears to be valid.

How to Protect Yourself

There is only one sure way to protect yourself: be suspicious of all contact that you do not initiate yourself. In particular, never respond to unsolicited requests for confidential information, no matter how genuine they seem.

Every time you get any e-mail, phone call, fax, or letter that request information on behalf of a trusted entity, start from the assumption that the request is fraudulent. Never give out any confidential information until you are certain you are actually dealing with the party in question.

When using any secure on-line service, including XEtrade, please ensure that you follow these security procedures at all times:

• Only provide confidential information when you have initiated contact with the organization. If you get an unsolicited, unscheduled, or unexpected e-mail, letter, or phone call that requests confidential information, then no matter how genuine it appears, do not respond directly. Instead, you should initiate contact with the organization through trusted channels.

• When you initiate contact with an organization, always be sure that you are really dealing with that organization. If you are phoning in, confirm the number from the official website or other official sources. If you are communicating via e-mail, be sure that the e-mail address is genuine. Before you log in to any secure website, make sure you are on the "real" site. There is only one foolproof way to do this: by checking the security certificate. This is easy to do, and only takes a few seconds. We show you how to do this below.

How to Verify Security Certificates

It is easy to verify the certificates of a secure site. For example, to check the security certificate of an XE.com secure site from within Microsoft Internet Explorer, perform the following steps:

1

Select the File menu at the top of the window, then select Properties. (If the window doesn't have a File menu at the top, you can right-click in the window and select Properties from the resulting pop-up menu.)

2

If the web page you are viewing is secure, there will be a Certificates button. Click on this button. A window providing information about the security certificate will be displayed. Warning: If the "Connection" line does not mention encryption, and there is no Certificates button visible, then you are not on a secure site, and you should not provide any confidential information.

3

On the "General" tab (the default), check that the name to the right of "Issued to:" ends with ".xe.com".

4

Click on the "Details" tab at the top, highlight the "Subject" field from the displayed list, and ensure that the value to the right of "CN =" ends with ".xe.com" and that the value to the right of "O =" is "XE Corporation" This information is shown in the area below the list of fields.

Your are Your Own Best Guardian

Remember, it always is your responsibility to ensure that you are dealing with who you think you are. In particular, when logging into any secure site, it is your responsibility to check the security certificate of the site to make sure that you are connected to the real site. No one can do this for you.

If you think you have been contacted fraudulently, or that you have provided confidential information under false pretenses, please let us know immediately by contacting us at:

• By E-Mail: security@xe.com
• Toll Free: 1-877-932-6640 (in the US and Canada)
• Calling from Other Locations: +1 416 214-5606

For more information on how to protect yourself, please see:

• Federal Trade Commission - ID Theft Information
• National Consumers League - Phishing Info
• Anti-Phishing Working Group