XEtrade
Fraud And Identity Theft - How To Protect Yourself

This document contains very important information that can help you protect yourself against criminal activity on-line. For your own security, you are encouraged to read this page in its entirety.

The clients of a number of leading electronic commerce sites and financial institutions have recently been actively targeted for fraud and identity theft.

Criminals are using deception to gain confidential personal information, including login names, passwords, credit card numbers, and bank account details. This type of attack is sometimes called "phishing".

An example of a typical phishing attack is below:

  • A criminal sends a deceptive e-mail to the clients of a bank. The e-mail claims to be from the bank, looks exactly like a legitimate e-mail from the bank, and even contains the same fonts and graphics as the bank's web site. On appearance alone, it is impossible to determine that it is fraudulent.

  • The false e-mail claims that the client's account has supposedly been "suspended", and that the client must enter personal information to "re-activate" it. The client is prompted to provide (supposedly for "verification") information like login names, passwords, credit card numbers, account details, and other confidential information. Of course, the false e-mail just happens to helpfully include a deceptive form, link, or e-mail attachment that makes it easy for the user to "update their account".

  • If the client provides the information, it is not sent to the bank, but rather directly to the criminal. The criminal can then use it to log into the client's bank account.

  • NOTE: Some legitimate e-mails may contain links for your convenience.  The existence of a link in an e-mail is not indicative of a phishing attack, but you should exercise due caution and ensure you know the site in question before proceeding.

Similar scams can be run by telephone, where a representative claiming to be "from the bank" asks the client to provide confidential information over the phone, or to fax in confidential documents to a special fax number.

Scams like this can target any service or industry, whether Internet-related or not, at any time. They do not exploit technical vulnerabilities, but rather the tendency of people to trust contact that appears to be valid.

How to Protect Yourself

There is only one sure way to protect yourself: be suspicious of all contact that you do not initiate yourself. In particular, never respond to unsolicited requests for confidential information, no matter how genuine they seem, without taking the time to verify the validity of the source.

Every time you get any e-mail, phone call, fax, or letter that requests information on behalf of a trusted entity, start from the assumption that the request is fraudulent. Never give out any confidential information until you are certain you are actually dealing with the party in question.

When using any secure on-line service, including XE Trade, please ensure that you follow these security procedures at all times:

  • Before following a link in an e-mail, be sure you know the source and the destination of the link.  If you are unsure, try going to the same page on the site directly without using the link.

  • The URL of the link should generally go directly to the site in question.  There are some exceptions to this, as some e-mail marketing tools will use tracking links to allow for better understanding of how the marketing is used.

    IMPORTANT:  From time to time you may receive e-mail marketing from XE.com which contains links to the domain "app.en25.com" or "now.eloqua.com". These domains are part of an industry-leading marketing and e-mail management tool called "Eloqua" which we use to manage our mailouts.

  • When you initiate contact with an organization, always be sure that you are really dealing with that organization:

    • If you use a link within an e-mail, confirm that it takes you to the site you are expecting.  If you are not confident clicking the URL, you can always cut and paste the URL directly into your browser or navigate to the site for yourself.

    • If you are phoning in, confirm the number from the official website or other official sources.

    • If you are communicating via e-mail, be sure that the e-mail address is genuine.

    • Before you log in to any secure website, make sure you are on the "real" site. There is only one foolproof way to do this: by checking the security certificate. This is easy to do, and only takes a few seconds. We show you how to do this below.

  • If you are unsure of any communication, call the company in question using publicly available contact information.
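The link checks in the list above can be automated for an HTML e-mail body. The following is an added example, not XE's own code: it compares each link's real destination host against xe.com and the two Eloqua hosts named on this page. The function names and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE = "xe.com"                                      # the site this page is about
TRACKING_HOSTS = {"app.en25.com", "now.eloqua.com"}  # Eloqua hosts named on the page

def link_host(url):
    """Return the host the browser would connect to, or None if not a web link."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname drops any "user@" prefix and port, so only the real host is compared.
    return parts.hostname.rstrip(".").lower()

def classify(url):
    """'site' for xe.com and its subdomains, 'tracking' for Eloqua, else 'unknown'."""
    host = link_host(url)
    if host is None:
        return "unknown"
    if host == SITE or host.endswith("." + SITE):  # whole-label suffix match
        return "site"
    return "tracking" if host in TRACKING_HOSTS else "unknown"

class _Anchors(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html):
    """Return (visible text, href, verdict) for every link in an HTML e-mail body."""
    parser = _Anchors()
    parser.feed(html)
    return [(text, href, classify(href)) for href, text in parser.links]

# Constructed sample e-mail body (not a real message).
SAMPLE = ('<p><a href="https://www.xe.com/">XE</a> '
          '<a href="https://app.en25.com/e/er?s=1">Newsletter</a> '
          '<a href="http://www.xe.com.example.net/login">www.xe.com</a></p>')
```

The third link in the sample displays "www.xe.com" but its destination host ends in a different domain, so it is reported as "unknown" and should be treated as untrusted until verified by other means.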

How to Verify Security Certificates

It is easy to verify the certificates of a secure site. For example, to check the security certificate of an XE.com secure site from within Microsoft Internet Explorer, perform the following steps:

1. Select the File menu at the top of the window, then select Properties. (If the window doesn't have a File menu at the top, you can right-click in the window and select Properties from the resulting pop-up menu.)

2. If the web page you are viewing is secure, there will be a Certificates button. Click on this button. A window providing information about the security certificate will be displayed.

   Warning: If the "Connection" line does not mention encryption, and there is no Certificates button visible, then you are not on a secure site, and you should not provide any confidential information.

3. On the "General" tab (the default), check that the name to the right of "Issued to:" ends with ".xe.com".

4. Click on the "Details" tab at the top, highlight the "Subject" field from the displayed list, and ensure that the value to the right of "CN =" ends with ".xe.com" and that the value to the right of "O =" is "XE Corporation". This information is shown in the area below the list of fields.
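The checks in steps 3 and 4 can also be applied programmatically. This is an added example, not XE's own code: it tests a certificate subject, in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`, against the two values this page gives. The function names and the sample subjects are assumptions constructed for illustration.

```python
import socket
import ssl

EXPECTED_SUFFIX = ".xe.com"      # from steps 3 and 4 on this page
EXPECTED_ORG = "XE Corporation"  # from step 4 on this page

def subject_fields(cert):
    """Flatten the nested 'subject' of a getpeercert() dict to {field: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields

def check_subject(cert):
    """Return a list of problems; an empty list means both page checks pass."""
    fields = subject_fields(cert)
    problems = []
    cns = fields.get("commonName", [])
    if not cns:
        problems.append("no CN in subject")
    for cn in cns:
        if not cn.lower().rstrip(".").endswith(EXPECTED_SUFFIX):
            problems.append(f"CN {cn!r} does not end with {EXPECTED_SUFFIX}")
    orgs = fields.get("organizationName", [])
    if orgs != [EXPECTED_ORG]:
        problems.append(f"O is {orgs!r}, expected {EXPECTED_ORG!r}")
    return problems

def fetch_cert(host, port=443, timeout=5):
    """Fetch the peer certificate over TLS (needs network; never called on import)."""
    ctx = ssl.create_default_context()  # also verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample subjects (not taken from real certificates).
GOOD = {"subject": ((("countryName", "CA"),),
                    (("organizationName", "XE Corporation"),),
                    (("commonName", "www.xe.com"),))}
LOOKALIKE = {"subject": ((("organizationName", "Example Org"),),
                         (("commonName", "www.xe.com.example.net"),))}
NO_ORG = {"subject": ((("commonName", "www.xe.com"),),)}
```

`check_subject(fetch_cert(host))` runs the same comparison against a live connection; a certificate that carries no "O =" value fails the step 4 check just as a mismatched one does.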

You are Your Own Best Guardian

Remember, it is always your responsibility to ensure that you are dealing with who you think you are. In particular, when logging into any secure site, it is your responsibility to check the security certificate of the site to make sure that you are connected to the real site. No one can do this for you.

If you think you have been contacted fraudulently, or that you have provided confidential information under false pretenses, please let us know immediately by contacting us at:

  • By E-Mail: security@xe.com
  • Toll Free: 1-877-932-6640 (in the US and Canada)
  • Calling from Other Locations: +1 416 214-5606

For more information on how to protect yourself, please see:

  • Federal Trade Commission - ID Theft Information
  • National Consumers League - Phishing Info
  • Anti-Phishing Working Group

© 2002-2013 XE Corporation. All rights reserved.