March is fraud prevention month – let’s be careful out there

Let’s be careful out there.  We have all received fraudulent emails or phone calls.  To reduce the chances of being a victim, here is a Global News article on the Top 10 scams to watch out for this Fraud Prevention Month, and Tips to Protect Yourself from Fraud from the Competition Bureau.

MasterCard offers the following tips for credit card security:

Today 88% of face-to-face transactions in Canada are Chip & PIN or contactless, and thanks to the layers of security built into the MasterCard network, Chip & PIN and contactless are safe and fraud rates for Canadian face-to-face transactions have sharply declined.

While consumers should feel safe using their card all the time, they can further protect themselves by remaining diligent and taking precautions. Here are a few simple tips:

1>     Don’t underestimate the strength of strong passwords. Make them complex with upper case, numbers and symbols and change them from time to time. Use different passwords for different purposes and ensure you have a means to recover passwords, where applicable, such as a separate registered email address.

2>     Shop with confidence online and visit reliable websites. eCommerce makes shopping more convenient than ever, but consumers should do their homework. Look for the SecureCode symbol from MasterCard at checkout, which adds a layer of security and ensures you are who you say you are online.

3>     Be skeptical of unsolicited phone calls, email, text messages, or social media messages if they request credit card data or personal information such as passwords, date of birth, social insurance number etc.

4>     Do not click hastily on links contained within emails or on any email attachments sent by an unknown or un-validated source no matter how harmless or familiar the title appears. Instead delete the message unless you can confirm the sender.

5>     If you followed an email link to a website (or a text message to a voice recording system) and provided card data that later seemed suspicious, contact your card issuer immediately so your account can be protected.

6>     Always use Chip & PIN, and tap to pay where applicable. You should be the only one with knowledge of your PIN number, and shield it from sight at checkout.

7>     Keep an eye on your card statement. Sign up for online/e-statements and check regularly to make sure an unauthorized purchase was not processed. If you notice something, call your bank immediately. The number is always on the back of your credit card.

8>     Be informed; know the facts about the layers of security built into your card’s payment network.

Cross-posted to Slaw

October is Cyber Security Awareness Month

The goal of Cyber Security Awareness Month is to remind us to guard against cyber threats.  The Canadian Government getcybersafe website has resources to describe the risks and suggest ways to protect against things such as cyberbullying, scams and fraud.  It covers both personal and corporate risks for smartphones, social networking, online banking, online shopping, and more.  It also explains the differences between common threats such as pharming, phishing, and spoofing.

If you’ve ever wondered how many people actually fall for what appear to be blatant phishing attempts, take a look at this infographic that shows that even a very small percentage of phishing success translates into significant actual numbers.


Cross posted to Slaw 


Royalty fraudsters can’t hide behind ‘corporate veil’

For the London Free Press – March 31, 2014

Read this at

The British Columbia Court of Appeal recently held the owner of a company personally liable for a fraud his company perpetrated against a company it had licensed technology from.

It’s rare for courts to “pierce the corporate veil” and find personal liability for owners and employees of companies, but they will if fraud is involved.

In this case, Mr. Zhu was the controlling shareholder of a company called JingJing. JingJing signed a license agreement with a company called XY, where XY gave JingJing the right to use XY technology related to animal genetics. The fee for using the technology was an ongoing royalty paid to XY based on how much money JingJing made from using the licensed technology.

XY relied on JingJing to report JingJing revenues and to pay the correct amounts. But JingJing, Mr. Zhu, and two other employees falsified the revenue records and significantly underpaid XY.

It was clear that JingJing breached the contract by doing the false reporting. But the court also found that Mr. Zhu and the two employees who participated in the false reporting committed the tort of deceit by falsifying the records with the intent to deceive XY and pay it less than was actually owed. Mr. Zhu, the two employees and JingJing were held jointly and severally liable for the payment of damages exceeding $8 million.

Though it may seem odd to have a contractual arrangement where the price is paid based on metrics that only the person paying knows, it is not that unusual.

Things such as software licences and reseller agreements, and the use of technology in general are often paid for based on what the buyer knows about the usage of the product. For example, fees can be based on things such as the number of sales, revenue from sales, numbers of employees, numbers of customers, or even the number of servers the technology runs on.

In these types of arrangements, the contracts typically require the buyer to report on the payment metrics along with payment. Sellers often include audit rights allowing them to inspect the buyer’s records or systems to confirm the reporting is accurate.

Depending on the nature of the technology being licensed, and the way the seller sets it up, it may in some cases be possible for the seller to be able to monitor the use metrics itself and avoid the risk of buyer fraud.

The facts and law in this case were very complex and dealt with many issues other than the reporting fraud, but lessons from this decision include:

  • Company owners and employees cannot do fraudulent acts and hide behind the corporate veil. Arguing that the fraud was in the course of their regular duties won’t save them.
  • Businesses that get paid for their products and services based on use metrics should try to deliver them in a way that allows them to monitor the use themselves.
  • Contracts that rely on reporting should contain an audit provision.

Avoiding internet scams

That’s the title of my Slaw post for today.  It reads as follows.

Dan wrote yesterday about what to do if hackers steal your online accounts. As a companion to that, Yahoo! Canada has an article from Real Simple magazine entitled Scams Even You Could Fall For – And How to Avoid Them.

It talks about things like phony gift card offers, mails that look like they come from your bank, sellers of fake items like event tickets, and fake charities. It also suggests some resources to use for checking to see if things are legit.  Sometimes just doing a Google or Bing search will ferret out if something is a common scam.

Fraudsters and malware distributors are always trying to stay one step ahead of spam filters, and often manage to get things through that look amazingly like legitimate messages from Facebook or other social networking sites.

Remember to be skeptical about communications that carry either really good news, really bad news, or that require some immediate action to avoid a dire consequence. If, for example, you receive a message that purports to be from your bank – just call the bank at the number you have for them (not a number that the communication gives you). Instead of clicking on a link that says it’s to a Facebook message, just log onto Facebook in the normal way to see if there is a message there.

eBay not liable for fakes sold on site

For the London Free Press – May 17, 2010

Read this on Canoe

Court says popular site is not responsible for counterfeit items

We are all familiar with the sayings: “buyer beware,” “all that glitters is not gold” and “if it’s too good to be true, it probably is.” Case in point: On eBay, three out of every four items advertised as Tiffany’s jewelry are counterfeit products.

Nonetheless, the United States Court of Appeals has recently upheld the decision that eBay is not liable for trademark violations as against the jewelry retailer Tiffany. This decision is significant to retailers and the general public alike.

In 2004, after suspecting knockoffs of its jewelry were being sold on the eBay site, employees of Tiffany’s purchased hundreds of purported Tiffany’s products and tested them. Tiffany’s discovered three out of every four items were fake.

Based on this information, Tiffany sued eBay for trademark violations on its site. Tiffany alleged that eBay had general knowledge that the infringement was occurring.

As noted in the appeal decision, more than six million new listings are posted on eBay daily. And on any given day, it contains more than 100 million listings. eBay’s evidence at trial was that it spends as much as $20 million a year on tools to promote trust and safety on its website. In fact, eBay has an entire “trust and safety” department with more than 4,000 employees.

One of the tools that eBay cited in its defence is a rapid notice-and-takedown system called VeRO — the verified rights owner program.

This program allows eBay to respond very quickly to trademark complaints and, when necessary, to remove infringing content. Repeat offenders were suspended from selling their goods on eBay. EBay submitted that hundreds of thousands of infringing sellers were suspended each year.

The court has come to the right decision in this case. EBay itself is not the party selling counterfeit goods or violating trademarks. And it does deal with sellers making false claims when made aware of it.

If Tiffany had been successful, it would have likely resulted in over-policing of vendors by all online intermediary selling sites. (Other examples of such sites are Craigslist and Kijiji.) If these companies had to worry about trademark lawsuits and liability for every single sale that took place on their sites — and thus verify the authenticity of everything offered for sale on their sites — there would be a chill on e-commerce.

At the very least, there would certainly be much stricter guidelines for what could be sold on the site and who could sell it. Strict guidelines would undoubtedly result in higher costs and some legitimate sellers being excluded.

The ruling should be considered a win not only for the intermediary companies, but also for online sellers and consumers as well.

It should be noted, however, that eBay has not been so successful in other jurisdictions.

For example, in 2009 a French court found eBay responsible for brand counterfeiting and ordered them to pay the luxury group LVMH 80,000 euros in compensation for damages caused to famous perfume brands such as Christian Dior and Kenzo.

Scams haul in $450 million

For the London Free Press – April 28, 2008

Read this on Canoe

Fraud affects business as well as individuals.

An Environics survey commissioned for the Competition Bureau of Canada revealed that Canadians lost more than $450 million to mass-marketing frauds committed by mail, phone and Internet in 2007.

It’s estimated that 95 per cent of people who are victims of mass-marketing fraud do not report it.

The Canadian Competition Bureau recently launched the Fraud Awareness for Commercial Targets, or FACT, campaign. This is an outreach and educational initiative that provides businesses and not-for-profit groups with the tools to avoid becoming victims of fraud.

Information to help organizations recognize and prevent fraud can be found on the bureau’s website at

Examples of fraud vary. A common scam which targets many businesses is the issuance of fake invoices and fraudulent telemarketing pitches for office supplies. In other situations, office supplies that were never ordered are delivered or goods are paid for but never received.

By placing two to three strategic phone calls, fraudsters can glean enough information to make a business’s employee believe that a business relationship has been established. The merchandise delivered is usually poor quality and very expensive. Generally, there is no way to return the merchandise. Those who refuse to pay often get harassing calls from collection agencies and pay the bill to avoid damaging their business reputation.

Another common scam is the sending of an invoice for an appearance in a directory when applying for a trade-mark. It is done in a way that suggests it is part of the trademark application process. This is so common that the Canadian Intellectual Property Office includes a warning about it on their trademark approval invoices, along with a customer service number to confirm the legitimacy of the invoice.

The FACT Program urges employers to protect their organizations by training staff to offer responses like these:

– I need to see an offer in writing first.

– Send me a copy of our order.

– We only pay with evidence of a signed authorization.

– I need to consult my manager before making any decision.

– I cannot accept a shipment without written proof that we’ve ordered it.

– I’m not interested. Remove us from your contact list.

Businesses and consumers are encouraged not to make business arrangements over the phone and to hang up if the company soliciting business appears not to be legitimate.

This problem is not unique to Canada. At the international level, a Fraud Prevention Forum has been adopted. Thirty countries form ICPEN, the International Consumer Protection and Enforcement Network, which hosted Fraud Prevention Month activities.

Building on a previous co-operation agreement between Canada and the United States called the OECD (Organization for Economic Co-operation and Development), the Competition Bureau this month signed a co-operation arrangement with the U.S. Postal Inspection Service in Washington. The goal is to improve competition law enforcement to fight mass-marketing fraud and other deceptive marketing practices with a cross-border component.

Hannaford data breach – almost 2000 cases of fraud reported

Many sources are reporting on a data breach in the US Hannaford retail chain where customer credit and debit card numbers were exposed by some sort of intrusion into their computer systems. Unfortunately, this kind of report is all too common.

What I find interesting is the message to their customers by their CEO. He states in part:

Hannaford has contained a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.

We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry. The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization.

So how are credit and debit card numbers not “personal information”?

Read a report on StorefrontBacktalk

Read the Hannaford statement

Illicit trade-mark fee solicitations

I often get calls from clients I am registering trade-marks for asking me if an invoice they have received is legitimate. These are so common that CIPO (Canadian Intellectual Property Office) prints a warning on their trade-mark approval notices that says:


The sender of the “invoice” cuts out the advertisement of the recipient’s trade-mark from the trade-marks journal, and sends it along with an invoice that looks like this:


That is one we received here at Harrison Pensa when a mark we are registering for ourselves was advertised.

So if you get one of these – don’t pay it. If in doubt, contact your trade-mark agent/lawyer.

Reckless data handling & new identity theft law

itWorldCanada has an article today about the part of the proposed identity theft law that would make it a crime to be “reckless” about making personal information available to one who intends to use it for fraud. I am quoted in the article.

The exact wording of the section is:

Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing or believing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence

Food for thought: Is this a backdoor way to put some criminal teeth in the security requirements of PIPEDA? If an organization was to leave personal data where it is easily found and unprotected, would that “make it available”, and be reckless?

Read the itWorldCanada article

Identity theft legislation introduced

The federal government just introduced proposed amendments to the Criminal Code to provide more tools to fight identity theft.

The summary of the bill says:

This enactment amends the Criminal Code to create a new offence of identity theft, of trafficking in identity information and of unlawful possession or trafficking in certain government-issued identity documents, to clarify and expand certain offences related to identity theft and identity fraud, to exempt certain persons from liability for certain forgery offences, and to allow for an order that the offender make restitution to a victim of identity theft or identity fraud for the expenses associated with rehabilitating their identity.

As David Fraser points out in his CTV interview, I pointed out in my last Free Press article, and the Canadian Privacy Commissioner pointed out in a recent blog post, the other problem is the alarming frequency of data leaks – despite privacy laws and the need for data security.

For more details on the proposed legislation, and a link to the draft bill, go to David Fraser’s site here and here. Take a look at the CTV interview video – David does a great job summarizing the issues.

Read my latest article on the subject.

Read the Privacy Commissioner’s blog entry.

UPDATE: See Michael Geist’s thoughts on the bill