Phishing is a type of scheme that uses fraudulent email, web pages and text messages to gather personal, financial and sensitive information for the purpose of identity theft. Most commonly, users receive spam email (mass email messaging), text messages and pop-up windows that appear to come from legitimate businesses. People have been tricked by these deceptive solicitations into sharing passwords, social insurance, credit card and bank account numbers.
How phishing works
Phishing emails and text messages are often sent out as spam to numerous recipients and appear to come from legitimate businesses, sometimes even duplicating legitimate logos and text. Within a phishing email, you may be requested to click on a link that takes you to a fraudulent site or pop-up window where you are asked to submit personal and financial information. A phishing text message may request that you send personal information back to the sender through text message or call a phone number.
In order to increase the chances of a response, messages may imply a sense of urgency or an immediate risk to bank accounts or credit cards if you fail to answer. Special offers and prizes may also be promoted as incentives.
What phishers do with your personal information
Phishers can access your accounts using your passwords and other information to withdraw money or make purchases. Personal information can also be used by phishers to open new bank or credit card accounts in your name.
What to look for in a valid message from CIBC
The message below illustrates some of the email components that are acceptable in an email coming from CIBC. CIBC will never send you an email or text message asking you for personal or financial information.
A valid CIBC message:
Signs that your message may be a phishing email
The message below illustrates some of the email components that are not acceptable in a CIBC email. In this example, phishers used a valid email display name, "CIBC Thanks You", but the actual email address did not belong to CIBC.
You can verify email addresses by viewing the properties of the address.
Your email application will often show the actual address in brackets in the "From" field. For example, with this email address: CIBC Thanks You <email@example.com>, the actual email is from abc.org and not CIBC.
Alternatively, you can right click on the address and select "Properties" to determine the actual address of the sender.
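The same check can be automated over a message's "From" header. The following is an added example, not code from CIBC: it assumes cibc.com is the only legitimate sending domain, and the function names and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumptions for this example: the brand keyword and its legitimate domain.
BRAND_KEYWORDS = ("cibc",)
TRUSTED_DOMAINS = {"cibc.com"}


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or a subdomain of it (whole-label match)."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_from(from_header: str) -> str:
    """Compare the name shown to the reader with the address actually used."""
    display, address = parseaddr(from_header)
    _local, sep, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not domain:
        return "unparseable"
    if not any(k in display.lower() for k in BRAND_KEYWORDS):
        return "no-brand-claim"
    # A matching domain is necessary, not sufficient: the From header itself
    # can be forged, so this only catches the display-name trick.
    return "brand-domain-match" if is_trusted(domain) else "display-name-mismatch"


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    samples = [
        "CIBC Thanks You <email@abc.org>",   # brand name, unrelated domain
        "CIBC Alerts <alerts@cibc.com>",     # brand name, brand domain
        "CIBC <alerts@cibc.com.abc.org>",    # brand used as a subdomain label
        "Jane Doe <jane@abc.org>",           # no brand claim at all
    ]
    for s in samples:
        print(f"{check_from(s):22} {s}")
```

The third sample shows why the comparison is made on whole domain labels: an address ending in cibc.com.abc.org still belongs to abc.org.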
CIBC is continuously working to ensure your security against phishing schemes.
Any unsolicited email that appears to be from CIBC, or from any organization with which you do business, and that asks you to click a link and re-enter your personal information or password should prompt you to contact the company directly. Type www.cibc.com or the business's website address directly into your browser instead of using the link in the email. If you are unsure of the authenticity of an email, please delete it.
If you receive a text message that appears to be from CIBC and asks you to send personal information, do not respond to it. Instead, forward it to firstname.lastname@example.org.
At CIBC, we go to great lengths to protect your personal information and ensure CIBC Online Banking® is secure. If you ever doubt the legitimacy of any email or text message claiming to originate from CIBC, call CIBC Online Banking at 1-888-872-2422.
CIBC email and text message best practices
CIBC does send:
- Solicited messages that respond to clients' requests
- One-time verification codes used to complete online banking transactions
- Online banking alerts that clients have subscribed to
- Welcome messages
- Messages that have live links to other CIBC marketing content, but only written URLs (non-live links) to a website
- Debit and credit card fraud alerts
CIBC does not send emails:
- Unsolicited messages asking clients to provide, confirm or update personal records
- From a third-party address or link to a third-party site
- Without information about why a client is receiving the email
- Needing an urgent response
Canada's Department of Public Safety and Emergency Preparedness and the United States Department of Justice recommend these 3 steps to defend against phishing schemes: Recognize it. Report it. Stop it.