Beware the live chat banking scam

If you shop online, chances are you’ve seen one of those “live chat” boxes appear when visiting your favourite store. These handy customer service tools let online businesses emulate some of that individualized attention we get at brick-and-mortar stores.

Unfortunately, they’re also the latest tactic for scammers phishing for your personal data when you bank online. Here’s how it works:

You visit your bank’s website. You’re knowledgeable about phishing scams, so you went directly to the website and are assured that what you’re using is secure.

Suddenly, your session freezes up. A chat window then pops up with a warning message. According to various reports, it looks something like this:

“The system couldn’t identify your PC. You will be contacted by a representative of bank to confirm your personality. Please pass the process of additional verification otherwise your account will be locked.”

The grammar leaves a lot to be desired — but crooks are counting on you to be a little panicked and not paying close attention. You might see an additional message asking you to wait for a representative who will be with you shortly. You can’t access your accounts, and your anxiety is increasing.

A helpful “bank employee” will then appear and walk you through the verification process to unlock your account. You may be asked for your personal information such as your account number, password or user ID — the information scammers need to hack into your account or make a purchase elsewhere.

No, your bank’s website hasn’t been hacked. The culprit is some malicious code sitting on your computer — a reiteration of the Shylock malware that keeps security experts on their toes. (The malware gets its curious name from “The Merchant of Venice” — creative hackers are known to insert lines from the play into their code.) You think you’re talking to a bank representative, but instead you’re responding to an automated script that asks the right questions at the right time.

Online chat scams aren’t new, but the worst they used to do was send users to a phishing website. Now the phishing scheme comes directly to you via your internet browser. Crooks don’t need to worry about their fraudulent sites being shut down.

The scam has been around for a few months now — it was first identified by security service Trusteer back in February. So far it’s been limited to bank websites and targets business users, but experts worry that the strategy could be used in different contexts too. For example, there’s a related insurance scam recently making the rounds that uses the same tactic.

As outlined in a recent warning on, in this version you’ll see a pop-up window offering to sell you insurance. The message seems to be legitimate because it cites your bank account balance — making it seem like your bank is part of the deal. Next, the scammers send you a new account number and ask you to transfer a significant sum to activate your new insurance. We’re sure you can guess where your money will actually go.

So far, there’s no evidence these scams have made it to Canada — but successful tactics can cross borders as easily as computer viruses. We may never come across these scams, but it doesn’t hurt to be ready.

How can you avoid these scams?

– Use antivirus software on your computer and keep it updated.

– Avoid clicking on suspicious links or downloading files from questionable sources. Unfortunately, experts warn Shylock can get around some anti-virus programs, so your best defence is to avoid downloading the malware in the first place.

– Don’t respond to any live chat messages on your bank’s website. If your bank does use live chats on its website, experts say to proceed with caution — watch out for grammar mistakes and requests for personal information or cash. Your bank already knows your account numbers, and you should never be asked for your password or PIN number.

– If you come across a questionable chat service, log off the website and shut down your browser. You’ll want to take steps to have the virus removed from your computer.

– If you think your information has been compromised, call your bank immediately. Be aware that if you wired or transferred cash, there’s little chance it can be traced.

