Cyber fraud no surprise, but scammers targeting PayBC an unusual tactic: Experts

"It's definitely a play to authority ... 'Hey, this is the government, pay some money'"— Brandon Laur, CEO The White Hatter

Online phishing scams are routine, but cybercrime experts say the recent scam involving the province’s PayBC site is a new workflow.

PayBC is a secure web page that allows residents to pay provincial fees, such as for traffic violations. But in this case scammers built an identical fake website to collect personal and credit card information from unsuspecting victims.

“It’s definitely a play to authority, so using that authority figure to say ‘hey, this is the government, pay some money,’” Brandon Laur, CEO of the cybersecurity education company The White Hatter, said about the scheme.

The province on Monday issued a warning statement about the scam, in which residents received text messages that reported they’d been caught speeding.

That text directs recipients to a website link where they’re told they can pay the ticket to avoid going to court, but that link takes them to the fraudulent website.

A statement from the Ministry of Finance said the province has never used an automated speeding system, and neither the province nor ICBC sends texts to notify motorists of violation tickets or request payment.

A text message scam can involve speeding violations. Postmedia

Ministry staff said the province has heard from “a small number of people” who received the texts and advises people to simply delete them, but “further action will be taken as needed.”

While it is common advice to never respond directly to any text that requests payment, Laur said he isn’t surprised.

“What I find interesting about this is that they’re using a less commonly known system or workflow that people aren’t used to,” Laur said.

While scams that impersonate a specific bank or telecom provider can be more transparent because people are more familiar with those websites, Laur said people aren’t necessarily familiar with this payment option.

The Canadian Anti-Fraud Centre counted 106,000 reports of online fraud that bilked Canadians out of $379 million in 2021, the latest year for which figures are available.

The province, in a statement, said the fake website — which has since been removed — looked identical to PayBC, but with a different website address. The legitimate URL for the PayBC site is pay.gov.bc.ca.

Setting up scams, however, is “relatively simple,” Laur said. Scammers can obtain internet phone numbers by using fake information, then buy lists of cellphone numbers to text that have either been leaked from data breaches or the databases of other hackers.

“There’s tons of ways (to get numbers), sometimes there are marketing agencies who just sell lists of numbers because that’s the world we live in,” Laur said.

It also wouldn’t be difficult to simply use a random-number generator using B.C.’s known area codes and three-digit exchange prefixes, said Arron Ferguson, a faculty instructor in web development at the B.C. Institute of Technology.

Ferguson said creating fake websites can be as simple as copying the source code of the legitimate website from their browser and pasting it into their own document.

“The format of web is such that it’s open,” Ferguson said. “So you can see any sort of source code for styling, any source code for the scripts, so you can download those and save them.”

Then Ferguson said it is easy and cheap to buy and register a domain name for a fake website online with one of the domain registries to start a fraud.

He added that domain registries have portals to report fake sites and are good about taking them down quickly, but it is “a game of cat and mouse” to stay ahead of new frauds as they are established.

Laur said fraudsters can also easily check potential names against the databases of domain registries and pick available URL addresses that can hide a real-looking domain name within a foreign web address.
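
To show why a real-looking name inside a different web address should not be trusted, the following added example (not part of the original article) accepts a link only when its hostname is exactly pay.gov.bc.ca over HTTPS. The function name, reason labels and sample links are assumptions made for illustration; the samples are constructed and use the reserved `.example` domain.

```python
from urllib.parse import urlsplit

LEGITIMATE_HOST = "pay.gov.bc.ca"  # the PayBC address stated in the article


def check_link(url: str) -> tuple[bool, str]:
    """Decide whether a link from a text message really points at PayBC.

    Returns (trusted, reason). Only the hostname decides trust: the real
    name appearing anywhere else in the address proves nothing.
    """
    parts = urlsplit(url.strip())
    # urlsplit lowercases the hostname; a trailing dot names the same host.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "not-https"
    if host == LEGITIMATE_HOST:
        return True, "exact-host-match"
    if LEGITIMATE_HOST in host:
        # The real name is only the left-hand labels of some other domain.
        return False, "real-name-inside-other-domain"
    if LEGITIMATE_HOST in url.lower():
        # The real name sits in the path or query, not in the hostname.
        return False, "real-name-outside-hostname"
    return False, "different-domain"


# Constructed sample links (not taken from the actual scam).
SAMPLES = [
    "https://pay.gov.bc.ca/",
    "https://pay.gov.bc.ca.ticket-office.example/pay",
    "https://ticket-office.example/pay.gov.bc.ca/login",
    "https://speeding-fines.example/",
    "http://pay.gov.bc.ca/",
]


def report() -> dict[str, tuple[bool, str]]:
    """Classify every constructed sample link."""
    return {url: check_link(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, (trusted, reason) in report().items():
        print(f"{'TRUST ' if trusted else 'REJECT'} {reason:32} {url}")
```
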

Ferguson said the frauds prey on people who are busy and catch them off guard, so “the most effective way to combat this is through education, helping people remember that SMS messages, the text messages we get, we should be checking those.”

depenner@postmedia.com

x.com/derrickpenner

With files from The Canadian Press

