CAFT website spoofing
Late on October 31st, 2023 we were advised by our payments partner that a Customer Automated Funds Transfer (CAFT) spoof website was discovered, which has the potential to put our members at risk of fraud if they clicked the fraudulent link. In an abundance of caution, we took immediate action to lock all CAFT accounts.
Steps to take
- If you have not yet called us on or after November 1st to reset your password, you will need to do so in order to access the CAFT account.
- Once logged in, we encourage you to review your recent transaction history. If anything looks suspicious, contact us right away.
- Website spoofing is when attackers set up a fraudulent website that looks nearly identical to a legitimate one to exploit users. Their goal is to redirect unsuspecting users to this spoofed website to capture their credentials, payment, or other personally identifiable information.
- Attackers will usually redirect traffic through email or text messages posing as a legitimate business, or by posting malicious advertisements on search engines. These messages contain links to the spoofed site.
- In this case, the spoofed site has the following URL: caft-paymentsanytime.com. The legitimate CAFT site address is caft.paymentsanytime.com. Please note the key difference in the spoof site is the use of a "dash" between CAFT and payments (caft-payments) where the legitimate address has a "dot" (caft.payments). If a CAFT user logs into the spoof site, their user ID and password may be compromised.
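The dot-versus-dash difference described above is exactly the kind of detail an automated check can catch before a person clicks. The following Python script is an added example, not part of this advisory or of the CAFT system: it compares the hostname of a URL against the one legitimate CAFT address named above, flags the spoof domain as a separator-substitution lookalike, and scans a constructed sample message for links that fail the check. The hostname constant comes from this page; the sample message and the function names are assumptions made for the example, and requiring HTTPS is an added defensive check the advisory does not state.

```python
import re
from urllib.parse import urlsplit

# The only host that should ever receive CAFT credentials (address given in the advisory).
LEGITIMATE_CAFT_HOST = "caft.paymentsanytime.com"

# Loose URL matcher for pulling links out of message text (assumption: good enough for plain-text mail).
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


def normalize_host(host):
    """Lowercase the hostname and drop a trailing dot so comparisons are exact."""
    return host.lower().rstrip(".")


def skeleton(host):
    """Collapse separators that are easily confused at a glance (dash vs dot),
    so caft-paymentsanytime.com and caft.paymentsanytime.com compare equal."""
    return host.replace("-", ".")


def check_caft_url(url):
    """Return (ok, reason). ok is True only for an exact HTTPS match of the legitimate host."""
    # urlsplit only recognises a hostname when a scheme is present.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = normalize_host(parts.hostname or "")
    if not host:
        return False, "no hostname in URL"
    if host == LEGITIMATE_CAFT_HOST:
        if parts.scheme != "https":
            return False, "legitimate host but not over HTTPS"
        return True, "exact match for legitimate CAFT host"
    if skeleton(host) == skeleton(LEGITIMATE_CAFT_HOST):
        return False, f"lookalike of {LEGITIMATE_CAFT_HOST}: separator substituted"
    if LEGITIMATE_CAFT_HOST in host:
        # e.g. caft.paymentsanytime.com.evil.example: the real name is only a prefix.
        return False, "legitimate name embedded in a different domain"
    return False, "not the CAFT host"


def find_suspicious_links(text):
    """Return [(url, reason), ...] for every link in text that fails check_caft_url."""
    flagged = []
    for raw in URL_PATTERN.findall(text):
        url = raw.rstrip(".,;:)")  # trailing sentence punctuation is not part of the link
        ok, reason = check_caft_url(url)
        if not ok:
            flagged.append((url, reason))
    return flagged


# Constructed sample message for the example; it is not a real phishing email.
SAMPLE_MESSAGE = """Your CAFT file needs approval. Log in at
https://caft-paymentsanytime.com/login before 5pm.
Help: https://caft.paymentsanytime.com/help
"""

if __name__ == "__main__":
    for url, reason in find_suspicious_links(SAMPLE_MESSAGE):
        print(f"FLAGGED {url}: {reason}")
```

The check is deliberately an exact allowlist match rather than a blocklist of known spoof domains: as the advisory notes, other spoof sites may exist, and an allowlist rejects all of them without needing to know their names in advance.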
Recommendations to protect yourself
- Update your password regularly: A good practice is to update every 3 to 6 months. Do this for all users who have access to your originator.
- Use a strong password: Create a unique and complex password with a mix of uppercase and lowercase letters and numbers, and avoid using easily guessable information like your name, birthdate, or common words.
- Pay critical attention to URLs: Beyond the one spoof site, others may exist! Ensure you are using the correct URL: caft.paymentsanytime.com.
- Never communicate or keep a copy of your CAFT User ID and password in your email account: A common way of gaining illegitimate access to a financial account is through the discovery of this kind of sensitive information within a compromised email account.
- Enable multi-factor authentication on your email account, if available: An example of MFA is when you must also enter a security code sent to your phone whenever you attempt to log in from a new device.
- Beware of phishing attempts: Be very cautious of unsolicited emails asking for your login credentials. Double-check the sender's email address and look for suspicious links or attachments. Even if an email appears to be coming from a legitimate sender, if it involves changes to banking information, attempt to verify via another communication method (e.g., a phone call).
- Log out of shared devices: Always log out of your accounts when using public or shared computers or devices. If possible, avoid using public Wi-Fi for sensitive activities.
For more information contact us at 1.800.728.6440 or visit the Cyber Security CAFT User Guide.
At this time, there is no indication that this is a CAFT system vulnerability issue. Cybersecurity is a responsibility we all share. Website spoofing, as well as email and text message fraud, is becoming increasingly common and sophisticated. We make every effort to monitor and track suspicious websites and, when discovered, we take all necessary steps to protect our members.
For your part, we recommend you:
- change your passwords often, and use strong passwords
- operate with extreme caution before clicking any link sent to you by email or text
- check the URL in your browser before you log in to any site, and check it every time, to ensure you are on the correct website.
- consider bookmarking sites so that you know you are going to the same site every time
If you have not yet called us on or after November 1st to reset your password, you will need to do so in order to access the CAFT account.
- Activate features built into the CAFT system that help mitigate risk, such as establishing limits on transactions and file amounts and enabling dual authorization.
- Don't click on a link that was provided in an unexpected email.
Our first step was to lock all CAFT accounts as a precautionary measure, and to require that members contact us to reset their passwords. This allows us to confirm each member’s identity before granting access.
Moving forward, we encourage members to protect themselves and we provide resources such as our Fraud Prevention Resource Centre and our Cyber Security CAFT user guide to share best practices and helpful tips our members can use.