TIL: Canadian banks have differing e-transfer security standards (and scammers are taking advantage)

In late June, Reddit user u/ProfessionalDisk525 was negotiating the purchase of a computer on Facebook Marketplace. During these negotiations he made a post on Reddit, asking if it was normal for a seller to ask for an e-transfer prior to meeting.

Sending payment before meeting is unusual. The buyer was correctly concerned. But they weren’t totally sure if this was a scam or not.

Why?

Because in this case, the seller didn’t want the e-transfer password until after u/ProfessionalDisk525 took the computer.

The seller gave a solid rationale. Waiting for the e-transfer on site “would take too long”. If the buyer wanted the computer after inspection, then they could provide the password.

A suspicious request, but it doesn’t seem risky. Without the password, the seller cannot access the money. If it was a scam, nobody could figure out how it worked… until user r/fkih (Rida F’kih) showed up.

He shared the following comment, which has received +712 "upvotes" as of this publishing:

“Yes. It’s probably a scam.

Once you send the first transfer, he’ll come up with some excuse for you to send a second, smaller transfer. He will claim it’s in order to test his account, cover a delivery charge, or to reimburse him for an "accidental transfer" he sent you, or a small transfer that he "was using to test his account", etc.

You send the second transfer, say for $1, and set the question and answer to something he knows.

Unbeknownst to you, you’ll have changed the question and answer for both transfers. He will then go deposit the first.

To clarify, when you set the question and answer for an Interac transfer, you’re setting it for the contact, not for the transfer, and thus the security question and answer is set for all pending transfers going to that person.

This scam takes advantage of the fact that most people do not know this, and it’s understandable given how moronically unintuitive it is.”

Now we had a plausible explanation. But it still didn’t make sense. I regularly send and receive e-transfers, and this isn’t how I understood them to work.

I tried to replicate the scam with my online bank account. No luck. Tried again with my “Big 5” bank account. Again, no luck. Determined, I reached out to r/fkih and shared the results of my experimenting. He attempted it with one of his bank accounts. He couldn’t replicate it either. Growing frustrated, he confided that maybe he "hallucinated" this whole thing.

But then, he found examples of past occurrences of the same phenomenon:

1. Warning: Lost $2,000 to a TD Bank Transfer Scam When Buying a Camera!

2. Scammed deposited an (sic) transfer without the password

3. Raising awareness for interac fraud

We had found the common thread – TD Bank was specifically mentioned in two of the three posts. On July 1st, we tested the method with TD Bank. Sure enough, we replicated the issue.

It appears that TD Bank does, in fact, assign a password per contact and not per transaction. I can’t say whether they are the only bank that does this, but of the four we tested, they were the only one who handles e-transfers in this manner.
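The difference between the two designs can be shown with a small model. This is an added example, not code from the original post and not any bank's or Interac's actual implementation; the `Ledger` class, the address, amounts and answers are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Transfer:
    tid: int
    recipient: str
    amount: float
    answer: Optional[str]      # stored only when answers are per-transfer
    deposited: bool = False

class Ledger:
    """Constructed sender-side model; scope is 'contact' or 'transfer'."""
    def __init__(self, scope: str):
        self.scope = scope
        self.contact_answer = {}   # recipient -> answer (per-contact design)
        self.transfers = []

    def send(self, recipient, amount, answer):
        """Create a transfer; return (id, ids of pending transfers whose answer changed)."""
        changed = []
        if self.scope == "contact":
            old = self.contact_answer.get(recipient)
            if old is not None and old != answer:
                changed = [t.tid for t in self.transfers
                           if t.recipient == recipient and not t.deposited]
            self.contact_answer[recipient] = answer
        stored = answer if self.scope == "transfer" else None
        t = Transfer(len(self.transfers) + 1, recipient, amount, stored)
        self.transfers.append(t)
        return t.tid, changed

    def deposit(self, tid, answer):
        """Return True only if this call released the funds."""
        t = self.transfers[tid - 1]
        expected = (self.contact_answer[t.recipient]
                    if self.scope == "contact" else t.answer)
        ok = not t.deposited and answer == expected
        t.deposited = t.deposited or ok
        return ok

def replay(scope):
    """Large transfer with a withheld answer, then a $1 transfer with a shared one."""
    ledger = Ledger(scope)
    big, _ = ledger.send("seller@example.test", 500.0, "withheld-answer")
    _, changed = ledger.send("seller@example.test", 1.0, "shared-answer")
    return changed, ledger.deposit(big, "shared-answer")

if __name__ == "__main__":
    for scope in ("contact", "transfer"):
        print(scope, replay(scope))
```

The `changed` list is the information a sender would need to see before confirming the second transfer: in the per-contact model it names the pending transfer whose answer is about to be replaced, and in the per-transfer model it is always empty.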

Why am I telling this story?

First, to spread awareness. Canadians sent 1 billion e-transfers in 2022 (according to Interac), yet I haven’t seen mainstream coverage about these major differences in e-transfer security. If this post helps one person avoid losing money then it was worthwhile.

Second, while TD apparently discloses that this is how their e-transfers work, clearly not all their users are getting the memo. They could be doing a much better job handling security for their customers in this regard.

For example, TD’s “Intelliresponse” section on creating security e-transfers does not clearly explain how their security protocols are different from other banks. This seems like an oversight.

Conclusion

Scammers today are more organized and cleverer* than ever before. Canadians need to remain hyper vigilant when dealing with unfamiliar parties online. And we need to hold our institutions to higher standards.

If you are ever unsure about whether or not something is a scam, I highly recommend you ask for a second opinion from someone – whether that’s a trusted friend, advisor, or a social media site like Reddit. It could save you a ton of time, money, and grief.

That’s all for now. Thanks for reading!

Jason

*yes, that’s a word.
