It starts with what sounds like a promising phone call: For a one-time fee, you can lower the interest rate on your credit card.
But the person on the other end of the line isn't with your bank or credit card company: They're a fraudster, looking to cash in on a common frustration.
And what they're really after is your identity.
It's known as the low-interest or rate reduction scam, where a caller pitches you a limited-time offer to reduce your rate for a service charge of anywhere from $500 to $5,000.
To take advantage, you're asked to verify your personal information — just like you would with any financial institution: Name, date of birth and address. And if you accept that one-time fee, the so-called agent must also verify your credit card number, expiration date and security code.
While the Canadian Anti-Fraud Centre has received around 300 complaints about such scams in both 2016 and 2017, an investigation by Marketplace suggests the scope of the problem is much bigger.
Some of the sensitive information leaked to Marketplace included credit card numbers, social insurance numbers and addresses — even recent account balances. (CBC)
Through a leak from one illegal call centre in Pakistan, Marketplace obtained a comprehensive list of records for nearly 3,000 Canadians who've fallen victim to this scam.
It contained a wealth of sensitive personal information, including credit card numbers, social insurance numbers, addresses, maiden names, employer names and annual incomes. In some cases, even telephone-banking codes and recent account balances were listed.
It's valuable personal information that can be — and often is — bought and sold for as little as $1 in the shadowy underworld for stolen identities.
'It was unnerving'
Winnipeg resident Grace Johnston remembered getting such a call about three years ago and admits to giving up some of her information — just her name and her address — during the so-called verification process.
"It sounded very legitimate. It sounded like it was trusting," she said. "That was enough to … start this ball rolling for me."
The agent wanted $500 to reduce her interest rate, which she ultimately declined.
Not long after, she received a letter from Royal Bank, asking her to come pick up her new credit card. She hadn't applied for one.
"They had all my information: My birthday, my address, my phone number, my mother's maiden name," Johnston said. "It was a violation of my privacy. It was unnerving because you've got all this information out there."
Her personal information — including her new credit card number — also ended up on the list of Canadian identities obtained by Marketplace.
Johnston still has no clue how the scammers got so much additional information. She thought she had protected herself by changing her credit card and signing up for credit monitoring and fraud alerts with Equifax.
"My credit information is out there and it keeps coming back to haunt me," she said, noting that the scammers continue to call her at work. "It's just overwhelming to know that it's out there like that and it can affect like so many different aspects of my life."
The leak to Marketplace perhaps provides one clue: In addition to the roughly 3,000 names, Marketplace also obtained close to 200 phone recordings of the fraud playing out on American victims. In some calls, the phoney agents have sold a rate reduction. In others, it sounds as if they're attempting to access bank accounts by telephone by impersonating the victims.
"Canada has always been the most favourable market for low-interest scams," said Muhammad Yousfi, a former call centre operator turned whistleblower in Pakistan who now does fraud prevention.
"The majority of the people who actually fall for this are already ... indebted to their necks … so they're looking for a way out," he said.
Muhammed Yousfi is a former call-centre operator turned whistleblower. He now works in fraud prevention, trying to protect consumers and to expose these illegal operations. (CBC)
The personal information obtained through the phone scam is critical to committing all sorts of other fraud, said Yousfi, setting off a "perpetual cycle."
"It could be used to go ahead and apply for new credit cards. We have actually gone as far as refinancing ... a person's mortgage," said Yousfi, who claimed to have made thousands of dollars a month while working in the call centres.
"We can pretty much redefine their lives by having that information," he said. "You can actually keep on using this information, reselling this information online to other call centers, to hackers, to criminal syndicates — the whole nine yards."
Marketplace wanted to find out how widely the stolen information might be distributed.
With Johnston's permission, Marketplace provided her information to Terbium Labs, a Baltimore-based cybersecurity company that specializes in monitoring online platforms for stolen data, including the dark web.
The dark web is an unindexed part of the internet that is difficult for everyday users to access. It is not visible on common search engines like Google, and that element of anonymity has made the dark web an online haven for the sale of illicit material.
The lab found what's believed to be Johnston's credit card information — along with that of hundreds of other Canadians — for sale for about $30 on a website that specializes in selling stolen credit cards.
The posting, from late 2018, has since been taken down.
Emily Wilson is vice-president of research for Terbium Labs, a Baltimore-based cybersecurity company that specializes in monitoring online platforms for stolen data. (John Lesavage/CBC)
"The fact that it's no longer there means that someone has probably bought it already, which means that she may be at risk for even more compromise," said Emily Wilson, vice-president of research for Terbium Labs.
Once someone's personal information is out there, Wilson said it's likely going to be available to exploit for decades.
Marketplace came across several dark-web markets that sold everything from stolen personal information to narcotics. The websites are laid out just like any traditional online shopping site, such as Amazon or eBay.
A search for "Canada" on one of the biggest underground marketplaces, Dream Market, brought up dozens of pages of stolen identities, offering everything from Quebec profiles to Canadian bank logins.
One ad offered more than 1,000 full profiles, which included names, addresses, credit card numbers, dates of birth, social insurance numbers and driver's licences. While the purchase of one profile cost $100, if you bought in bulk, the price would drop to $20 apiece.
Another showed a sample profile from Quebec, featuring someone's full name, address, date of birth and a social insurance number. It was for sale for about $10.
A search for 'Canada' on one of the biggest underground marketplaces, Dream Market, brought up dozens of pages of stolen identities. (Screenshot)
The sellers, much like a vendor on Amazon, had profiles with star ratings to rank their credibility. Some sellers had thousands of sales.
Marketplace reached out to several top sellers from these marketplaces and other known carding sites, which deal exclusively in stolen credit card information. Some responded on the condition their usernames not be mentioned.
Multiple sellers told Marketplace their primary way of getting personal information was through leaks, phishing scams and hacks. One seller said they could make up to $10,000 a month.
Another seller provided a photo of what appeared to be a mailbox full of debit cards from a Canadian bank after hacking numerous accounts. That same seller even provided the full credit history of a Quebec resident.
Part of their reason for doing this? It's anonymous.
As one seller said: "You sell Canadian profiles, you don't do jail, or not much."
Identity theft is big business
According to the Canadian Anti-Fraud Centre, Canadians reported nearly $20 million lost to identity fraud in 2018. But the federal agency warns that figure could be much higher due to under-reporting.
The U.S. Department of Justice, by contrast, indicted 36 people last year in one transnational criminal operation, responsible for more than $530 million in losses from cybercrime, which included selling stolen identities.
"Personal information is currency," said Claudiu Popa, author of The Canadian Cyberfraud Handbook and a cybersecurity expert who advises government and companies.
"We live in the information age, but we're also made up of information — so all of those facets of information add up to real money for the wrong people."
Once someone's personal information is put out there, cybersecurity expert Claudiu Popa says there's little that can be done to make it disappear. (Jenny Cowley/CBC)
And once someone's information is out there, Popa says there's little that can be done to make it disappear.
"I think it's the sad reality of many Canadians ... who are finding out that maybe some of the data breaches that they may have suffered in the past was not devoid of impact," he said. "And in fact, it could impact our lives for years to come."
If you're worried your identity has been compromised, Popa recommends changing as many identity elements as possible: Credit cards, bank accounts, passwords, answers to security questions — even email addresses.
And signing up for credit monitoring and fraud alerts, while not perfect, is worth considering, he says.
"All we can do is have a plan — and have a plan for reacting as quickly as possible."