BMO, Simplii attack: Canadians describe illicit Interac e-transfers out of Simplii accounts

WATCH ABOVE: How to protect yourself following BMO, Simplii banking attack – May 29, 2018

BMO and Simplii Financial, which is CIBC’s direct banking brand, warned of a possible client data breach on Monday.

BMO said “fraudsters” contacted it on Sunday, May 27, claiming to have gained access to the personal and financial information of “a limited number of customers.” The bank said it believes the attack originated from outside the country.

The warning from BMO follows a similar alert from Simplii, which said fraudsters may have electronically accessed data from 40,000 client accounts.

Canadians who claim to be Simplii customers report fraudulent e-transfer withdrawals

Neither bank has confirmed whether customers suffered financial losses as a result of the potential attack. However, several social media users who claim to be Simplii clients reported online that their accounts were hacked and money stolen over the weekend. Global News reached out to a few of them but has not been able to verify whether that alleged fraudulent activity is linked to the broader potential attack flagged by the bank.

Jennifer Gaudet, in Ottawa, said a total of $2,899 was taken out of her account without her knowledge over the weekend through two Interac e-transfers. The alleged withdrawal was just under her $3,000 limit for electronic transfers, she noted.

“I have a home insurance coming up tomorrow,” Gaudet told Global News, adding that she had been frantically trying to set up an alternate payment system with her insurer so that her bills would not go unpaid.

Gaudet said she started suspecting fraud when she wasn’t able to log into her bank account on Saturday and noticed her security questions had been changed. When she called Simplii to flag the issue, however, she claims she was simply offered a password reset.

On Sunday, however, she was reportedly once again locked out of her account. And once again Simplii offered to reset her password, she said. It wasn’t until Gaudet expressed concern about suspicious activity that she was told someone had transferred $2,889 out of her account, she told Global News. Although the transfer went to one of Gaudet’s pre-approved Interac recipients, someone had changed that recipient’s email, she added. A previous illicit transfer had withdrawn $10, she also said.

Gaudet said Simplii put a stop order on the transactions, but that the money hasn’t made it back into her account yet. She also added that the bank never proactively contacted her about the transfers and that she’s been told it could take seven to 10 days to receive a reimbursement.

Global News spoke to two other alleged Simplii customers who described similar fraudulent activity.

Jeff Steinman in Kitchener, Ont., said he lost access to his online banking account on Saturday, when Simplii alerted him of unusual activity and froze his bank card. He later found out about several unauthorized e-transfers between his account and that of one of his existing Interac payees, he told Global News.

Steinman said he’s out several hundreds of dollars but has been told he’ll receive a reimbursement in one to two business days.

“The transaction showed multiple [Interac] email transfer attempts. The contact that was listed was one of our existing transfer contacts which we wouldn’t use again and was a friend of ours,” Steinman said. “We contacted her and she saw numerous transfers and stop payments.”

Another man said fraudsters recently took $660 out of his chequing account via Interac. Global News is seeking more information on this alleged illicit transfer.

Several social media users said that they had been told they would receive a refund within up to two business days, while some said they had already been made whole.

CIBC and Simplii did not respond to repeated requests for comment about the possible data hack and alleged client reports of fraudulent e-transfers.

Global News did not see any reports of BMO bank clients reporting suspect activity over the weekend.

Additional security measures 

Simplii said it has implemented additional online security measures as it continues to investigate. The changes include enhanced online fraud monitoring and online banking security measures.

BMO said it is “confident” that “exposures identified related to customer data have been closed off.”

Both banks said they are reaching out to clients and advised those who notice any unusual activity to get in touch.

A message appearing on the Simplii app on Monday says that “fraudsters may send messages asking for personal information.” The bank said to send any suspicious correspondence to

There is no indication that clients who bank through CIBC have been affected, the bank said.

With files from the Canadian Press
