Go directly to content

How Desjardins didn't react well to its data theft

How Desjardins didn't react well to its data theft

With the announcement of the theft of the data of 2.9 million members, we would've thought that Desjardins would've done everything in its power to make sure all its members are well aware of the situation and what to do next. Sadly, they skipped a couple of important details that might prevent lots of people of getting access to important information on the subject.

Frauds will take advantage of the situation

When a problem like this occurs, it becomes the perfect occasion for frauds. There are already rumours about frauds that are already trying to take advantage of the situation and are communicating with people by pretending they're Desjardins.

You have to be twice as vigilant when problems like this happen and you get an e-mail from the company implicated in the breach. In most fraudulent e-mails, you can detect them by watching for the following :

  • Links don't point to a real domain name and they look "weird";
  • E-mails aren't addressed to you specifically;
  • There are sometimes grammar problems and missing images in the e-mail.

Sadly enough, in the latest communication we got from Desjardins, they didn't pay attention to this, which means that lots of persons won't see the important information contained on their website.

Their links don't seem trustable 

When a problem like that happens, it's important to make sure you do everything to keep and regain your members' confidence. In the current case, the e-mail Desjardins sent didn't pay attention to these basic anti-phishing rules. As you can see in our printscreens, the links in the e-mail don't seem to come from a trustable source. Eventhough it is officially a Desjardins domain name, the fact that the domain name is « dsf-dfs.com », which really looks like a made-up domain name, and that there are a bunch of numbers and weird codes after really don't inspire confidence to click on it. 

Since what happened is so important, they should've made sure they use the « desjardins.com » domain name to guarantee that the website is trustable.

The e-mail isn't addressed to us specifically

Another thing they forgot is to include a « Greetings Firstname Lastname » in the beginning of their e-mail. Most fraudulent e-mails don't have access to know what's the name of the person linked to a specific e-mail, but Desjardins does! That added to the fact that normally, when they write us, they make sure to include our full name in the e-mail, which in this case, they haven't : 

As mentionned time and time again, it's important for everybody to be careful and watch for phishing, but one important point that we often forget, is the responsability that companies have to make sure they do everything in their power to send e-mails that give their customers confidence they can open.

/ 394