CSS will never contact you and ask you to provide sensitive information such as your login credentials (login ID and password) to access your account on the myCSSPEN member portal.
For general information on the many types of scams employed by fraudsters, you may find The Little Black Book of Scams, published by the Competition Bureau of Canada, of interest. One of those scams is called phishing and it is described in detail below.
What is phishing?
Phishing is a type of online scam where a fraudster pretends to be a trustworthy source in an attempt to make unsuspecting victims give away sensitive personal information such as login details, Social Insurance Numbers and credit card details for the purpose of fraud or identity theft.
How do I recognize a phishing attempt?
Phishing attempts can be carried out through various means such as emails, text messages and telephone calls, among others. Below are some of the things to look out for in an email to determine the authenticity. Note that some of these tips also apply to other forms of phishing attempts.
Check the sender’s email address: most times, you may have to open the sender’s information to see the email address, depending on the device or email provider you are using. All email addresses used by CSS end with the URL @csspen.com. These are some of the specific emails you may receive from CSS from time to time:
Confirmation emails: you will receive emails from CSS to confirm an activity that you carried out on our website, such as registering for a workshop or myCSSPEN, or submitting online investment instructions. All confirmation emails and account notifications are sent from css@csspen.com.
E-Digest/E-Update: if you are subscribed to our email list, you’ll get emails from communications@csspen.com.
General information about the Plan: emails such as surveys and Plan updates that need to be sent to all members – including those who are not subscribed to our email lists - are sent from communications@csspen.com.
Account-specific emails: information about changes to your personal account are sent from the official email addresses of CSS employees and always end in @csspen.com. Such emails are often initiated by members who have contacted the Plan or specific CSS employees.
Check the content of the message: Phishing emails often give a sense of urgency and ask recipients to take a specific action ‘immediately’. Determine the purpose of the email. Is it providing information, educating you or asking you to take a specific action such as to reply with confidential information, download an attachment or click on a link to perform another action? If you had not performed an action on our website and were not expecting an email (e.g. a confirmation email), we recommend you not click on a link, download an attachment or respond with any personal information until you verify that the message is authentic.
Investigate the link: CSS only uses secure URLs with ‘https’ and the domain csspen.com. If the link in the email uses ‘http’, then it is not from CSS. What if a hyperlink (a word or phrase with a link embedded in it) or button is provided instead of a direct link? Use your mouse to hover over the hyperlink or button (on a computer). In most cases, this will reveal the link and you can check if it is a secure link and a trusted domain as shown in the image below. However, if you are accessing the email on a mobile device, you may not be able to see the link embedded in a hyperlink or a button. It is recommended that you avoid clicking on any suspicious hyperlinks or buttons until you can check on a computer. In all cases, if you are unsure if the message is authentic, contact our office for assistance.
If you determine that the email is suspicious, do not click on any links or download any attachments. Delete the email immediately and contact us to report all suspicious emails or phone calls.
What should you do if you mistakenly click on a suspicious link or provide sensitive information about your CSS account?
If you clicked on the link before realizing that it was a phishing attempt, contact us immediately and also inform your internal IT department if you are using a computer at work. If you believe that sensitive information about your CSS account may have been stolen or obtained by a fraudulent party either online, by telephone or through any other means, contact us immediately.
CSS has security measures in place to protect your pension and personal information. However, we all have a part to play in fighting cybercrime. The tips below are designed to assist you in playing your role.
Tips to protect yourself
Monitor your account: The best way to keep on top of your CSS account and detect any unusual activity is by registering for myCSSPEN. With your myCSSPEN account, you can conveniently and securely track your account, update your information, review emails registered for myCSSPEN access, download your annual statements*, change your investments and more. We send a confirmation email for many of the changes you initiate from your myCSSPEN account. If you receive a confirmation for a change you did not make, contact us immediately.
Create a secure password and change it if you believe it may have been compromised: the password for your myCSSPEN account should be known to you alone and made up of a variety of letters, numbers and symbols. It should be easy for you to remember but difficult for others to guess and unique to your myCSSPEN account.
Be wary of hoax emails: if you receive a suspicious email that appears to be from CSS, delete the email immediately and contact us. Such emails may be sent from an unfamiliar email address and request your personal information or contain harmful links or malicious attachments. Do not respond to the email, do not click on the link, and do not open the attachment. If you mistakenly do any of these, report to your internal IT department (if applicable) and contact us immediately.
Beware of unsolicited calls and SMS texts: fraudsters may attempt to obtain personal information and account information over the phone or text. CSS will never ask for your myCSSPEN account password. If you have a reason to doubt the authenticity of a call from a CSS employee, get the name of the employee and telephone extension number. Disconnect the call and call CSS at (306) 477-8500 or toll-free at 1-844-4CSSPEN (427-7736) to speak with the employee that had called you. If you mistakenly provided personal information over the phone or SMS, contact us immediately.
Protect your devices online: fraudsters have several techniques to access your personal information online. Here are some ways you can stay safe:
Avoid sharing your personal information in public forums or social networks
Regularly manage your cookies and delete your browsing history
Before providing personal information online, check that the browser address is secure (https and a closed padlock icon is in the URL bar)
Keep your mobile device secure
Set up auto-lock on your device
Sign out of websites after browsing
Use a strong secret passcode on your device’s lock screen
Keep your phone operating systems and apps up to date
Only install apps from official app stores, such as Google Play or Apple Store
Avoid installing apps from links received in emails, social media or websites that do not look genuine
Manage the permissions for each app. Many apps collect personal data, like your contacts or location
Check the name of an app publisher before downloading
Protect your device with up-to-date anti-virus software and the latest security updates
Avoid using public computers to log in to your CSS account and if you need to use a public computer, ensure you logout and delete the browser history