A Toronto-area contractor says it was "pretty creepy" to discover someone had hacked into his email and impersonated him — convincing customers of his family-owned granite countertop business to send thousands of dollars via e-transfer.

The fraudsters then stole the payments.

"You can't think of something like this happening," said Sarmen Sinani, of Markham, Ont.

"They [fraudsters] were saying, 'Send me the money. And don't send a cheque. Just e-transfer it.'"

Sinani is one of more than 200 people Go Public has learned were recently targeted by fraudsters who stole tens of thousands of dollars, sent via Interac e-transfers, by breaking into email accounts and redirecting the money.

Been wronged and you're not the only one affected? Contact our Go Public team

It has some experts questioning why the popular electronic money transfer system involves email at all, when other jurisdictions have stronger security.

"Canadian customers deserve the best safety and security for their banking and e-transactions," said cybersecurity expert Claudiu Popa, who advises governments and companies. "Unfortunately, we are far from getting there."

Sinani was working on a customer's order when he emailed her in March, asking for a 50 per cent deposit. By May, he still hadn't received it, so he asked again.

To his surprise, his client said she had e-transferred it on March 15. Sinani searched through deleted emails and discovered a fraudster had impersonated him and told his client to e-transfer $2,775.

"The hacker would alter my conversation to them [his customer] and alter their conversation to me," said Sinani. "Basically they were taking full control of two people, just going back and forth. It's unbelievable."

Posing as Sinani, the fraudster told his client he had an out-of-town family emergency and instructed her not to stop by the store to drop off a cheque.

Instead, the fraudster told her to send an e-transfer to a new email that appeared similar to the actual email for Sinani's family business, Sinco Marble and Granite.

Then, the fraudster posed as Sinani's client and altered her emails, telling Sinani that she was dealing with a family emergency and couldn't come to the shop to pay the deposit.

"It was insane," said Sinani. "They played us good."

Sinani says it was 'insane' to discover someone had hacked into his email and was impersonating him with customers. (Mehrdad Nazarahari/CBC)

No help from Interac, CIBC

Sinani says when his customer contacted Interac, the company said its e-transfer system had worked — moving money from point A to point B — and that it was not going to investigate.

"They're just not being co-operative," he said. "I'm sure there's an easy way to see where the money went. But no one wants to work on it, I guess."

Interac declined an interview request with Go Public, but in a statement said each fraud case is "unique and customers should speak to their bank directly."

Interac would not address Sinani's — or other customers' — concerns. Interac is a private company and Canada's big banks and credit unions are among its shareholders.

Sinani's customer lost the money through her account at CIBC. The bank would not tell Go Public what — if anything — it was doing to help trace the money, but in a statement said funds sent "to an email impersonator are very difficult to recover."

York Regional Police are investigating.

'Turning into an arms race'

A cybercrime expert who specializes in password cracking says many people aren't aware of the underground community of fraudsters who buy and share email and password information, aimed at draining bank accounts.

"There's people doing offensive research to determine new ways of attacking," security systems, said Dustin Heywood, with IBM's X-Force Red.

"It's turning into an arms race."

Heywood estimates that the average person uses their email and password on about 300 sites — from the local library to pizza delivery — and any one of those databases can get hacked.

Dustin Heywood is part of IBM's X-Force Red, a global team of hackers hired to break into their systems and fix their security vulnerabilities. He specializes in cracking passwords. (Dave Rae/CBC)

"The problem is, not every site has the same level of security around their passwords," he said. "So if a weaker site gets hacked, then all of a sudden your password is being leaked out."

Heywood says hackers then use bots — custom software — that can lurk undetected on hundreds of thousands of computers.

"They could have something sitting there for months and when the right keywords come through" — such as "payment" or "deposit" and — "Bang! We've got ourselves a transfer."

So Interac's e-transfer system, he says, is only as secure as users' email and passwords.

Interac system 'unique'

On the heels of a Go Public story published last week about e-transfers, we heard from a number of people who have lived in other countries that use systems that allow people to electronically transfer funds directly from bank to bank.

"One does not have to worry about payments being intercepted," Andrew Dunning wrote, about e-transfers in the U.K.

"Everything is practically instantaneous, and it's all traced between the banks. It's shocking to me that the [Canadian] government has not mandated the implementation of this system."

Rajesh Vijayaraghavan of the University of British Columbia's Sauder School of Business, says Interac's e-transfer system is 'unique' because it relies on email, unlike in other developed countries. (Submitted by Rajesh Vijayaraghavan)

Rajesh Vijayaraghavan, who studies risk management in financial institutions, says Interac's system is "unique" because it relies on email, unlike most in other developed countries.

Vijayaraghavan, an assistant professor at the University of British Columbia's Sauder School of Business, says the U.S., Australia, New Zealand, India and other countries have had systems in place for years that allow e-transfers directly from bank to bank — using only a bank code and a person's account number.

"The rest of the world can't be wrong," he said. "It's the better system."

Two weeks ago, the European Union went a step further, requiring all financial institutions to offer two-factor authentication — a system which only allows a user to log on to an account once they've received a code on a separate device or an email at a different email address.

Vijayaraghavan says shifting away from an email-reliant system would require work.

"It's a legacy system," he said. "So this has to be a co-ordinated effort from all banks."

Claudiu Popa, a Toronto-based security expert who advises governments and companies, says online banking customers must demand reform in how e-transfers are authenticated. (John Badcock/CBC)

Popa, the cybersecurity expert, says the only way banks will improve security for e-transfers — and the auto-deposit option — is if the government forces them.

He says requirements for strong authentication are needed immediately, instead of the convenient, but less secure, system currently in place.

"No more secrecy and downplaying these issues," Popa said. "Canadians need to demand reform from their politicians."

Sinani the contractor, says he's no longer a fan of e-transfers, since he and his customer are now in a "stressful" dispute over who should cover the stolen $2,775.

But he says about 80 per cent of his customers want to pay using e-transfer because it's so convenient.

"Convenient is great, until something like this happens to you," he said. "Improving the system would be better."