CRA-5.8.11F

Licensees must comply with the following requirements with respect to URLs or other clickable links in communications with clients:

(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of client request or action. Examples of such client actions include verification links for client onboarding, payment links for client-initiated transactions etc;
(b) Refrain from using shortened links in communication with clients;
(c) Implement measures to allow clients to verify the legitimacy of the links which may include:
(i) clear instructions on the licensee’s website/app where the link is sent as a result of client action on the licensee’s website/app;
(ii) communication with client such as a phone call informing the client to expect a link from the licensee;
(iii) provision of transaction details such as the transaction amount and merchant name in the message sent to the client with the link;
(iv) use of other verification measures like OTP, password or biometric authentication; and
(d) Create client awareness campaigns to educate their clients on the risk of fraud related to links they receive in SMS, short messages and emails, with clear instructions to clients that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of client request or action. Licensees may also train their clients by sending fake phishing messages.
Added: April 2023
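As an added illustration, not part of the rulebook or of any licensee's systems, the following Python pre-send check turns requirements (a), (b) and (c)(iii) into a policy gate that an outbound-messaging service could run before a message leaves. The shortener host list, the message fields and the sample messages are constructed assumptions for the example.

```python
"""Pre-send policy gate for outbound client messages (added example).

Encodes CRA-5.8.11F (a), (b) and (c)(iii). Not code from the rulebook or from
any licensee; the shortener list, the message schema and the sample messages
below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed list of well-known URL-shortener hosts (assumption: a real
# deployment would maintain and update its own list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# Channels the rule treats as "SMS and other short messages".
SHORT_MESSAGE_CHANNELS = {"sms", "whatsapp"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class OutboundMessage:
    channel: str                    # "sms", "whatsapp" or "email"
    body: str                       # text exactly as the client will see it
    client_initiated: bool          # sent as a result of a client request/action, rule (a)
    is_payment: bool = False        # message carries a payment link, rule (c)(iii)
    amount: Optional[str] = None    # transaction amount the client expects
    merchant: Optional[str] = None  # merchant name the client expects


def extract_hosts(body: str) -> List[str]:
    """Return the lower-cased host of every http(s) link in the message body."""
    return [m.group(1).lower() for m in URL_RE.finditer(body)]


def check_message(msg: OutboundMessage) -> List[str]:
    """Return the list of rule violations; an empty list means the message may be sent."""
    findings = []
    hosts = extract_hosts(msg.body)
    if not hosts:
        return findings  # no link, nothing in CRA-5.8.11F applies

    # (a): links in short messages only when the client asked for them.
    if msg.channel in SHORT_MESSAGE_CHANNELS and not msg.client_initiated:
        findings.append("CRA-5.8.11F(a): link in short message not triggered by client action")

    # (b): no shortened links in any channel.
    for host in hosts:
        if host in SHORTENER_HOSTS:
            findings.append(f"CRA-5.8.11F(b): shortened link ({host})")

    # (c)(iii): payment links must carry the amount and merchant name, and those
    # details must actually appear in the text the client receives.
    if msg.is_payment:
        if not msg.amount or not msg.merchant:
            findings.append("CRA-5.8.11F(c)(iii): payment link without amount and merchant name")
        elif msg.amount not in msg.body or msg.merchant not in msg.body:
            findings.append("CRA-5.8.11F(c)(iii): amount/merchant not included in message body")
    return findings


# Constructed sample messages; hosts use the reserved .test TLD.
SAMPLE_MESSAGES = [
    OutboundMessage("sms", "Confirm your payment of BHD 25.000 to Example Store: "
                    "https://pay.example-licensee.test/tx/123",
                    client_initiated=True, is_payment=True,
                    amount="BHD 25.000", merchant="Example Store"),
    OutboundMessage("sms", "Your account needs verification: https://bit.ly/abc123",
                    client_initiated=False),
    OutboundMessage("email", "Your monthly statement is ready: "
                    "https://portal.example-licensee.test/statements",
                    client_initiated=False),
    OutboundMessage("whatsapp", "Pay here: https://pay.example-licensee.test/tx/456",
                    client_initiated=True, is_payment=True),
]


def audit(messages: List[OutboundMessage]) -> dict:
    """Map each message index to its findings, for a batch review."""
    return {i: check_message(m) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_MESSAGES).items():
        status = "OK" if not findings else "BLOCK"
        print(f"message {idx}: {status} {findings}")
```

The gate blocks rather than rewrites: a message with findings goes back to the originating team, which keeps the decision about what the client sees with the people who know the transaction context. Rule (c)(i), (ii) and (iv) are process controls (website instructions, a phone call, OTP or biometric step-up) and are left to the surrounding workflow rather than to this text check.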