Skip to main content

Phishing & Website Fraud

Common Schemes & Scams Online

The following are common scams used to gain access to personal and financial data.

Phishing

Phishing is a common online scam designed to trick you into disclosing your personal or financial information for the purpose of financial fraud or identity theft.

Phishing Information Table

Here's how it works:


You receive an unsolicited email appearing to be from a legitimate company. A typical phishing email will give you a phoney reason, such as a security breach or contest, to trick you into providing your personal information. 		The email will often include a reason that urges you to click on a link that takes you to a fake website. That fake website will look authentic by copying the brand name and logo of the real company. This phoney site will ask you for personal information such as credit card numbers, account numbers, passwords, date of birth, driver's license number, and social insurance or social security numbers. While you may think you are giving your information to a valid company, instead you are providing it to a fraudster!

Why did I receive a phishing email?


You received a phishing email simply because your email address has ended up in the hands of a fraudster. 		Email addresses are easily obtained and shared on the Internet – just like phone numbers and mailing addresses. But, other than having your email address, it is unlikely the fraudster knows anything else about you – not even your name.

So, these fraudsters need to do three things to be successful:
  • Target companies with large numbers of customers...the more, the better!
  • Send thousands of phishing emails in an effort to reach as many of these customers as possible (many of the emails are also received by non-customers).
  • Write the email messages in such a way as to trick people into revealing their confidential information.

How to protect yourself


Phishing emails are becoming more sophisticated and can be tricky to spot. Being able to recognize phishing emails can help prevent you from becoming a victim.

Follow these tips to help you avoid falling victim to phishing scams:
  • Never provide your confidential or financial information over the Internet in response to unsolicited emails.
  • Play it safe! If you don't know the source of an email or if it looks suspicious, do not open it.
  • Ensure the address in your browser's address bar begins with "https" when entering personal information. That means your information is being secured. If the address begins with only "http" do not enter any information.
  • Also be wary of security alerts or unusual pop-up messages requiring input while you are on a website.
  • Be cautious! Even if you recognize a sender's email address, do not rely on that alone because addresses may be faked. Pay attention to the contents of the email and be careful of any embedded links.
  • Never click on a link in an email that you suspect may be fake.
  • Be sure! If you are unsure whether you are on a legitimate website, reopen your internet browser and type the company URL in the address bar yourself.
  • Before you enter confidential or financial information online, check for the lock icon on your browser. Ensure the URL in the browser address bar starts with "https."
  • Be alert! Just because an email or website appears to be from a legitimate company doesn't mean it is. Phishing schemes are designed to look real to trick users into divulging personal information for the purpose of financial fraud or identity theft.

If you are unsure if the website is a valid RBC company site play it safe. Do not sign in or enter any personal information. Instead, contact us.

If you've been a victim


If you believe your confidential information may have been stolen or obtained by a fraudulent party either online, by telephone or through any other means, call your local branch or client contact centre immediately. 		For phishing emails, please notify us by forwarding the suspicious email to phishing@rbc.com for analysis. Please note that phishing@rbc.com is an automated mailbox for reporting phishing and website fraud only – we are unable to provide responses from this mailbox. If you require a response, please direct your question through the phone numbers listed below. To report fake websites masquerading as RBC company websites, send an email to phishing@rbc.com with the subject "Fake RBC website." Remember to copy the full URL (website address) into the body of the email.

Skimming

Skimming is the act of obtaining information from a debit or credit card. Most of this data is obtained with a card reader device when the card is used. The PIN is often obtained separately, usually by someone who is watching or by hidden cameras or sophisticated devices that may be attached to the machine used. Once the magnetic strip data and PIN are obtained, a counterfeit card is produced and then used.

What to do about skimming table

How to protect yourself


 Always shield the keypad when you enter your PIN at an ATM or point-of-sale terminal. Do not use an ATM that you suspect may have been tampered with. Keep track of your account balance and debits, and report any fraudulent or missing activity immediately. Beware of unauthorized persons asking for your PIN. No law-abiding employee, police officer, financial advisor or lawyer will ever ask you for your PIN. This is strictly confidential information that provides access to the funds in your account. If you are contacted and asked for your PIN, do not respond, either by phone or email. Check that all your cards are in your possession and report any loss immediately. Even if your cards are in your possession, contact the institution the caller is claiming to be from and report the incident.

If you've been a victim


If you believe your confidential information may have been stolen or obtained by a fraudulent party either online, by telephone or through any other means, call your local branch or client contact centre immediately. 		For phishing emails, please notify us by forwarding the suspicious email to phishing@rbc.com for analysis. Please note that phishing@rbc.com is an automated mailbox for reporting phishing and website fraud only – we are unable to provide responses from this mailbox. If you require a response, please direct your question through the phone numbers listed below. To report fake websites masquerading as RBC company websites, send an email to phishing@rbc.com with the subject "Fake RBC website." Remember to copy the full URL (website address) into the body of the email.

Business Email Compromise

Business Email Compromise is described as one of the largest emerging threats on the payment fraud landscape. This scam occurs generally when a criminal lies about a situation in order to convince you (or your employees) to send money through a payment or transfer of some kind.

Business Email Compromise table

Here's how it works:


 Say you’re the business owner or CEO/ CFO of a business, accountant (basically, someone with authority to send large amounts of money). A fraudster would get their hands on your email or other online credentials, then posing as you, send instructions to someone in your company to send a payment to a particular account.

What are Some Common Variations?

 Business Email Compromise takes a few different forms. Here are a few examples: Owner/CEO Fraud This is where a fraudster either hacks into the email of an owner, CEO or other high-ranking executive, or duplicates a domain so it appears an email is coming from the company’s highest ranks. They then send a fake email to request a financial transaction while the executive is travelling for business, typically asking to change routing information for an account or to make an out-of-the-ordinary deposit or transfer. They will also include reasons for not following standard policy or for keeping a request secret: “I plan to make an announcement in the morning. Until then, please don’t tell anyone.”

A Request for Payment from a Vendor

A fraudster posing as a vendor will email someone in accounts payable and tell them that their account details have changed — and can they please send payment to this new account number instead? Even if your company’s systems aren’t hacked, if your vendor’s email is compromised, a fraudulent request for redirection of funds can appear legitimate.

What Types of Businesses Are at Risk?

Businesses of all sizes have been targeted by Business Email Compromise, and it’s a scam that’s been reported in 80 most countries.

While businesses working with foreign suppliers or those that regularly send wire transfers are the most vulnerable, fraudsters are flexible and can adjust their tactics to use other payment methods. So every business needs to treat email requests for funds with caution.

How to protect yourself
  • Business Email Compromise — or other variations of payments fraud — are often caused by human error as well as online systems and accounts that are hacked. There are strategies to boost your online security that can be easily implemented — but the most effective way to safeguard your business may be to train your staff/employees.
  • If a transfer request arrives via email, use a phone number you already have on file to verify the sender. Any changes in contact phone numbers should not be accepted by e-mail and be verified by phone.
  • It is also recommended to avoid using generic email accounts and invest in an email account that provides stronger authentication methods.. Businesses using generic and free email accounts are commonly targeted and hacked by fraudsters to be able to send out legitimate emails from the email address unsuspecting to the business.

If you've been a victim:

If you believe your confidential information may have been stolen or obtained by a fraudulent party either online, by telephone, text message or through any other means, call your local branch or client contact centre immediately.

For phishing emails, please notify us by forwarding the suspicious email to phishing@rbc.com for analysis. Please note that phishing@rbc.com is an automated mailbox for reporting phishing and website fraud only – we are unable to provide responses from this mailbox. If you require a response, please direct your question through the phone numbers listed below.

Investment Scams

If it sounds too good to be true it probably is. Investment and Crypto scams are on the rise. Fraudsters pretend to be legitimate services, tricking victims into providing personal information via different channels. Avoid being a victim of investment scams! RBC will not ask for personal information via WhatsApp, unverified attachments or suspicious links.

Investment Scams table

Here's how it works:


 Fraudsters pretend to be legitimate investment firms or blockchain and crypto services, tricking victims into investing in get rich quick schemes or connecting their cryptocurrency wallets to malicious platforms. Once permission is granted, the scammers drain all the funds from the wallet. High-yield investment scams, which promise unrealistically high returns (and operate as Ponzi schemes), remain prevalent.

How to spot investment / crypto scams
  • Send money to get more money: The scammer asks you to send money upfront to protect the money you’ve invested or unlock the proceeds you’ve earned.
  • Celebrity endorsement: Crypto scammers often use celebrities and/or influencers to recommend a cryptocurrency – but that does not mean that person is knowledgeable or endorses the company.
  • High rates of return with no risk: This is not realistic and a clear sign it is a fake investment opportunity.
  • Legitimate investment companies will never contact you via WhatsApp.

How to protect yourself

 Avoid being a victim of investment and crypto scams! Here are 5 ways to protect yourself and your savings.
  • Be mindful of the promise of high or quick returns
  • Be skeptical of ‘no risk’ promises
  • Beware of unsolicited contact
  • Be wary of investing with a third party
  • Take the time to do your research

If you've been a victim:

 Contact your branch or call us immediately if you believe you may have been a victim of an investment / crypto scam

Romance Scams

In romance scams, a criminal uses a fake online identity to gain a victim's affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim.

Business Email Compromise table

Here's how it works:


 The scammer wants to establish a relationship as quickly as possible, endear themselves to the victim, and gain trust. Scammers may propose marriage and make plans to meet in person, but that will never happen. Eventually, they will ask for money. The criminals who carry out romance scams are experts at what they do and will seem genuine, caring, and believable. Con artists are present on most dating and social media sites.

How to spot a romance scam

 Scam artists often say they live or are engaged in projects overseas which makes it easier to avoid meeting in person—and more plausible when they ask for money for a medical emergency or unexpected legal fee.

If someone you meet online needs your bank account information to deposit money, they are most likely using your account to carry out other theft and fraud schemes.

Here are some red flags to watch out for:
  • Someone looks too perfect – their profile picture resembles a model more than a regular person or their profile picture is an extreme close-up or just a partial photo – this suggests they want to hide their “identity”
  • The individual you’re chatting with showers you with over-the-top affection and compliments early in the relationship – this is a sign a scammer is trying to win you over quickly.
  • Soon after connecting, they want to leave the dating site and ask to communicate directly – dating sites now have tools that can detect romance scams, so taking a conversation offline increases a scammer’s chance at success.
  • They claim their job makes them unable to connect in person – i.e., they are in the military, work on an oil rig, or work in an undisclosed branch of government. They promise to meet in person but always make an excuse why they can’t – if you haven’t met the person after a few months, there is reason to be suspicious
  • They ask for money – this is a bright red flag that someone is trying to scam you.

How to protect yourself

 While romance scams continue to cheat people out of money, love and trust, it is possible to avoid being a financial or emotional victim. Navigating online dating platforms armed with your own tactics and defenses can help you fend off fraudsters and find people with a similar objective – to find someone real to connect with.
  • Use online searches, like Google’s reverse image search, to research the person’s photo and profile and see if they have been used elsewhere
  • Ask questions about specific experiences – i.e., “Can you walk me through your trip to Italy? What cities did you visit?”
  • Ask about their local area, such as their favourite local restaurant
  • If you’re on a video call, ask to see something in the room they’re in – such as the view out their window or a pet they claim to own. Asking for the person to move around can help reveal AI-generated/enhanced personas

If you've been a victim

If you believe your confidential information may have been stolen or obtained by a fraudulent party either online, by telephone or through any other means, call your local branch or client contact centre immediately.

For phishing emails, please notify us by forwarding the suspicious email to phishing@rbc.com for analysis. Please note that phishing@rbc.com is an automated mailbox for reporting phishing and website fraud only – we are unable to provide responses from this mailbox. If you require a response, please direct your question through the phone numbers listed below. To report fake websites masquerading as RBC company websites, send an email to phishing@rbc.comwith the subject "Fake RBC website." Remember to copy the full URL (website address) into the body of the email.

Job Scams

Advertising of opportunities to make extra money, earn money from home or make a career move have never been greater. Unfortunately, not all employment advertisements are legitimate. These specific type of scam targets job seekers. Victims will receive direct messages from false recruiters with very attractive job opportunities, via LinkedIn or Facebook.

What to do about job scams table

How to protect yourself


 The scammer posts an ad or contacts you by spam email or other means and offers a great job or business opportunity. Sometimes, the scam is presented as an opportunity to make lots of money working from home. Many of these scams are fronts for illegal money laundering or pyramid schemes.

You may be instructed to keep a small percentage of the money being transferred as payment. Fraudsters may request a job applicant's bank account information in order to set up a direct-deposit payment schedule, or they may transfer the funds themselves without the applicant's knowledge. Fraudsters may steal company names and corporate logos to make their ad or email more convincing. They may also scan for resumes that job seekers have posted online and then contact them directly.

How to spot a Job Scam

 The scammer promises or guarantees a lot of income for little or no effort. There are many different types of job scams. For example, the scammer may:
  • Claim to guarantee you either a job or a certain level of income.
  • Say the job involves using your bank account to receive and pass on payments for a foreign company, and they promise you a commission for each payment you pass on.
  • Offer you a job as a “secret shopper” to test the services of a company that cashes cheques or transfers money.
  • Offer you a job that requires you to pay an upfront fee for a business plan, start up materials, or software, or that requires you to recruit other people.

Say they’ll send you a cheque now as an incentive or signing bonus, but you need to transfer part of the amount using a money-transfer service. After you do this, the bank reverses the deposit because the cheque is fraudulent

How to protect yourself
  • Beware of any claims of guaranteed income. Remember: There are no shortcuts to wealth.
  • Don’t make a decision without carefully researching the offer and getting independent advice.
  • Never send your banking or credit card details to someone you don’t know and trust.
  • Don’t agree to cash a cheque. No legitimate business will send you a cheque upfront and tell you that you need to transfer some of the money to them. If you cash a fraudulent cheque, your bank could make you pay back the money lost.
  • Get all the details in writing before paying for something or signing any documents.
Always ensure any potential employers and requests are legitimate. Be aware of this type of scam. If you transfer money that has been stolen or is being laundered you could be an accomplice to the crime, under the law.

Fake Charities

If you receive an unsolicited call, asking you to donate to a charitable cause, don't give your credit card number over the phone or agree to have someone collect a cheque in person.

Fake Charities table

How to protect yourself


 Do not return the phone call until you independently verify that the phone number is legitimate.

Card Switching and Shoulder Surfing

While at an ATM, be aware of anyone who tells you that you've dropped something or offers to help you enter your PIN. As you stoop to retrieve a dropped item, they may exchange your Client Card for another card. Then, working together, another person standing nearby will attempt to observe you as you enter your PIN so that both your card and your PIN are in their possession.

Card Switching and Shoulder Surfing table

How to protect yourself


 Never let anyone help you enter your PIN. Before you put your card back in your wallet, check the name to ensure it is your card. If it is not, report the incident immediately. Do not use an ATM that looks like it has been tampered with.

Telemarketing Scams

These scams occur when you are contacted by a supposed telemarketing firm, claiming that you have won a prize or a trip, but asking for your credit card number, requesting that you purchase a promotional item, or that you pay the taxes for that prize or trip, in order to collect your winnings.

Telemarketing Scams table

How to protect yourself


 Be highly suspicious when receiving voicemail messages directing you to call and provide credit card or bank numbers. These types of scams are called "Vishing". Rather than provide any information, we advise you to discontinue the call and contact your bank or credit card company directly to verify the validity of the message or the prize. If you think that you may be involved in a telemarketing scam, contact the authorities.

Unusual Requests That Are "Too Good to be True"

Be suspicious if you are contacted by phone, mail, email or fax and told that you've won, inherited or been included in a business venture involving large sums of money. Also be alerted to another scam, if you are selling personal property (e.g. a car or other goods). A fraudulent person may pose as an interested buyer, pay for the goods with a cheque that's substantially greater than the asking price, and then call you to request that you return the overpayment. In many cases, the original cheque is stolen, counterfeit or altered and is not returned to RBC until a much later date. You won't discover there is a problem with the cheque until you have returned the so-called "overpayment."

What to do about unusual requests table

How to protect yourself


 Be careful about sending any funds back by cheque or wire transfer. If you are sending a payment via wire, ensure that you are comfortable with your transaction and that you are fully aware of to whom you are sending the funds. If an individual or third party asks you to make a deposit or open an account on their behalf, ensure you are confident of their identity and the validity of their reasons for the request before you do so. Be extremely wary of this kind of request.

Advance-Fee Scams

Posing as a reputable financial institution by copying its brand and logo, fraudsters promote supposed pre-approved loans and mortgages or unusually high interest rates for investment products. Business is solicited on the strength of the reputation of the financial institution, and money is requested up front to secure the approved credit or high-return investment product.

What to do about advance-fee scams table

How to protect yourself


 Always ensure that the institution and offer is legitimate. If you are uncertain, call the institution to verify the offer using the institution's legitimate phone number that you have independently obtained, not the phone number printed on the suspicious offer.

Package Delivery Scams

The drastic rise of e-commerce has resulted in an increase of scammers sending fake shipping notices from popular courier services. Scammers are taking advantage of this by sending phishing SMS and emails to trick unsuspecting clients into submitting their banking information.

Package Delivery Scams table

Here's how it works:


 The messages claim that there is a problem with a package delivery due to an incomplete or incorrect delivery address.

The message will urge you to click on a link to resolve or confirm the address information in order to have the package delivered and if no action is taken, the package will be returned to the sender.

How to protect yourself
  • Stay vigilant - Be cautious of unsolicited text messages, especially those claiming to be from delivery companies. If you didn't initiate contact, it's best to treat the message with suspicion.
  • Don't click on links: Avoid clicking on links or downloading attachments from unsolicited messages, especially if they claim to be from a delivery service. These links could lead to fake websites designed to steal your personal information or infect your device with malware.
  • Verify through official channels: If you're unsure about a delivery notification, contact the delivery company directly using their official website or customer service number and use reputable delivery services and their official apps or websites when tracking packages.
  • If you haven’t ordered anything, any communication regarding a package is more than likely a scam.
  • Look for red flags: Watch out for spelling mistakes, grammatical errors, or unusual formatting in the message.

Bank Impersonation Scams

A bank impersonation scam involves you being contacted by a scammer pretending to be a legitimate bank employee. Scammers will try to trick you in various ways to obtain account information or complete unauthorized transactions

Bank Impersonation Scams table

Here's how it works:


 A bank impersonation scam may start with a phone call, text or email from what looks to be your bank. In many cases, the communication will claim there is an urgent issue with your account – such as a security breach, an unauthorized transaction or some other suspicious activity that has taken place.

Posing as a legitimate representative, the fraudster may ask for your online banking password or your PIN. They claim it will verify your identity but they act as the key that gets them access to your account.

How fraudsters trick you

 Bank impersonation scams can be very convincing for a few reasons. For one, they may call from a phone number that looks legitimate – it might either mimic or closely resemble your bank’s phone number. They may even use caller ID spoofing, where the ID shows that “RBC” is calling, but it is actually a scammer.

They may also have information about you that makes you feel the call, email or text is coming from a real source – for instance they may call you by your full name or recite your address or date of birth to you. As fraudsters could have collected this information from other sources (i.e., they could have hacked your email or seen these details on social media), the fact they have these details about you should not qualify them as legitimate.

Fraudsters will also often state that the situation is highly urgent, and you have to act immediately to “protect” or “secure” your account. Their tactic is to make you act right away without taking time to think and assess the situation.

How to spot a Bank Impersonation Scam

 While bank impersonation scams have become increasingly sophisticated and believable, there are a few red flags that give them away.

  • A request for sensitive information: If your bank calls to verify a transaction, they will never ask you to confirm sensitive information such as a PIN, password, or verification code. They will never ask you to complete a transaction to “secure” your account.
  • Aggressive or urgent language: If the person on the other end is pressuring you into making a decision or giving away information, it’s a definite red flag.
  • Unusual requests: If something feels off to you, it probably is.
  • You are asked to complete actions to ‘secure your profile’, such as send a mobile or online transfer to ‘RBC’ or Send yourself funds and/or initiate any other type of transactions

How to protect yourself

 There are a few simple ways you can protect yourself against bank impersonation scams:

  • Reject unsolicited calls or messages: If you receive a call, email or text from someone claiming to be from your bank and it sounds suspicious, hang up and/or delete the message and don’t click on any links.
  • Don’t give away personal information: No matter how convincing the message, never provide your PIN, password, account numbers to anyone. Your bank will never ask for this information from you.
  • Take 6 seconds: An effective tactic of fraudsters is the sense of panic they create. Take 6 seconds to breathe, process the request and establish if it seems legitimate.
  • Don’t trust Caller ID: Fraudsters are skilled at spoofing phone numbers, so don’t be fooled by a number that looks like a call from your bank. If you receive a call you’re not sure is fake or real, contact your bank directly using the phone number on the back of your credit or debit card.
  • Sign up for Visa Transaction Alerts: By receiving transaction Alerts, you’ll stay on top of any suspicious activity on your account by getting notifications first-hand.

If you've been a victim:

If you believe your confidential information may have been stolen or obtained by a fraudulent party either online, by telephone, text message or through any other means, call your local branch or client contact centre immediately.
  • For phishing emails, please notify us by forwarding the suspicious email to phishing@rbc.com for analysis. Please note that phishing@rbc.com is an automated mailbox for reporting phishing and website fraud only – we are unable to provide responses from this mailbox. If you require a response, please direct your question through the phone numbers listed below.
  • If you receive a suspicious text message, report it to your mobile carrier. This helps carriers identify and block smishing attempts.

Resources

Contact Us


Phone

Email

ATM & Branch Locator