Canadian businesses have been getting a lot of messages lately that appear to be from trusted sources but are actually from fraudsters.
Last year impersonator fraud emerged as the most widespread and costly form of online fraud perpetrated against Canadian businesses. According to a 2024 study by Payments Canada, one in five businesses fell victim to payment related fraud in the previous six months, and one in seven suffered financial losses as a result.
In fact, businesses fell victim to fraud at higher rates than Canadian consumers, even though a majority felt confident that their business was well protected. The most common type of fraud perpetrated against businesses in Canada during that period was impersonator fraud, accounting for one quarter of all reported payment scams.
What is impersonator fraud?
What makes this type of fraud so successful is that it impersonates a trusted source to avoid detection or scrutiny. Online fraudsters send emails, text messages, social media messages and even make phone calls alleging to be from a trusted business source, institution or organization, and request some type of payment or sensitive information.
According to the Canadian Anti-Fraud Centre, Competition Bureau and RCMP, impersonator fraud is one of the fastest growing forms of fraud in the country. In 2024 the CAFC received more than 108,000 reports from more than 34,600 victims, who lost $638 million in online scams. In fact, Canadians have lost more than $2 billion to online fraud since 2021.
How impersonator fraud works
Impersonator fraud can be highly effective and financially devastating because it exploits existing relationships with trusted sources, like suppliers, financial institutions, couriers, employees, clients, law enforcement and regulators.
Sometimes a successful scam requires the fraudster to have pre-existing knowledge of their victim’s regular business contacts, but often they seek to impersonate widely used institutions, contacts or services.
Often the communications will suggest there has been an unauthorized transaction, that an order was not received, that outstanding dues or taxes are outstanding, or that payment was sent to the wrong account. In almost all cases the fraudsters will seek to extract sensitive information—such as passwords, social security information, or banking details—or request direct payment.
Scammers will also use artificial intelligence, data gathered from a previous hack or breach, or publicly available information to add credibility to those requests. They could also lead victims to “cloned” websites designed to look nearly identity to the falsely represented organization’s legitimate website, or clone phone numbers and caller ID information to appear authentic.
Telltale signs: How to identify impersonator fraud
The best way to guard against impersonator fraud is awareness, caution and remaining on guard for some telltale signs.
For example, fraudulent requests often rely on users acting before giving the situation too much thought, meaning that requests for money or information are often made to appear urgent, which is one of the signs to look out for.
Furthermore, requests for personal or sensitive information that has already been provided or seems unnecessary given the nature of your relationship with the institution or individual making the request should be approached with greater scrutiny.
Finally, requests for payments or money transfers outside of the organization’s existing payment relationship, such as payment to a new account or via a new payment portal, should also warrant further investigation.
How to prevent impersonator fraud
If you receive an urgent request asking for sensitive information or payment, especially to a new address, account or website—even from a seemingly trusted source—it’s important to stop and investigate further.
While impersonator fraud often seeks to mimic legitimate sources and contacts, there are often subtle signs that the sender is not who they say they are, such as minor differences in email addresses, spelling errors, or communications from an unfamiliar phone number.
When in doubt about a sender’s legitimacy, try contacting them using official contact information, or contact details you have used previously. For example, if you receive an email claiming to be from a supplier requesting an additional payment for a recent order, call their office line directly, rather than answering the email.
Organizations are encouraged to request information that only the legitimate source would know for all transactions as a matter of policy, like previous order details, invoice numbers, or customer IDs.
Organizations of all sizes can also better protect themselves by adopting strong fraud prevention and detection tools, such RBC Beyond Banking partner Kobalt.io.
What to do in the event of impersonator fraud
Businesses or individuals that fall victim to impersonator fraud are encouraged to report the incident immediately to the Canadian Anti-Fraud Centre, and cease all communications with the suspected fraudsters.
Next, organizations should quickly change all their passwords and login credentials, even to unaffected accounts, and encourage all team members to do the same. Using a password manager like RBC Beyond Banking partner 1Password can help quickly generate complicated, unique and secure passwords for all accounts while making them accessible via a single, secure application.
If there is a chance that they have fallen victim to impersonator fraud, organizations should also notify their financial institution to help stop payments and secure accounts. According to the Payments Canada study, 71% of businesses were partially or fully reimbursed for any money lost to fraud.
With Canadian businesses at high risk of falling victim to this increasingly common form of online fraud, it’s important they maintain strong organizational cyber security tools, policies and protocols, and remain on the lookout for suspicious communications—even from seemingly trusted sources.
Read more: Cyber security for your business
