You were targeted in a scam. Is your bank liable for the losses?
Globe and Mail3 days ago
Crystal Quast had just finished writing a mystery novel when she found herself embroiled in a real-life mystery of her own.
Ms. Quast, a corporate communications professional based in Waterloo, Ont., had decided to self-publish her book through Amazon. The technology behemoth's logo was on her receipts, and calls from the representatives she was dealing with came up as 'Amazon publishing' on her phone.
But something felt off to Ms. Quast. The company was charging $2,500 for a publishing package that included editing, but didn't appear to be doing much of it. Ms. Quast eventually reached out to a friend at Amazon who informed her that she was dealing with an imposter.
'I was really shaken. My confidence was shaken ... I didn't think I'd ever get taken in by a scam,' Ms. Quast said.
Ms. Quast is one of a growing number of Canadians falling victim to fraud, and its changing nature is raising questions about who should be liable for the losses that siphon hundreds of millions of dollars out of the economy each year.
Fraud victims reported a total of $647-million in losses to the Canadian Anti-Fraud Centre last year, up from $577-million in 2023. Those figures likely represent just the tip of the iceberg, as an estimated 90 to 95 per cent of fraud goes unreported, according to the agency.
Scammers are impersonating finance experts to steal millions – and the real ones are struggling to stop it
As financial institutions have bolstered their defences, criminals have shifted tactics, creating new challenges for banks and other institutions. Victims, meanwhile, are forced to navigate a patchwork of regulations that in many cases leave them footing the bill.
Geoff Morton, senior director of fraud strategy at Royal Bank of Canada, said that in the past, criminals would typically commit what's known as unauthorized fraud by gaining access to a customer's bank account and transferring funds out, all without the victim's involvement.
'That was a problem for a very long time across all the banks, not just in Canada but everywhere. And so everybody's been investing very heavily into lots of technological solutions to that,' Mr. Morton said.
Banks have implemented stricter authentication requirements in recent years, making it harder for criminals to gain access to client accounts, and have also gotten better at spotting and blocking those types of fraudulent transactions, Mr. Morton said.
But rather than putting an end to the theft, the new security measures have prompted the criminals to change tactics to what's known as authorized fraud, Mr. Morton said. Instead of gaining unauthorized access to a victim's account, the perpetrators are interacting directly with the victims, and convincing them to transfer funds.
'The biggest trends we're seeing these days are things like investment scams, romance scams ... where they convince the client to send a payment directly to them,' Mr. Morton said.
'That's been a shift we've seen over the last year really accelerate,' he added.
That creates new challenges for banks, whose fraud detection tools are geared more toward identifying the markers of unauthorized fraud – for instance, transactions originating from new devices or locations. When the customer has fallen prey to a scam, those markers no longer apply. Instead, banks have to look for transactions that don't match the client's typical pattern of behaviour, Mr. Morton said.
Addressing scams also requires more call-centre resources. In an unauthorized fraud, customers are asked a simple yes or no question: had they authorized the transaction? With authorized fraud, call-centre employees may find themselves in a trickier situation: telling a customer they've fallen prey to a scam, after the bank has blocked the transaction. Still, customers may insist it's a valid transaction and that the payment be made.
'You have to break this spell that the client is under,' Mr. Morton said.
In many cases, the victims have been coached by the scammer on what to say when the bank calls to verify the transaction, he added. 'It's a whole element of behaviour that we haven't had to deal with in the past as a bank.'
Victims can be so bought into the scam that they refuse to heed the bank's advice. British digital bank Revolut has in some instances resorted to asking suspected scam victims to take selfies while holding up a sheet of paper that states the bank warned them against completing a particular transaction.
Banks aren't the only institutions affected by what the Ontario Securities Commission has described as a massive surge in online scams and fraud. The deceptive and unauthorized use of a company's name or logo, known as brand abuse, has had such a significant impact on Amazon that the tech giant has taken the matter to court.
In late 2023, Amazon sued what it described as a 'ring' of individuals and entities based in the United States and Pakistan for scamming authors by falsely claiming to be affiliated with Amazon Publishing and Kindle Direct Publishing, the company's self-publishing arm.
Authors such as Ms. Quast were lured into paying what the company described as 'substantial sums of money' for inadequate or non-existent services, the company alleged.
In February, the Northern District of California court awarded Amazon US$36.4-million in damages. The company said it will 'evaluate its options to most effectively use any damages recovered to benefit those impacted by impersonation scams.'
'The ultimate fraud machine': Scammers are using AI to target people and businesses with increasingly convincing deepfakes
Some countries have implemented shared liability models, which aim to prompt institutions such as banks and telecoms to bolster their anti-scam measures by holding them responsible for losses. In Britain, for instance, liability for reimbursing the victims of what are known as authorized push payment scams is split equally between the bank that sent the money and the one that received it. (An authorized push payment scam occurs when a customer is tricked into a sending money to someone posing as a payee.)
Singapore, meanwhile, has adopted what's known as a waterfall approach to determining who should bear the cost when a customer loses money to a phishing attack. The responsibility for compensating the victims falls first on the financial institution. If the bank has met all of its obligations under the rules, the burden shifts to the telecom company involved, then finally to the customer.
'I think that shared liability model on the surface is a good idea, because it really incentivizes every person in that chain to have skin in the game,' said Carl Davies, head of fraud and identity at Equifax Canada.
'The real challenge is, at some point, those organizations can do everything that is asked of them but the consumer will still do it because they've been bought into the scam,' he added.
In Canada, the discussion around fraud liability is continuing.
'It is a patchwork right now in Canada,' said Sara Eve Levac, a lawyer and analyst at Montreal-based consumer advocacy Option consommateurs.
For unauthorized credit-card transactions, the Bank Act limits the consumer's liability to $50, as long as the consumer wasn't grossly negligent.
'For any other modes of payment, there's no protection by law,' Ms. Levac said.
'You have to look at the rules under civil liability, or the contracts that the consumer has with the bank, and what we've noticed is that in many circumstances the bank will say that the consumer authorized the transaction, even if we're in the situation of a scam and the information was given under false pretenses,' she added.
Option consommateurs has been advocating for changes to the Bank Act, including a uniform legal framework for all payment methods, and wording to specify that a transaction should not be considered authorized if the consumer has been tricked into providing their banking credentials. In Quebec, the government is looking to limit consumer liability for unauthorized debit transactions to $50, making the rules consistent with those governing credit-card fraud.
RBC's Mr. Morton says the responsibility for tackling authorized fraud lies with multiple parties, including banks, customers, telecom companies, social media platforms and search engines.
'It's not just a bank problem to solve, we really need to bring everybody to the table,' he said.
The Canadian Bankers Association has convened a roundtable, billed as the Canadian anti-scam alliance, in an attempt to do just that.
Nathalie Bergeron, a spokesperson for the CBA, said banks are 'one of several lines of defence' in the fight against scams, and are continuously strengthening their security measures.
'Banks have controls – including fraud alerts and one-time passcodes – to help protect customers from fraud. Under client banking agreements, customers also share responsibility for protecting their personal information, including keeping PINs and passwords confidential,' Ms. Bergeron said in a statement.
A report published last week by the Washington-based Bank Policy Institute calls on telecom, tech and social media companies to assist in the fight against fraud. 'Financial institutions cannot solve this problem alone and need cross-industry collaboration with tech and telecom to protect their mutual customers,' it reads.
Scams can cost victims more than their money. Here's how to recover emotionally from fraud
Ms. Quast has seen firsthand how scams impact the broader business ecosystem – from Google, whose search engine had taken her to the Amazon imposter's website, to Amazon to the banks that facilitated the payments.
She used two different credit cards to pay the fake Amazon publisher. The Bank of Nova Scotia has refunded her for the payment made on its card. Ms. Quast said Toronto-Dominion Bank eventually also issued a refund, after protracted communication back and forth. A spokesperson for TD declined to provide details but said the case was closed in the spring.
Ms. Quast's book Dinked: Serenity Acres: Where Secrets Barely Stay Hidden – which, coincidentally, contains an Amazon phishing scam subplot – has since been published, through Amazon's legitimate self-publishing arm.
'I'm happy with it, but it's turned what was a really joyous experience into a nightmare,' she said.
'I was thrilled that I had written my first novel, I was really happy with it, and it went from being something I was really proud of to being ashamed that I got suckered into a scam.'
Ms. Quast, a corporate communications professional based in Waterloo, Ont., had decided to self-publish her book through Amazon. The technology behemoth's logo was on her receipts, and calls from the representatives she was dealing with came up as 'Amazon publishing' on her phone.
But something felt off to Ms. Quast. The company was charging $2,500 for a publishing package that included editing, but didn't appear to be doing much of it. Ms. Quast eventually reached out to a friend at Amazon who informed her that she was dealing with an imposter.
'I was really shaken. My confidence was shaken ... I didn't think I'd ever get taken in by a scam,' Ms. Quast said.
Ms. Quast is one of a growing number of Canadians falling victim to fraud, and its changing nature is raising questions about who should be liable for the losses that siphon hundreds of millions of dollars out of the economy each year.
Fraud victims reported a total of $647-million in losses to the Canadian Anti-Fraud Centre last year, up from $577-million in 2023. Those figures likely represent just the tip of the iceberg, as an estimated 90 to 95 per cent of fraud goes unreported, according to the agency.
Scammers are impersonating finance experts to steal millions – and the real ones are struggling to stop it
As financial institutions have bolstered their defences, criminals have shifted tactics, creating new challenges for banks and other institutions. Victims, meanwhile, are forced to navigate a patchwork of regulations that in many cases leave them footing the bill.
Geoff Morton, senior director of fraud strategy at Royal Bank of Canada, said that in the past, criminals would typically commit what's known as unauthorized fraud by gaining access to a customer's bank account and transferring funds out, all without the victim's involvement.
'That was a problem for a very long time across all the banks, not just in Canada but everywhere. And so everybody's been investing very heavily into lots of technological solutions to that,' Mr. Morton said.
Banks have implemented stricter authentication requirements in recent years, making it harder for criminals to gain access to client accounts, and have also gotten better at spotting and blocking those types of fraudulent transactions, Mr. Morton said.
But rather than putting an end to the theft, the new security measures have prompted the criminals to change tactics to what's known as authorized fraud, Mr. Morton said. Instead of gaining unauthorized access to a victim's account, the perpetrators are interacting directly with the victims, and convincing them to transfer funds.
'The biggest trends we're seeing these days are things like investment scams, romance scams ... where they convince the client to send a payment directly to them,' Mr. Morton said.
'That's been a shift we've seen over the last year really accelerate,' he added.
That creates new challenges for banks, whose fraud detection tools are geared more toward identifying the markers of unauthorized fraud – for instance, transactions originating from new devices or locations. When the customer has fallen prey to a scam, those markers no longer apply. Instead, banks have to look for transactions that don't match the client's typical pattern of behaviour, Mr. Morton said.
Addressing scams also requires more call-centre resources. In an unauthorized fraud, customers are asked a simple yes or no question: had they authorized the transaction? With authorized fraud, call-centre employees may find themselves in a trickier situation: telling a customer they've fallen prey to a scam, after the bank has blocked the transaction. Still, customers may insist it's a valid transaction and that the payment be made.
'You have to break this spell that the client is under,' Mr. Morton said.
In many cases, the victims have been coached by the scammer on what to say when the bank calls to verify the transaction, he added. 'It's a whole element of behaviour that we haven't had to deal with in the past as a bank.'
Victims can be so bought into the scam that they refuse to heed the bank's advice. British digital bank Revolut has in some instances resorted to asking suspected scam victims to take selfies while holding up a sheet of paper that states the bank warned them against completing a particular transaction.
Banks aren't the only institutions affected by what the Ontario Securities Commission has described as a massive surge in online scams and fraud. The deceptive and unauthorized use of a company's name or logo, known as brand abuse, has had such a significant impact on Amazon that the tech giant has taken the matter to court.
In late 2023, Amazon sued what it described as a 'ring' of individuals and entities based in the United States and Pakistan for scamming authors by falsely claiming to be affiliated with Amazon Publishing and Kindle Direct Publishing, the company's self-publishing arm.
Authors such as Ms. Quast were lured into paying what the company described as 'substantial sums of money' for inadequate or non-existent services, the company alleged.
In February, the Northern District of California court awarded Amazon US$36.4-million in damages. The company said it will 'evaluate its options to most effectively use any damages recovered to benefit those impacted by impersonation scams.'
'The ultimate fraud machine': Scammers are using AI to target people and businesses with increasingly convincing deepfakes
Some countries have implemented shared liability models, which aim to prompt institutions such as banks and telecoms to bolster their anti-scam measures by holding them responsible for losses. In Britain, for instance, liability for reimbursing the victims of what are known as authorized push payment scams is split equally between the bank that sent the money and the one that received it. (An authorized push payment scam occurs when a customer is tricked into a sending money to someone posing as a payee.)
Singapore, meanwhile, has adopted what's known as a waterfall approach to determining who should bear the cost when a customer loses money to a phishing attack. The responsibility for compensating the victims falls first on the financial institution. If the bank has met all of its obligations under the rules, the burden shifts to the telecom company involved, then finally to the customer.
'I think that shared liability model on the surface is a good idea, because it really incentivizes every person in that chain to have skin in the game,' said Carl Davies, head of fraud and identity at Equifax Canada.
'The real challenge is, at some point, those organizations can do everything that is asked of them but the consumer will still do it because they've been bought into the scam,' he added.
In Canada, the discussion around fraud liability is continuing.
'It is a patchwork right now in Canada,' said Sara Eve Levac, a lawyer and analyst at Montreal-based consumer advocacy Option consommateurs.
For unauthorized credit-card transactions, the Bank Act limits the consumer's liability to $50, as long as the consumer wasn't grossly negligent.
'For any other modes of payment, there's no protection by law,' Ms. Levac said.
'You have to look at the rules under civil liability, or the contracts that the consumer has with the bank, and what we've noticed is that in many circumstances the bank will say that the consumer authorized the transaction, even if we're in the situation of a scam and the information was given under false pretenses,' she added.
Option consommateurs has been advocating for changes to the Bank Act, including a uniform legal framework for all payment methods, and wording to specify that a transaction should not be considered authorized if the consumer has been tricked into providing their banking credentials. In Quebec, the government is looking to limit consumer liability for unauthorized debit transactions to $50, making the rules consistent with those governing credit-card fraud.
RBC's Mr. Morton says the responsibility for tackling authorized fraud lies with multiple parties, including banks, customers, telecom companies, social media platforms and search engines.
'It's not just a bank problem to solve, we really need to bring everybody to the table,' he said.
The Canadian Bankers Association has convened a roundtable, billed as the Canadian anti-scam alliance, in an attempt to do just that.
Nathalie Bergeron, a spokesperson for the CBA, said banks are 'one of several lines of defence' in the fight against scams, and are continuously strengthening their security measures.
'Banks have controls – including fraud alerts and one-time passcodes – to help protect customers from fraud. Under client banking agreements, customers also share responsibility for protecting their personal information, including keeping PINs and passwords confidential,' Ms. Bergeron said in a statement.
A report published last week by the Washington-based Bank Policy Institute calls on telecom, tech and social media companies to assist in the fight against fraud. 'Financial institutions cannot solve this problem alone and need cross-industry collaboration with tech and telecom to protect their mutual customers,' it reads.
Scams can cost victims more than their money. Here's how to recover emotionally from fraud
Ms. Quast has seen firsthand how scams impact the broader business ecosystem – from Google, whose search engine had taken her to the Amazon imposter's website, to Amazon to the banks that facilitated the payments.
She used two different credit cards to pay the fake Amazon publisher. The Bank of Nova Scotia has refunded her for the payment made on its card. Ms. Quast said Toronto-Dominion Bank eventually also issued a refund, after protracted communication back and forth. A spokesperson for TD declined to provide details but said the case was closed in the spring.
Ms. Quast's book Dinked: Serenity Acres: Where Secrets Barely Stay Hidden – which, coincidentally, contains an Amazon phishing scam subplot – has since been published, through Amazon's legitimate self-publishing arm.
'I'm happy with it, but it's turned what was a really joyous experience into a nightmare,' she said.
'I was thrilled that I had written my first novel, I was really happy with it, and it went from being something I was really proud of to being ashamed that I got suckered into a scam.'
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
CTV News
10 minutes ago
- CTV News
Shot fired at vehicle during road rage incident
The logo from a Windsor police cruiser in Windsor, Ont., on Thursday, July 16, 2015. (Melanie Borrelli / CTV Windsor) The Windsor Police Service (WPS) is investigating after they say a gunshot was fired during a road rage incident. The incident happened around 11 p.m. Saturday in the 1300 block of Riverside Drive East. When officers arrived on scene, they located a vehicle with damage to its rear window consistent with a gunshot. According to police, two vehicles were heading east on Riverside Drive when one driver reportedly yelled obscenities at the complainant. Then, someone in the vehicle allegedly shot a gun at the complainant's car. The suspect vehicle fled the scene, and no physical injuries have been reported. The suspect vehicle is described as a late model, four-door sedan, possibly grey or chocolate brown in colour. The driver is described as a black man in his 20s. Two other occupants were seen in the vehicle, though no descriptions are currently available. The Major Crimes Unit is investigation the incident and are asking residents and business owners to review dashcam or surveillance footage between 10:30 p.m. and 11:30 p.m. on July 26 for any relevant evidence. Anyone with information is urged to contact the Major Crimes Unit at 519-255-6700, ext. 4830.
CTV News
10 minutes ago
- CTV News
Three charged after early-morning metal theft in Palmerston
Three people are facing charges after allegedly stealing metal from a business in Palmerston early Saturday morning. Wellington County Ontario Provincial Police were called just before 4 a.m. for a report of three males stealing metal from a local business. Police said the suspects fled the scene when officers arrived, but were later located and arrested. A 33-year-old from Listowel, a 35-year-old from Listowel and a 40-year-old from Atwood have all been charged with theft under $5,000, possession of break-in instruments and break and enter.
CTV News
10 minutes ago
- CTV News
CSEC to host hiring fair Monday afternoon at Saddledome
Calgary Sports and Entertainment Corp. are holding a hiring fair Monday and Tuesday at the Saddledome. Calgary Sports and Entertainment Corp. (CSEC) are hosting a hiring fair Monday. The parent company of the Calgary Flames are looking for security operations personnel and conversion team members (quick service cooks, line cooks, 50/50 staff) for its venue operations. These positions support events for the Flames, Wranglers, Hitmen, Riggers and Stampeders. The event takes place between 1 p.m. and 5 p.m. Monday and 10 a.m. and 2 p.m. Tuesday. Bring a resume to enter at the west side of the Saddledome through the Telus Club. CSEC says that they're hiring on the spot. For information, go here.
