Consider the following messages that many of us are seeing pop up in our email, social media or messaging apps with increasing frequency. 

• Judy from Toronto receives an email from her bank, advising her to change her password due to suspicious activity

• Tony from Vancouver glances at a text message that says his credit card was compromised and he needs a new one

• Mo in Montreal gets a phone call from Interac to say his last e-transfer didn’t go through, but that they can help 

On the surface, each case appears to be legitimate. But all three are actually common scam messages aimed at prying out our passwords and personal and financial details. 

Unfortunately, criminals are only getting more sophisticated and scams are getting harder to detect. Thanks to advances in AI, fraudsters can create authentic-sounding messages – and are even using “deep fake” technology to make it sound or even look like someone you know. 

Bank or credit card “phishing” scams – which typically lure unsuspecting targets to a website where they’re asked to verify personal or financial information – often leverage a victim’s fears around losing money, prompting them to act fast without thinking. 

How can you know if a message from your bank is fake?

Fake bank messages are one of the most common phishing tactics, and they’re getting more difficult to spot, says Ian Bednowitz, general manager of LifeLock, a company that offers identity-theft protection services and cybersecurity software.

“Cybercriminals can easily impersonate trusted institutions with alarming accuracy, using official logos, spoofed email addresses and even cloned websites to trick people into clicking or sharing sensitive information,” warns Bednowitz. “Whether it’s through a call, text or email, these scams are designed to look and feel just like the real thing.”

To identify that a message may be fake, Bednowitz says to watch for these “telltale” signs:

• Urgency: Messages that say your account is locked, there’s suspicious activity or warn that you’ll face fees unless you act immediately are typical tactics used to create panic.
• Personal info requests: If someone requests your social insurance number, account login, password, or PIN via these methods, it’s likely a scam – banks will never ask for these over text, email or phone.
• Dubious links and sender addresses: Scammers use lookalike domains (e.g., “TDBankCo.com” instead of TD.com) and spoofed email addresses to appear legitimate.
• Generic greetings: Messages that start with “Dear Customer” instead of your actual name is a sign something’s off. However, even if the greeting specifically states your name, that doesn’t mean it’s legitimate. 
• Caller ID: Scammers can fake bank phone numbers to make a call or text seem real.

“Banks will not ask you to share sensitive information, such as login passwords or one-time passcodes,” confirms Tarun Dhot, vice president of Canadian Fraud Management at TD Bank. “Banks also do not send representatives to your home to retrieve your debit or credit cards. If you experience such a situation, it should be an immediate red flag.”

What to do if you’re contacted?

The first advice is to avoid a quick panic-induced response, advises Dhot: “Pause before acting on urgent requests,” he says.

“Bad actors often pressure people to make quick decisions. If something feels rushed, take a step back, consult someone you trust and do a little research before proceeding,” Dhot says. 

If you do receive a message or call from your bank or credit card company you think may be legit – especially if it’s tied to a recent purchase you know you made, for example – politely tell them you will get back to them and ask for an extension they can be reached at. Then call a number you know is legitimate, such as calling the number on the back of your debit or credit card – not a number given to you by the person contacting you via phone, text, or email (as that can be fake, too).

What if it’s too late and you already fell for it?

If you’ve clicked a link or entered your personal information – and then have that sinking “uh oh” feeling – take a breath and do the following:

Report it to your bank or credit card company immediately. Again, it’s critical to only call the number on the back of your debit or card. Calmly tell them what happened.

Then change your password tied to the account that may have been compromised. Never use the same password across multiple online accounts. Cyber criminals who successfully obtain your password may try it on your other accounts.

If you can’t remember all your passwords, download a reliable and free password manager app, such as 1Pass, Dashlane, Roboform, LastPass or Norton Password Manager.

Moving on, going forward

There are also some simple tricks you can do to minimize the odds of falling victim to these scams.

Turn on two-factor authentication, which not only requires your password to log into your financial accounts, but a one-time code sent to your mobile device as well.

Consider using your face or fingerprint (a.k.a. “biometrics”) identifications to log into your accounts, along with your password.

Always monitor your accounts for any unauthorized activity, and report anything suspicious. Services like LifeLock can add extra protection as well. 

Dhot emphasizes that you should always think twice before you share personal details: “Be selective about sharing sensitive information such as your birthdate, phone number or address – especially with people or businesses you don’t know well,” as that can be used for identity theft purposes.

It’s also important to remind your friends and family – perhaps those who may not be as tech savvy – about the many different tactics used by scammers. Social media is also a popular hangout for cybercriminals; it’s best to be suspicious of new, unsolicited friend requests. 

“At the end of the day, protecting your identity starts with staying alert and trusting your instincts,” adds Bednowitz. “If something feels off, slow down, verify it through official channels, and don’t give out personal information.”