Ottawa resident Kimberley Bray was selling a vintage blouse on the marketplace platform Poshmark when she received a normal-looking email from a potential buyer asking if the product was still available, she told CTV News (1). Unfortunately, the email was the start of a devious phishing scam that drained $1,000 from Bray’s bank account and leaving her perplexed.
After confirming she would sell the blouse to the prospective buyer, Bray received another email with a “secure payment link” to receive an e-transfer. But after Bray clicked on the link to obtain payment and logged into her bank account, she received a text message from her bank notifying her that an e-transfer for $1,000 was sent and another was shortly on the way.
The email link was a sophisticated phishing trap used to pull Bray’s personal information so the scammer could send money to themselves. Bray fell prey to what’s known as “e-transfer fraud”— and it’s harder to spot than you might think.
“It doesn’t make a difference what age you are, what your job is, how smart you think you are,” Bray told the news outlet, adding, “These scammers — they have a process that they’ve gone through to check all the boxes. And once they feel like they have you, they are going to take advantage, and you will be victimized.”
According to the federal government, e-transfer fraud occurs when a scammer acts as either a sender or recipient in a fraudulent e-transfer transaction (2). Scammers typically use phishing techniques — sending links that trick users to reveal their personal information on a fake website or form (3) — to initiate these e-transfers. In Bray’s case, she was prompted to login into her bank from a phishing link, which gave her banking login details to the scammer so they could e-transfer funds from Bray’s account at will.
To entice users to click on these malicious links, scammers use an emotionally exploitative technique known as social engineering (4). They research potential targets’ backgrounds, such as their search history or social media usage, to learn more about them and how they act. Then, they send a message from a company or person the victim likely trusts based on the information collected — this could be from an employer, co-worker, familiar company or another trusted source.
Story Continues
In Bray’s case, the scammer used social engineering to pretend to be a Poshmark client, which was extremely convincing given she had an active listing on the marketplace.
Bray’s experience with e-transfer fraud isn’t unique, either. According to the Canadian Anti-Fraud Centre’s (CAFC) 2024 Annual Report (5), phishing was listed as one of the top 10 forms of fraud based on dollars lost by victims, affecting over 1,000 people last year. Additionally, in 2024, e-transfers scams rose 26.1% year-over-year in terms of dollars lost, with over $36 million paid to scammers.
Read more: Here are 5 expenses that Canadians (almost) always overpay for — and very quickly regret. How many are hurting you?
E-transfer scams that use sophisticated social engineering can be hard to spot, but there are some common ways to tell if an e-transfer request is malicious. Here are some tips to help you spot common tactics.
Double check the URL. While a scammer can make a link in an email look legitimate, as in Bray’s scam, it’s much harder to create a legitimate looking website address. If you receive an e-transfer request link that looks real, hover over the link with your cursor (or press and hold the link if you’re on a smartphone) to reveal where it leads to.
Watch for manipulation tactics. If someone is pressuring you to send an e-transfer with threats, a reward that seems too good to be true or via emotional manipulation, don’t go any further in the conversation — it is likely a scam.
Look for odd spelling or grammatical errors. Scammers often use email addresses or links that are similar but not identical to legitimate addresses or domain names (e.g. interac-transfers.ca instead of interac.ca). If you see any inconsistent spelling or odd website addresses, you’re likely dealing with a scammer.
Falling prey to an e-transfer scam isn’t something to be ashamed of, as fraudsters have developed sophisticated tactics to reel in anyone that banks online. If you do get scammed via e-transfer fraud, follow these steps (6):
Contact your financial institutions. Notify the bank that the e-transfer was sent from so they can flag your accounts and report the fraud to both credit bureaus (TransUnion and Equifax) so they can also monitor your accounts.
Change your passwords. Immediately change all your passwords for any accounts that have login information similar or identical to the banking information the scammer used to defraud you.
Report the fraud. Let your local police service know about the incident so they can track the suspicious activity. Also report the fraud to the CAFC through its online portal or via phone at 1-888-495-8501.
Keep organized records. Gather all information you can about the fraudulent transaction, including emails, text messages, receipts, etc.
Getting your money back after an e-transfer scam can be difficult. Because you willingly gave your personal information to a third-party, banks may determine you did not meet your security responsibilities and should not be reimbursed for the loss.
E-transfers are a convenient way to send and receive money in our digital economy, but they also work just as efficiently for bad actors. Do your due dilligence when receiving any requests to send or receive money online so you know exactly who you’re dealing with.
We rely only on vetted sources and credible third-party reporting. For details, see our editorial ethics and guidelines.
CTV News (1); Government of Canada (2, 3, 4), CAFC (5, 6)
This article provides information only and should not be construed as advice. It is provided without warranty of any kind.