Canadians are being drained of their life savings by scammers — and many are shocked when their banks refuse to reimburse them.
Bank fraud is a significant concern in Canada, according to the Canadian Anti-Fraud Centre. Every week, Go Public hears from people whose accounts have been emptied by fraudsters using everything from phishing emails and fake banking apps to phone spoofing, hacked passwords and unauthorized e-transfers.
All too often, investigations by financial institutions end not with accountability, but with banks blaming the very customers who trusted them with protecting their money.
“It’s very disappointing,” said Claudiu Popa, a cybersecurity expert who’s spent decades investigating cybercrime and educating the public.
“Banks appear to be protecting themselves and their own reputations, rather than trying to remedy a situation.”
Popa says he’s seen firsthand how criminals exploit everyday habits and security gaps. To help, he’s sharing five tips that can reduce your risk of becoming the next victim of bank fraud.
1. Use strong, unique passwords
The first tip is the most basic: change your password regularly — every three months is recommended — and make it unique.
According to password manager NordPass, the most common password used in Canada and dozens of other countries in 2025 is “123456.” The second most common password? “123456789.”
Popa says we should stop thinking of passwords as short codes, and instead think of them as memorable passphrases.
“Choose your favourite line from a movie or poem or whatever, and sprinkle in some personal punctuation,” he suggested. Something like, H@staLaV1staBaby!
Make sure it’s 15-20 characters, and never reuse passwords across different websites. Reused passwords are one of the most common ways criminals can gain access after a data breach.
He also recommends using a password manager to store passphrases, so you can just copy and paste them, instead of typing them out.
“Viruses latch onto the keyboard and track the keys you’re typing, which it can’t do if you’re pasting it directly.”
2. Enable two-factor authentication, account alerts
Even the strongest password isn’t enough if a hacker gains access through a data breach or phishing scam — which is why Popa says two-factor authentication (2FA) is so important.
It adds a second layer of security, typically through a code sent to your device or generated by an authentication app.
“It needs to be a separate platform, so that’s why you should always try to have a different device that you’re getting your second factor on,” said Popa.

He advises against using SMS text messages for 2FA when possible. Instead, opt for a secure authentication app like Google Authenticator or Microsoft Authenticator.
Also turn on every available account notification — for logins, password changes and transactions.
“Time is of the essence when you get defrauded,” said Popa. “The sooner you find out, the more likely it is that your banking institution will work with you, rather than protect themselves against you.”
Go Public asked the big five banks — BMO, CIBC, RBC, TD and Scotiabank — if they allow customers to set up two-factor authentication. All said they give users the option to get codes via text message, which the Canadian Anti-Fraud Centre says are vulnerable to being intercepted.
All the banks also offer a more secure option — push notifications sent through their mobile apps. But only TD offers an authenticator app, which Popa says should be standard in the industry.
Popa also thinks customers should have the option to set up two-factor authentication for all purchases where a physical card is not used — not just when they log in to their online banking.
Currently, none of Canada’s big five banks offer that. The banks do allow customers to set up alerts for every transaction, so they can know right away if there’s a fraudulent charge.
3. Guard personal information
Bank fraud doesn’t always involve hacking. Scammers often trick people into handing over information themselves.
Popa says social engineering scams, phishing emails and phone scams are becoming increasingly sophisticated.
One common tactic people have written to Go Public about is call spoofing.

Fraudsters make it appear as though they’re calling from your bank, then ask you to confirm details like your login credentials or account number to “prevent fraud.”
They might also ask you to share a “one-time passcode” sent to your phone.
“Many of these scammers intentionally make these calls at dinnertime because you’re busy doing something else, because your bank branch might be closed, because it happens to be a weekend,” said Popa. “They know exactly how to play with your emotions and your instincts.”
Never share your passwords, PIN, one-time passcodes, or banking information with anyone who contacts you unexpectedly, either by phone, text or email.
Popa advises calling your bank directly using the number on their official website or your bank card. And don’t click links in unsolicited messages claiming to be from your bank, he warns. Many lead to fake websites designed to steal your credentials.
4. Avoid public wi-fi for banking
Checking your account while at a café might seem harmless — but public wi-fi is one of the riskiest ways to access financial information, Popa warns.
Hackers can use “man-in-the-middle” attacks to intercept your connection, steal your login credentials, or even install malware.
Instead of relying on wi-fi, use your cellphone data plan, which is more secure, or connect through a trusted VPN (Virtual Private Network), which encrypts and protects your information.
5. Be careful with banking apps
Banking apps are convenient — but they can also pose risks, especially if downloaded from unofficial sources or used on devices with other background apps.
Many cybersecurity experts Go Public has spoken to — including Popa — decline to bank on their phone.

“Many apps can run spyware or malware without your knowledge,” Popa said. “They can take screenshots, track your activity or steal your credentials.”
Popa’s advice if you do use mobile banking: only download apps from the Apple App Store or Google Play Store.
“Those are the only app stores that should ever be trusted with any apps at all,” he said.
Better yet? Consider using your bank’s website on a secure browser at home.
Bonus tips
Also consider implementing these additional safety measures:
- Monitor accounts regularly. Check your bank statements and transaction history frequently to catch suspicious activity early.
- Shred financial documents. Don’t toss bank statements, cheques or credit card offers without shredding them first.
- Secure devices. Install antivirus software, enable automatic updates and use screen locks on all devices that access your financial accounts.
A preventable crime
Bank fraud can feel overwhelming — but it isn’t inevitable. Popa says small changes in how you manage accounts and devices can make you a far less attractive target.
“You can’t control what banks do,” he said. “But you can control how easy it is to scam you.”
Submit your story ideas
Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories, shed light on wrongdoing and hold the powers that be accountable.
If you have a story in the public interest, or if you’re an insider with information, contact gopublic@cbc.ca with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public.