The Decibel - If you fall for a scam, who should pick up the bill?
Episode Date: July 30, 2025Scams are becoming more common and more sophisticated. As quickly as safeguards are developed to protect people, scammers are finding workarounds. And if you do fall victim to a scam, does your bank o...we you anything?Alexandra Posadzki joins The Decibel to discuss what current regulations say about who is liable for losses from a scam, the risks for consumers and whether the current system reflects who is actually party to a scam.Questions? Comments? Ideas? Email us at thedecibel@globeandmail.com
Transcript
Discussion (0)
So Crystal Quast is a woman who works in communications.
She lives in Waterloo, Ontario, and she recently decided to write a mystery novel.
That's Alexander Posadsky.
She covers financial and cybercrime for the Globe and Mail.
And so she went online, and she typed into her search bar, something like Amazon self-publishing.
One of the top results offered a publishing service that appeared to be from Amazon.
on.
Crystal knew that the online shopping website also had a publishing arm, so it made sense.
And Crystal decided to pay for one of their editing packages.
But then she started to get kind of suspicious, because first of all, it was taking a really
long time to get back the edits on her book.
And when Crystal finally did get her edits, she noticed it was still full of glaring typos.
That's when she called a friend who worked at Amazon.
And her friend told her,
Crystal had been tricked by an imposter.
It turned what was supposed to be this, like, joyous moment into feeling very ashamed that she had been taken in by a scam.
She was very embarrassed and just, you know, felt very foolish.
Today on the show, Alex joins us to talk about how scams appear to be changing, how financial institutions are trying to keep up,
and what Canadian laws say about who should pay for money lost.
I'm Irene Gallia, guest hosting The Deciple from The Globe and Mail.
Okay, Alex, thanks so much for joining us.
Thank you for having me.
Can you break down what exactly happened?
How did this fraud take place?
So she had handed her manuscript over to this other company or this other individual or group of individuals who were essentially committing what's known as brand abuse,
which is pretending to be affiliated with a known and recognizable brand, such as Amazon,
when they actually have no affiliation with that brand.
Amazon has actually taken this issue to court because it is so prevalent.
And the issue is you're either getting no services or you're getting some service,
but you're not getting a good service.
So, you know, there was some editing, perhaps done on her manuscript, just not a lot.
Not good ones.
And not of a very high quality.
And we don't actually know whether they would have ultimately published her novel online or not.
But essentially, this is kind of how these frauds operate is, you know, through kind of preying on these brands.
And what kind of fraud is this?
So what's interesting is I spoke to a banker at RBC named Jeff Morton, who is in the fraud department.
And he told me that there's actually this trend in fraud where fraud is shifting.
So what used to be really common is what's known as unauthorized fraud.
And so an unauthorized fraud, essentially, someone tries to get into your bank account without your knowledge or authorization.
So maybe they got your credentials somehow.
Maybe you clicked on a link and you put in your credentials at some point.
And so they go into your bank account and they move your money out of your account into their own bank account or a crypto exchange or wherever without your knowledge.
So that's unauthorized fraud.
What we're seeing now, according to Jeff, is this shift towards what's known as authorized fraud.
And the difference is that in an authorized fraud, the payment is actually authorized by the victim.
So instead of trying to break into your bank account, the fraudsters are actually going to the victim, interacting with them, and trying to scam them through something like what happened to Crystal, for example.
And just to understand this in context, Alex, how big of a problem is this?
Well, fraud overall is a massive problem, not just in Canada, but globally.
It is a bit hard to get very precise stats on fraud because people understandably feel very embarrassed to admit that they have fallen prey to fraud.
And so they tend to not report instances of fraud.
But there is this thing called the Canadian Anti-Fraud Center, which is a data repository that is operated by law enforcement.
And according to the Anti-Fraud Center, fraud victims reported $647 million of losses last year, which was an increase from the previous year where they had reported $577 million.
And those numbers are actually just really a tip of the iceberg.
The center estimates that maybe like 5 to 10 percent of frauds are reported.
Yeah.
Wow.
And who exactly is being targeted by these scams?
well literally everyone we've all probably received at some point a text message phone call or email trying to convince us to invest in a fraudulent investment or you know click on a link so it's quite broad there are certain people who tend to be more susceptible generally anyone who is not as comfortable with technology might be more susceptible to being defrauded so elderly people tend to be prime targets anyone who is not as comfortable with technology might be more susceptible to being defrauded so elderly people tend to be prime targets
anyone with money. So like we do see very, very sadly, we see a lot of romance scams that are really targeting lonely, elderly people who have a large retirement funds set aside. So yeah, so those tend to be some of the more common victims. But as we see, you know, really like it can be anyone. It can be crystal quas to the communications professional in Waterloo, Ontario.
So Alex, you were saying that increasingly scammers are doing this thing called authorized fraud where they essentially trick.
people into giving away their information. What did experts that you spoke to say about why scammers
are changing their tactics? So it may actually be in response to the fact that banks have tightened
their controls in order to prevent unauthorized fraud. So there's a lot more authentication
steps that you have to go through to prove that you are who you say you are in order to gain
access into your bank account. Banks have also gotten better at spotting things like, you know,
somebody logging into your bank account from a different location than where you normally would
or, you know, at a different time or from a different device. And so there's all these additional
protections to protect us from someone gaining unauthorized access to our bank accounts. And so that
may have kind of pushed them. There's also some people I spoke to who suggested it's because
the sort of barriers to entry for committing a scam have really gone down thanks to things like
AI, deep fakes, there's like, you know, all these services you can buy online that will effectively
help you run a scam. And then, of course, we've all heard the stories about the scam compounds
overseas that are effectively like massive call centers of forced laborers who are, you know,
being forced to commit these scams on people. I imagine that must make it even harder to crack down
on the issue of fraud. It definitely makes it harder for law enforcement to actually catch the
perpetrators because, you know, if your victim is in Canada, but the fraudster is,
who knows where, it's not like the Canadian police can go and swoop in and arrest them.
They would have to work with law enforcement in that jurisdiction in order to shut down the
operation. And so we are seeing more collaboration between law enforcement in different
countries. When you were reporting on Crystal's story, what did it tell you about fraud liability
in Canada? That is a really important.
Interesting question. So this shift from authorized fraud to unauthorized fraud has opened this whole can of worms around who should be liable for this.
Because when you look at unauthorized credit card transactions, there's actually protections in the Bank Act that say consumer liability for an unauthorized charge to your credit card is limited to $50.
And so beyond that, it's going to be up to the bank or the credit card company to cover that loss.
But when it comes to authorized fraud, we actually don't have regulations in law stating who should be responsible.
And so what ends up kicking in is the agreement that you have with your banks.
So you know all that fine print that you probably didn't read.
And it's going to ultimately tell you that if you authorized the transaction, that generally means in most cases that you are on the hook for those losses.
But even then, like, it's kind of a patchwork is what I've learned.
Like, it depends on where you are.
It depends on your agreements.
It depends on the payment method that you used, right?
So those protections I mentioned earlier are only for credit card transactions, but not for a debit transaction.
So, you know, there's quite a bit of inconsistency in Canada around how this issue is dealt with.
We'll be right back.
Let's talk about the banks.
What exactly are they doing in Canada to try to keep up with this?
Well, there are a number of things.
So they've actually changed how they try to look for fraud.
So in addition to the things I mentioned earlier about all the authentication features that they've introduced,
they now have to look at whether a transaction that a customer is trying to make
is outside of that customer's normal pattern of behavior.
So, you know, Irene doesn't normally.
transfer half of her life savings to an account in the Cayman Islands. Maybe we should see what's up
with that. Yeah, not frequently. So that's like another thing that they're doing. They've also,
the CBA, the Canadian Bankers Association, has also put together this thing called the Canadian
Anti-Sam Alliance. And it's actually an attempt to bring together different players from across different
industries to find out how to best address this problem. Okay. So banks have better protection
against non-authorized fraud and it's a lower barrier of entry into this type of fraud.
But we know that this type of authorized fraud is indeed increasing.
So what makes these scams so difficult to respond to?
Well, part of the challenge, I think, is sometimes the victims can get so bought into the scam
that it actually can be like trying to break the spell that they're under.
I've heard stories of times when, you know, a bank has actually blocked a transaction and, you know, someone at the call center calls the person and says, hey, I see you're trying to transfer money to this entity. We think this is a scam. So that's why we've blocked your transaction. And the person will go, oh, no, no, no, like that's a real investment that I'm trying to make. Or that's my boyfriend overseas. He's in the Army. He's stationed in Afghanistan or whatever. And so they've so bought into this fantasy that they're going to get really rich from investment.
in this new thing or they're in love with someone and that person just needs a bit of money
so they can set up their life together. And so now you have these call center employees who
before, you know, when they were dealing with unauthorized fraud, all they had to do was call
the customer and say, did you authorize this transaction? Yes or no. No, that wasn't you.
Okay, cool. We're going to reverse that for you. Now they're having to break it to the victim.
Like, hey, I think you are the victim of a scam. Yeah. Your international boyfriend is
indeed exist. Exactly. Or he exists, but he maybe is not who you think he is. Yeah. And so that is
just such a new kind of challenge. At the end of the day, like the bank can't stop you from doing
what you want with your money, right? It's your money. And so if you're insistent that you really
want to complete this transaction, what can they do? And so I actually read this one story talking about
a digital bank based out of Britain called Revolut that was having suspected scam victims right down
on a piece of paper, like the bank told me this is likely a scam, but I asked to make this
transaction anyway and take a photo and pick up the piece of paper.
What about other countries? What do they say about the bank's liability and fraud cases?
Yeah, so there are countries that have created quite interesting models to try to approach
this sort of growing scam problem. So for instance, in Britain, they have this shared liability
model. And so what they're doing is for any kind of authorized push payment scam, which is when a
customer is essentially tricked into sending money to someone who's pretending to be a genuine payee,
the burden, the financial burden for compensating the victim is split 50-50 between the bank that
sent the money and the bank that received it. Okay. And so the idea then is that both banks on both
ends of the transaction are looking for signs that a transaction is fraudulent. Right, which of course is meant to
incentivize those banks to try to crack down on this? Yeah, to try to prevent the fraud from
happening because they don't want to have to pay back crystal cost for her fraudulent publishing
experience. In Singapore, they have a different model, which is a waterfall approach. And so it's
effectively, there's like a chain of command. And so, you know, first you've got the bank. And this is
for a fishing attack. And so first, first in line is the bank. And if the bank has met all of its legal
obligations under the law. So if they can say, look, we did, you know, steps one, two, three,
four, five, six to prevent this, but, you know, it was outside of our control. Then the
responsibility shifts to whatever telecom was involved as part of that scam. And then if the telecom
can prove that it met all of its obligations, for example, you know, we flagged that this number
was being spoofed or whatever, then ultimately the responsibility falls to the customer. Right. And of
course, with phishing, you're talking about the pH fishing of like sending an email or another
message to try to induce someone to click the link, click the link. Put in their password.
Okay. So really sharing the responsibility. Alex, I think you're touching on a question of regulation,
actually. You already mentioned that in Canada, it's a bit of a patchwork. But what do the regulations
in Canada say about who's responsible when somebody's been defrauded?
In short, very little when it comes to authorized fraud or scams.
For unauthorized fraud, we do have that language in the Bank Act, that customer liability
is capped at $50.
And that's only for credit card transactions.
We do have some changes coming in Quebec.
They're actually going to introduce some rules around extending that protection for
consumers to debit, so it's not just for credit.
So it would kind of bring debit transactions in line with credit card transactions.
But that is still for an unauthorized payment.
When it comes to authorized, we actually don't really have any regulations at all.
So it does come down to that agreement that consumers have with their bank.
Is that enough protection?
I think probably depends on who you ask.
If you're speaking to, you know, the victim of a scam, they would most likely tell you no.
If you're speaking to a bank, they might say, well, you know, why should we have to be?
be the ones to pay back consumers who are being scammed. Don't they have some responsibility to
prevent the scam? And then, you know, you've got all these other players in the chain, right? You've
got search engines. Like if you look at what happened with Crystal, there was the fact that
there was displayed near the top of the search results, this sponsored result, which was this
fraudulent website. You've got the social media companies that are connecting scammers with
victims, right? Like we often hear that the contact is through Facebook, for example.
So you've got, you know, social media sites in the chain.
You've got the telecoms who, whose networks are being used to send these, you know,
fishing texts and phone calls.
So there's a lot of different players in the chain.
And so I think that's why it's really interesting what Singapore has done, which obviously isn't
covering the whole gamut of potential players, but it is actually spreading around some of that
responsibility.
And at the end of the day, you know, the consumer does have a role to play in terms of trying to be
vigilant, but it can't necessarily be all on the consumer, right? There has to be skin in the game for
these other players. Is there any indication that something like what is happening in Singapore
spreading out the responsibility over multiple entities? Could that happen in Canada? Is anyone
or any groups advocating for a change like that or something else here? There is a consumer
advocacy group based out of Montreal called Option Consumateurs. And they have been advocacy.
for changes to the Bank Act that would not only do what is being done in Quebec in terms of
bringing other payment methods under the same protection, but also to kind of change the
definition of authorized or unauthorized fraud. Essentially, they're arguing that we should not
be calling it authorized if the consumer provided the information or the payment under false
pretenses. They did not actually authorize what they thought they were authorizing. And so they have
been lobbying for changes to the Bank Act. There has been some, you know, consultation going on.
I don't know whether this current government has any plans to change that, but it'll be an
interesting space to watch for sure. I mean, just to bring it back to Crystal, did she ever get
her money back? So she did get her money back. Crystal was sort of fortunate in that she had made
the payments to Amazon publishing. I'm doing publishing in air quotes here. On two credit cards,
a Scotia Bank card and a TD card. And Scotia Bank pretty much right away refunded her.
TD did take a bit longer. There was a bit of a protracted back and forth there. But ultimately,
they did end up refunding her money. And so that chapter of her publishing journey is hopefully
closed for good now. I should also mention that her book did come out. She did. She did
end up publishing it through Amazon's legitimate self-publishing arm.
Okay, that's really good to hear.
Just to wrap up, Alex, this conversation raises to me really interesting questions about how we
distribute blame and responsibility in society.
But it also taps into this question about trust and how we trust each other and institutions
and businesses.
I mean, how do you feel?
that this is shaping how we trust in the digital age?
That's a great question.
I mean, I think it's really complex.
I do think that the more prevalent that scams become,
the more our trust does get eroded in institutions,
in whether we're actually even dealing with the institution
that we think we're dealing with.
A quick anecdote I'll share is that a couple months ago,
one of my banks that I bank with actually called me
to offer me a credit limit.
increase and I was going to agree to it and then I got kind of sketched out because the banker
kept calling me and then sent me this document to docusign but he followed up like three times
in the same day and I started thinking it was a scam right and so I got so panicked I ended up
blocking this guy's phone number and sometime later my partner goes to the bank and the guy's like
hey how come you guys are dodging my calls I'm trying to offer you a credit limit increase
Hi, it's me. I'm a real guy. I exist. And he's like, oh, shoot, we blocked your phone number because we didn't think you were a real person. But I think it's really interesting because I wonder how much legitimate business is being stifled by people, you know, not wanting to answer their phones anymore if you don't recognize the phone number and, you know, thinking that something may be a scam when actually it's not. I think at the end of the day, like we all just kind of jumped into doing everything on the internet so fast, doing so much business and so many transnational.
transactions online, and we never actually really figured out first, like, how to properly
verify digital identity online. And so we've ended up in this kind of wacky place where
scams have become so, so prevalent. And I do think that there's, you know, now, especially
with AI and deep fakes, it's like, it's hard to know if what you're seeing is real anymore.
We're in this kind of post-truth reality. And it has made things.
pretty wacky out there.
Pretty wacky indeed. Alex,
thank you so much for joining us today.
Thank you for having me.
That was Alexander Posadsky,
financial and cybercrime reporter
for the Globe and Mail.
That's it for today.
I'm Irene Gallia.
Tiff Lamb produced this episode.
Our producers are Madeline White,
Mikhail Stein, and Ali Graham.
David Crosby edits the show.
Adrian Chung is our senior producer,
and Angela Pichenza is our executive editor.
Thank you for listening.