
Bank Impersonator Scams: How to Spot a Fake Call From Your Bank

Part of our guide: Phishing, scams & account security

The phone rings. The caller knows your name, says they’re from your bank’s fraud department, and warns that suspicious activity has been spotted on your account. They sound calm and professional, the number on your screen even looks right — and they need you to act now to protect your money.

It’s one of the most effective scams going, and it works on careful people every day. Bank impersonator fraud preys on trust and urgency rather than any weakness in technology. The caller doesn’t need to break into anything — they just need to convince you to open the door yourself. Businesses are a favourite target because the accounts are larger, payments move in bigger batches, and a single fraudulent transfer can drain serious money before anyone notices.

This guide walks through exactly how these scams unfold, the red flags that give them away, the controls that stop them at a business, and what to do in the first hour if you think you’ve been hit.

How the scam works

Bank impersonator scams usually start with an unexpected contact — a call, text, or email claiming there’s a problem with your account. The fraudster’s goal is to manufacture enough panic that you stop questioning and start complying. Everything that follows is theatre designed to keep you on that emotional edge.

Once they have your attention, the impersonator will try to do one or more of the following:

  • Ask for your credentials — your user ID, PIN, password, or a one-time security code or token. A one-time code is the single key to your account; reading it out loud hands it straight to the attacker.
  • Get you to install software. They’ll ask you to download a “security tool” or remote-access app so they can “help” — which really lets them see your screen and control your device while you’re logged in.
  • Send you to a fake login page. They provide a link or read out a web address and ask you to sign in, capturing whatever you type.
  • Redirect your communications. Some will ask you to forward your calls, texts, or emails to another number or address so they can intercept the verification messages your bank sends.
  • Pull in a colleague. In a business, they may ask you to loop in whoever can approve a payment, add a user, or release a token — spreading the pressure across your team.

Once they have what they need, they can log in as you — moving money, adding new users, or issuing new tokens — often before you realize anything is wrong. The whole sequence can take less than ten minutes.

What it looks like in practice

Scams feel abstract until you see the script. Here are two realistic walkthroughs.

The personal “fraud alert” call. Your phone shows what looks like your bank’s number. The caller introduces themselves by name and an employee ID, then says they’ve blocked a suspicious $1,900 purchase and need to verify it wasn’t you. To “cancel” it, they say, they need the code that was just texted to you. The text really does arrive — because the scammer just triggered a password reset or a login on your account, and that code is what completes it. Read it out, and you’ve authorized them in. A real bank cancels a fraudulent charge on its own; it never needs your code to stop a payment.

The business token-theft call. Someone calls your accounts-payable clerk claiming to be from the business banking team, investigating an unusual outgoing wire. They sound knowledgeable, reference your company name, and create urgency: the account may be frozen unless it’s resolved now. They ask the clerk to open online banking using a link they provide, and to read back the token code to “release the hold.” With the login and token in hand, the fraudster adds themselves as a user, raises a transfer limit, and pushes a payment through — sometimes looping in a second staff member to approve it, so the fraud passes your own internal checks.

In both cases nothing was “hacked.” The credentials and approvals were handed over, politely, under pressure.

The red flags that give it away

Train yourself and your team to notice the tells. A genuine call from your bank won’t tick these boxes:

  • Manufactured urgency. “Act now or lose your money / your account will be frozen.” Pressure is designed to stop you thinking and checking.
  • A request for secrecy. Being told not to tell anyone, or to handle it quietly, is a fraud signal — not a security measure.
  • Asking for codes, PINs, or passwords. No legitimate bank employee needs your one-time code, PIN, or full token to verify you or to cancel a transaction.
  • Caller ID that “proves” it’s them. Numbers are trivially spoofed. A familiar number on your display is not proof of anything.
  • Inbound links. A texted or emailed link that takes you to a login page is a classic credential trap, no matter how perfect the branding looks.
  • A request to install software or grant remote access to “help” or “secure” your device.
  • A request to forward your calls, texts, or emails elsewhere.

If a single one of these appears, treat the contact as a scam until you’ve verified otherwise through your own channel.

What your bank will never ask you to do

The most useful thing you and your staff can memorize is the short list of things a legitimate bank simply does not do. No matter how official the caller sounds, your bank will never:

  • Ask you to install remote-desktop or remote-access software as part of a “security check.”
  • Send a text or email link that asks you to sign in or enter your credentials.
  • Ask you to forward your phone calls, texts, or emails to another number or address.
  • Ask you to read out your PIN, password, or full security-token code to cancel, reject, or reverse a payment.
  • Pressure you to act immediately or keep the call secret.

If a request does any of these, it’s a scam — full stop.

What to do if you get a suspicious call or message

The safest response is to slow everything down and verify on your own terms:

  • If it’s a phone call, hang up. Don’t share any information, and sign out of any banking session you have open. Hanging up on a real bank costs you nothing; staying on with a scammer can cost you everything.
  • If it’s a text or email, don’t click. Treat every link as untrusted, no matter how convincing the branding looks.
  • Call your bank back on a number you trust — the one printed on the back of your card or on the bank’s official website. Never use a callback number, link, or address the caller gave you, and never assume the number on your call display is genuine.
  • Wait out the urgency. Scammers rely on momentum. Even a five-minute pause to call back on a known line is usually enough to break the spell. Real bank issues survive a phone call.
  • Verify before you act. If you’re being asked to approve a payment, add a user, or release a token, confirm directly with your bank through a known channel first.

Building defences at your business

For a business, awareness is the first layer but it shouldn’t be the only one. The same controls that stop bank impersonator fraud also blunt related attacks like business email compromise, where an attacker poses as a supplier or executive instead of the bank.

  • Out-of-band verification. Make it standard practice that any request to move money, change banking details, add a payee, or grant access is confirmed by calling a known number — never one supplied in the message or call.
  • Dual approval. Require a second, independent approver for large payments, new payees, new users, and limit changes, so no single employee can be talked into a transfer on their own.
  • Transaction and user limits. Cap daily transfer amounts and restrict who can add users or issue tokens. Lower limits turn a catastrophic loss into a recoverable one.
  • A written callback policy. Give staff an explicit, blameless rule: any unexpected “bank” or “vendor” call about money gets hung up on and called back on a verified number. Make following the policy the expected behaviour, never something an employee gets in trouble for.
  • A clear reporting path. When staff know exactly who to tell, a suspicious call becomes an early warning instead of a quiet loss. Our guide on what to do after a phishing click walks through the first hour.
  • Multi-factor authentication everywhere. It makes a stolen password far less useful on its own — and the codes must never be shared with a caller, no matter what they claim.
  • Security awareness training. The people who handle money and approvals are the real targets. Regular, realistic training — including practice calls — keeps these tactics fresh and makes “let me call you back” the reflex.

The pattern that protects you is simple to state and hard for a scammer to beat: no money moves and no access is granted on the strength of an inbound call or message alone.
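The controls above can be enforced in software as a release gate in front of payments and access changes. The sketch below is an added example, not code from any bank or product; the thresholds, field names, and sample request are assumptions made for illustration. It also shows why dual approval alone does not stop the token-theft call described earlier, where a second staff member is talked into approving.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration only; set your own limits.
DUAL_APPROVAL_THRESHOLD = 10_000   # payments at or above this need a second approver
DAILY_LIMIT = 50_000               # cap on total outgoing transfers per day
SENSITIVE_ACTIONS = {"add_payee", "add_user", "issue_token", "change_limit"}

@dataclass
class Request:
    action: str                      # "payment" or one of SENSITIVE_ACTIONS
    requested_by: str
    amount: int = 0
    origin: str = "internal"         # or "inbound_call" / "inbound_message"
    callback_verified: bool = False  # confirmed by calling a known number
    approvers: set = field(default_factory=set)

def evaluate(req, spent_today=0):
    """Return (allowed, reasons); every failed control is reported."""
    reasons = []
    # Out-of-band verification: an inbound contact alone authorises nothing,
    # even when the request already carries valid approvals.
    if req.origin != "internal" and not req.callback_verified:
        reasons.append("inbound request not confirmed by callback on a known number")
    # Dual approval: the requester cannot act as their own second approver.
    needs_second = (req.action in SENSITIVE_ACTIONS
                    or req.amount >= DUAL_APPROVAL_THRESHOLD)
    if needs_second and not (req.approvers - {req.requested_by}):
        reasons.append("no independent second approver")
    # Transaction limit: keeps a successful fraud recoverable.
    if req.action == "payment" and spent_today + req.amount > DAILY_LIMIT:
        reasons.append("daily transfer limit exceeded")
    return (not reasons, reasons)

# Constructed sample: a wire prompted by a phone call, already approved by a
# second employee who was looped in by the caller.
WIRE_FROM_CALL = Request("payment", "ap_clerk", 25_000, "inbound_call",
                         False, {"finance_manager"})

if __name__ == "__main__":
    allowed, reasons = evaluate(WIRE_FROM_CALL)
    print("released" if allowed else "held: " + "; ".join(reasons))
```

The sample request is held even though it has a valid second approver, because the callback check is evaluated independently of who approved.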

If it happens to you: the first hour

If money has already moved, or you’ve shared a code or granted access, speed matters more than anything. Recovery is often possible — but the window is short.

  1. Call your bank’s fraud line immediately using a verified number. Ask them to freeze the account, reverse or recall any pending transfers, and lock out unauthorized users or tokens. Funds can sometimes be clawed back if you act within hours.
  2. Cut off any remote access. If you installed software or let someone control your screen, disconnect the device from the internet, uninstall the tool, and have the machine checked before using it for banking again.
  3. Change credentials from a clean device: reset your passwords, and remove any forwarding rules the scammer may have set on your phone or email.
  4. Preserve the evidence. Note the phone numbers, times, names used, and any links or messages. Don’t delete them; they help your bank and investigators.
  5. Report it to the Canadian Anti-Fraud Centre (1-888-495-8501). Reporting feeds national fraud intelligence even when individual recovery isn’t possible, and it may be required for an insurance claim.
  6. Tell your team. If it targeted your business, warn other staff immediately — these campaigns often hit several people in the same organization in quick succession.

A note specific to Canada: many of these scams end in an Interac e-transfer or wire, both of which can be very difficult to reverse once the receiving account empties out. That’s exactly why the out-of-band verification habit matters so much — by the time a transfer looks wrong, the money is often already gone.

The habit that beats them all

Bank impersonator scams succeed by rushing you past your better judgment. Every defence above comes down to one habit: when a call or message about your money feels urgent, stop, hang up, and verify through a channel you trust. A real bank issue will still be there after you call back on a number you chose. A scam usually won’t survive the pause.

If you’d like help putting the right training, policies, and controls in place to protect your business from social-engineering fraud, contact our team.
