Melissa Plett, who has called Quebec home for 14 years, is speaking out after losing near $15,000 in a scam targeting RBC customers.
On June 13, she received a call that appeared to be from RBC, warning her of fraudulent activity involving her account.
“They called in regards to claiming there was a fraud happening in Vancouver, that there was taking place in Vancouver, $2,000 was being removed from my account,” Plett explained. “They instructed me to walk through security steps to secure one of my devices.”
Despite not clicking on any links or sharing codes, the scammers gained access to her account.
“While using the app, they somehow gained access to my account. They continued to walk me through fake security steps while moving money out and around in my account,” she said.
Plett says she lost about $10,000 via e-transfers from her personal account, and another $5,000 through via wire transfer from her business account.
The scammers even created a profile using Plett’s own name to divert e-transfers to someone else.
“RBC confirms that there are multiple IP addresses active in my account at the time… despite evidence, they’re refusing to help me at all,” Plett expressed.
Plett says the scam call felt real because it closely resembled a legitimate call she received from RBC two months earlier when her credit card was hacked.
“When they called me now in June, they essentially said the exact same thing. So it felt exactly the same as two months ago. I had no reason to disbelieve it wasn’t RBC because everything they said sounded like an RBC script,” she said.
During the call, she used two-factor authentication codes she received via the RBC app, believing it was a normal security procedure.
Plett’s suspicion only began after receiving a follow-up call from her bank.
“As soon as this call was done, the real RBC called me, said, ‘Hi, this is RBC. There’s fraudulent activity happening in your account.’ And I said, ‘Yeah, I know, I was just talking to you.’ And then they said, ‘Well, that wasn’t us. That was someone else.’”
Plett wants RBC to take responsibility for the security breach.
“I don’t know how these people managed to send calls as RBC appearing on the thing. I don’t know how they managed to send texts from RBC… The bank needs to be responsible for something.”
She highlighted that scammers managed to transfer money from her mortgage line of credit to her checking account and alter her e-transfer profile.
“It feels frustrating because the bank is trying to refuse any responsibility and yet clearly somehow they’re getting hacked or something.”
RBC tells CityNews that while they can’t comment on the specifics of Plett’s situation, they say they take client concerns seriously and are communicating with their client directly.
“We understand that experiencing fraud or a scam can be a difficult and stressful event,” said Cheryl Brean, director of communications for personal and commercial banking at RBC. “We encourage clients to contact us if they believe they have been impacted by a scam or fraud.”
She added that the bank has “a team of dedicated fraud experts working 24/7 to prevent, detect and investigate fraud,” and that it collaborates with industry associations, government and law enforcement.
The bank also outlined warning signs for customers to watch out for. It says an RBC representative or employee will never:
“In case of any doubt, clients should communicate with us by calling the number on the back of their debit or credit card,” Brean said.
Plett urges others to be cautious with phone calls claiming to be from banks.
“If the bank is calling you and you don’t answer your phone, they will leave a message, then wait a bit and call the number on the back of your debit card. Do not hit redial. If they don’t leave a message, it’s a scammer.”
She has escalated her case with RBC multiple times and hopes to see justice.
“If they still refuse to help me after that, and the media’s help, then I will take it to the next steps… I know there are more steps in which you can fight it.”
Plett also notes that more than 220 people in Quebec have experienced similar scams, yet RBC has not issued a warning.
She expressed her frustration over scammers.
“They’re 130,000 per cent taking advantage of people. What they’re doing is wrong. They are soulless. And it’s heartbreaking because people are being scammed out of their entire life savings.”
She also calls for empathy towards victims. “I hope it never happens to you, because these guys are good and it’s not fair to bash people when they’re down for making an honest, seemingly honest mistake at the time.”
Carmi Levy, a technology analyst based in London, Ont., and originally from Montreal, explains how scammers can take over accounts without victims sharing their passwords.
“Even though the victim doesn’t actually click on a link or sign in for them, in answering those questions, they can provide some information that would allow the perpetrators… access to their account. It’s called a socially engineered attack.”
Levy warns that scammers are highly sophisticated at mimicking legitimate institutions.
“The first thing you need to assume is that every time your phone rings, it is a fraudulent call. Even if you look at your screen display and it says your bank, or it says your insurance company, or the governments of Canada, the CRA, whatever it is, assume that it’s not legitimate. If you do indeed wanna double-check that — yeah, did my bank call me with a problem — you can end the call right there, and then you call your bank directly using a number that you’ve obtained from other sources.”
When asked who should be responsible for preventing such fraud, Levy said it’s a “shared responsibility.”
“Banks certainly need to be doing more to tighten their security rules, their protocols, the technologies they use, their apps, their platforms, their websites, and customers also need to tighten their personal security plans. They need to be a lot more cynical, they need to be a lot more aware, they need to be a lot more conscious of the kinds of threats — evolving threats — that they are facing every time they open up an app or every time they receive a phone call. So everyone needs to raise their game here. It’s very difficult to assign fault to one person or one organization; we all have a role to play here.”
Levy describes this type of fraud as particularly dangerous because it comes from sources victims believe to be trustworthy.
“The scammers are getting inside of that circle of trust. They’re pretending to be someone that we have dealt with previously. They’re using all of the tools to fake like they are, in fact, them. And it means that they’re essentially opening the door to taking us for tens of thousands of dollars or more. And so it is particularly dangerous because it doesn’t seem like a fraud until afterward, when you realize you have been had. And so that’s the ultimate crime — it’s not big and flashy. It’s quiet and stealthy. And you only realize after the fact that you’ve been victimized.”
“That’s the problem here — none of this looks like fraud. It doesn’t feel like fraud. And so we have to change our game as well in order to accommodate this. And we need to recognize also that scammers — cyber criminals — are getting better all the time. So they’re constantly learning from their experience in the field, and they’re becoming more sophisticated almost by the day. A couple of months from now, there will be another victim. They’ll have been victimized using even more sophisticated means. We always have to be on the lookout.”
Levy urges people to reduce online oversharing and improve password security. “Start sharing less and start sort of being conscious of what you share and with whom.” He adds that this simple awareness can go a long way toward making life harder for criminals.
He also stresses the importance of passwords as a last line of defence.
“We often use the same easy-to-guess password that has been around since we were in high school,” he explains, and many people reuse that password across multiple services. He says that when there is a security breach, “that almost gives criminals a master key to all of your accounts.”
To protect yourself, Levy recommends following smart password protocols: “Change your passwords often. Make them difficult to guess. Use a password management app.” He also highlights the need to stay informed about major breaches and act quickly — “the first thing that you need to do is change your password; that slams the door on them rather easily.”
Finally, Levy advises turning on two-factor or multi-factor authentication. “That way, if they get your password, there’s still another lock on the digital door. They won’t get into your account.” Levy says that small but consistent changes like these in every-day online habits can make a significant difference in reducing your vulnerability to cyber attacks.
Levy points out that while the PR departments of major Canadian banks claim they are doing everything possible to maximize online security, the reality falls short.
“There is no real-time capability to detect fraud,” he said.
Even after banks are notified about fraud incidents, he says that many victims report that the response is inadequate and that legitimate customers aren’t protected as well as they could be.
Levy emphasizes that security is a shared responsibility—everyone has a role to play. However, he also highlights that if banks truly wanted to, they could invest more resources to ensure real-time awareness of security breaches.
“But they don’t because there are no laws in place that require them to,” he said.
