In 2025, a Vancouver law firm transferred $2.3 million CAD to a fraudster who had intercepted their invoice process and redirected the payment. The money was recovered — through international police collaboration, which is rare. Most businesses don't get it back.
Business email compromise (BEC) and invoice fraud are among the fastest-growing financial crimes in Canada. Unlike card fraud, there's no chargeback mechanism. Once an EFT or wire transfer settles, the money is gone. Your invoicing workflow is the weakest link in your payment security, and it's getting worse as AI tools lower the barrier to convincing fraud.
There are three dominant attack patterns. All of them exploit the gap between "an email that looks right" and "money going to the right place."
Vendor impersonation: the attacker compromises a supplier's email account, or spoofs it, and sends an invoice that looks identical to the genuine ones except for the banking details. The victim pays. The real supplier eventually follows up wondering why they haven't been paid; by then it's often weeks later and the funds are gone.
This is what happened in the Vancouver law firm case. The attacker intercepted an email thread and redirected a legitimate real estate transaction payment.
Warning signs: Bank details that differ from previous invoices. A request to update payment information via email. Urgency framing ("please process today, we're changing banks").
CEO fraud: the attacker spoofs or compromises the CEO's or owner's email and sends an urgent wire transfer request to the employee who handles payments. It's typically framed as time-sensitive (a deal closing, a confidential acquisition, a tax obligation), and the employee processes it before verifying.
This attack exploits authority and urgency together. Employees are conditioned not to delay when the boss asks for something immediately. The fraudsters know this.
Warning signs: CEO email from a lookalike domain or a personal address rather than the usual one. Request for an unusual payment method (wire instead of normal EFT). "Don't discuss with anyone else" language.
Invoice manipulation: the attacker gets access to the mail flow, either through a compromised mailbox on one side or by monitoring forwarded email threads, and edits the banking details in a legitimate PDF invoice before the recipient reads it. The sender and the body of the email are genuine; only the PDF has been altered.
This attack is hard to detect precisely because nothing is spoofed. The invoice looks right, the vendor relationship is real, and the thread is the one you were already in. Only the account number is wrong.
Warning signs: Bank details that don't match your records. Invoice metadata that shows recent editing in document properties.
KPMG Canada's March 2026 fraud report found that 60% of Canadian businesses had been targeted by AI-generated email fraud, and 39% had encountered deepfake document fraud — invoices, purchase orders, and payment confirmations fabricated by AI tools that are now accessible to anyone.
The traditional defence against BEC was catching obvious signs: grammatical errors, odd phrasing, sender domains that were close-but-wrong. Generated text removes the first two entirely and buries the third in otherwise flawless copy. A generated phishing email in 2026 reads exactly like a message from a professional supplier. Deepfake invoices have correct logo fonts, spacing, and formatting. The cognitive shortcuts your accounts payable team uses to decide "something seems off" no longer work.
AI voice cloning adds another layer. The CAFC has documented cases where fraudsters called businesses with a cloned voice of the CEO to follow up on the email request. The employee heard what sounded like their boss confirming the wire transfer. They processed it.
The hard truth about EFT and wire transfers: they are push payments, and once settled there is no chargeback-style mechanism to reverse them. The sender authorized the payment, so the sender bears the loss.
There's a narrow window — 24 to 48 hours — during which your bank may be able to place a recall request. This only works if the receiving bank cooperates and the fraudster hasn't already withdrawn the funds. In practice, fraud proceeds move internationally within hours.
Credit card: Chargeback mechanism exists. 60–120 day dispute window. High recovery rate for fraud.
Interac e-Transfer: Autodeposit cannot be recalled. Manual-deposit transfers can sometimes be recalled if unclaimed. Very limited recovery once accepted.
EFT / PAD: Can be reversed if fraud is caught quickly and receiving institution cooperates. 24–48h window. Not guaranteed.
Wire transfer: Almost never recovered. Once international, tracing is difficult without law enforcement involvement.
The Vancouver law firm recovered their $2.3 million because it involved a large enough sum to trigger international police involvement (RCMP + CAFC + Interpol coordination) and the funds hadn't moved out of a recoverable jurisdiction yet. This outcome is exceptional. For smaller amounts — the $30,000–$200,000 range most SMB fraud targets — law enforcement resources aren't deployed at that scale.
Banks also have limited liability for authorized push payment fraud. If an employee at your company was deceived into authorizing the transfer, the bank generally treats that as your authorized action. This is different from unauthorized card fraud, where bank liability rules are clearer.
Any request to change banking details, for any supplier, ever, gets verified by a phone call to a number you already have on file. This one process stops vendor impersonation cold.
The number must come from your contact database or from previous invoices, never from the email requesting the change. Fraudsters include their own phone number in the same email and will happily "confirm" the new details if you call it.
No single person should be able to update supplier banking information in your accounting system without a second person confirming. This is standard treasury policy in large organizations — apply the same principle at SMB scale. Two people need to sign off: the one who received the change request and one other.
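The two controls above, callback to the number on file and sign-off by two different people, can be enforced by the workflow rather than left to memory. The following is an added example written for this article, not code from any accounting product; supplier names, phone numbers and account identifiers are constructed, and the data model is an assumption about how a small accounts-payable tool might record a change request.

```python
"""Supplier bank-detail change control: callback to the number on file plus dual approval.

Added example for this article, not code from any named accounting product.
It models the two controls described above as checks a workflow can enforce
before a supplier's banking details are updated. All names and data are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Supplier:
    name: str
    phone_on_file: str      # from your own contact database or previous invoices
    bank_account: str       # current banking details on record


@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    phone_in_request: str   # number quoted in the requesting email; untrusted
    received_by: str        # staff member who received the request
    callback_number: Optional[str] = None
    callback_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)


class BankChangeControl:
    """Refuses to apply a change until both controls are satisfied."""

    def __init__(self, suppliers):
        self.suppliers = {s.name: s for s in suppliers}

    def record_callback(self, req, number_dialled, staff):
        # Record what was actually dialled; blockers() judges whether it was the right number.
        req.callback_number = number_dialled
        req.callback_by = staff

    def approve(self, req, staff):
        if staff not in req.approvals:
            req.approvals.append(staff)

    def warnings(self, req):
        """Signals worth a closer look, even though they do not block the change."""
        sup = self.suppliers[req.supplier]
        notes = []
        if req.phone_in_request != sup.phone_on_file:
            notes.append("phone number in the request differs from the number on file")
        return notes

    def blockers(self, req):
        """Unmet controls; an empty list means the change may be applied."""
        sup = self.suppliers[req.supplier]
        problems = []
        if req.callback_number is None:
            problems.append("no callback recorded")
        elif req.callback_number != sup.phone_on_file:
            problems.append(f"callback went to {req.callback_number}, not the number on file ({sup.phone_on_file})")
        approvers = set(req.approvals)
        if req.received_by not in approvers:
            problems.append("the person who received the request has not signed off")
        if len(approvers) < 2:
            problems.append("a second, different approver is required")
        return problems

    def apply(self, req):
        problems = self.blockers(req)
        if problems:
            raise PermissionError("; ".join(problems))
        self.suppliers[req.supplier].bank_account = req.new_account
        return req.new_account


def demo():
    """Constructed scenario: a bank-change email quotes the attacker's phone number."""
    ctl = BankChangeControl([Supplier("Northshore Supply", "+1-604-555-0100", "CA-001-111")])
    req = ChangeRequest("Northshore Supply", "CA-099-999", "+1-604-555-0199", received_by="dana")
    warnings = ctl.warnings(req)

    # Wrong: staff dial the number printed in the email, and only one person approves.
    ctl.record_callback(req, req.phone_in_request, "dana")
    ctl.approve(req, "dana")
    first_attempt = ctl.blockers(req)

    # Right: callback to the number in the contact database, then a second approver.
    ctl.record_callback(req, "+1-604-555-0100", "dana")
    ctl.approve(req, "sam")
    second_attempt = ctl.blockers(req)
    applied = ctl.apply(req) if not second_attempt else None
    return warnings, first_attempt, second_attempt, applied


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the callback is judged against the supplier record, not against whatever the requester typed, so dialling the number in the email is recorded but never counts. The same shape applies whether the "system" is an ERP workflow or a shared spreadsheet with a sign-off column.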
An emailed PDF can be replaced by anyone with access to a mailbox in the chain. Sending invoices through a portal (Xero, QuickBooks Online, Wave, FreshBooks) means the invoice is retrieved from the sender's system rather than forwarded as a file, so an attacker who reads the email gets a link, not a PDF they can edit. The caveat: an attacker who controls a mailbox can swap the link for a phishing page, so staff should open the portal from a bookmark or by typing the address, and treat a link to an unfamiliar domain as a change request in disguise.
Ask your key suppliers to do the same when sending to you. This creates a two-sided audit trail.
If your email domain doesn't have SPF, DKIM, and DMARC configured, attackers can send mail that appears to come from your exact domain, which is the simplest form of CEO fraud. Configuration takes about an hour with your DNS provider and your email host; consult a managed IT provider or your email admin if you're not sure how to do it. Be clear about what these records cover: DMARC tells other mail servers how to treat unauthenticated mail claiming to be from your domain, so it protects your suppliers and customers from being spoofed in your name. To protect your own staff, your inbound mail provider must enforce DMARC on the mail it receives, and no DNS record stops mail from a lookalike domain or from a genuinely compromised account.
A properly configured DMARC policy (at minimum p=quarantine, moving to p=reject once the aggregate reports show your legitimate mail passes) means spoofed emails from your domain get quarantined or rejected by recipient mail servers that enforce it.
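Checking what your domain actually publishes is a two-command job, and the weak settings are easy to spot once you know the tags. The following audit is an added example for this article, not part of the original page: it does no DNS lookups of its own, so feed it the strings returned by `dig +short txt _dmarc.example.ca` and `dig +short txt example.ca` (DKIM is per selector and needs the selector name, so it is not covered here). The sample records are constructed to show a common weak setup beside the corrected one.

```python
"""Audit the SPF and DMARC TXT records for a domain, with weak and corrected records side by side.

Added example for this article, not part of the original page. It does no DNS
lookups; feed it the record strings you get from, for example,
`dig +short txt _dmarc.example.ca` and `dig +short txt example.ca`. The sample
records below are constructed.
"""


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of weaknesses in a DMARC record; empty means it enforces."""
    if not record:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings


SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def audit_spf(record):
    """Return a list of weaknesses in an SPF record; empty means it is usable."""
    if not record:
        return ["no SPF record: receivers cannot tell which servers may send for you"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["malformed SPF record (must start with v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name == "redirect" or name in SPF_LOOKUP_MECHANISMS:
            lookups += 1            # RFC 7208 caps DNS-querying terms at 10
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: any server on the internet may send as your domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result, offers no protection")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; SPF evaluates to permerror")
    return findings


def audit_domain(dmarc_record, spf_record):
    return {"dmarc": audit_dmarc(dmarc_record), "spf": audit_spf(spf_record)}


# Constructed records: a common weak setup and the corrected version.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
FIXED_DMARC = "v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc@example.ca; adkim=s; aspf=s"
FIXED_SPF = "v=spf1 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, dmarc, spf in (("weak", WEAK_DMARC, WEAK_SPF), ("fixed", FIXED_DMARC, FIXED_SPF)):
        print(label, audit_domain(dmarc, spf))
```

A "~all" softfail is deliberately not flagged: DMARC treats it as an SPF failure, so with an enforcing DMARC policy it still blocks spoofing while being safer to roll out than "-all".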
Before paying an invoice you haven't seen before, or where the banking details differ from your records, open the PDF and check its document properties in your PDF reader (in Acrobat, File → Properties → Description). The "Created" and "Modified" dates there are the document's own metadata, not the file-system dates Windows shows, which only reflect when you downloaded it. If a January invoice was "modified" yesterday, that's a red flag worth investigating before payment.
This is a 30-second check that catches a specific class of manipulation fraud. It only works in one direction: metadata is trivially stripped or forged, so clean dates prove nothing, and the bank details still get compared against your records either way.
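The same check can be scripted for every invoice that lands in an accounts-payable mailbox. The following is an added example for this article, not code from the original page: it reads the CreationDate and ModDate entries straight out of the PDF's Info dictionary, so it needs no PDF library, and it handles only the literal-string form of those entries (hex strings and XMP metadata are out of scope). The sample PDFs are constructed skeletons with just enough structure for the metadata to be parsed, and treating a missing time zone as UTC is an assumption.

```python
"""Check a PDF invoice's document-property dates for signs of later editing.

Added example for this article, not code from the original page. It reads the
CreationDate and ModDate entries of the PDF's Info dictionary directly (literal
string form only), so it needs no PDF library. The sample PDFs are constructed
skeletons with just enough structure for the metadata to be parsed.
"""
import re
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# D:YYYYMMDDHHmmSSOHH'mm'  (everything after the year is optional)
_PDF_DATE = re.compile(
    rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+\-])?(\d{2})?'?(\d{2})?"
)


def parse_pdf_date(raw: bytes) -> Optional[datetime]:
    """Turn a PDF date string into an aware datetime; a missing zone is treated as UTC (assumption)."""
    m = _PDF_DATE.match(raw.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, sign, tzh, tzm = m.groups()
    tz = timezone.utc
    if sign in (b"+", b"-"):
        offset = timedelta(hours=int(tzh or 0), minutes=int(tzm or 0))
        tz = timezone(offset if sign == b"+" else -offset)
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0), tzinfo=tz)


def extract_date(pdf: bytes, key: bytes) -> Optional[datetime]:
    """Pull /CreationDate or /ModDate from the Info dictionary."""
    m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", pdf)
    return parse_pdf_date(m.group(1)) if m else None


def check_invoice_metadata(pdf: bytes, invoice_date: date, tolerance_days: int = 3):
    """Return (created, modified, flags). Flags are reasons to verify before paying."""
    created = extract_date(pdf, b"CreationDate")
    modified = extract_date(pdf, b"ModDate")
    flags = []
    if created is None and modified is None:
        flags.append("no date metadata: cannot corroborate, treat as unverified")
    if created and modified and modified - created > timedelta(days=tolerance_days):
        flags.append(f"file modified {(modified - created).days} days after it was created")
    if created and abs((created.date() - invoice_date).days) > tolerance_days:
        flags.append("creation date does not match the invoice date printed on the document")
    return created, modified, flags


def check_file(path: str, invoice_date: date):
    """Convenience wrapper for a PDF on disk."""
    with open(path, "rb") as fh:
        return check_invoice_metadata(fh.read(), invoice_date)


def constructed_pdf(creation: bytes, modified: Optional[bytes] = None) -> bytes:
    """Minimal PDF skeleton for this example (no xref table; enough for metadata parsing)."""
    info = b"/Producer (Constructed example) /CreationDate (" + creation + b")"
    if modified:
        info += b" /ModDate (" + modified + b")"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << " + info + b" >> endobj\n"
            b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")


def demo():
    """Three constructed cases: a January invoice re-saved in March, a clean one, and one with no dates."""
    printed_date = date(2026, 1, 12)
    tampered = constructed_pdf(b"D:20260112093000-08'00'", b"D:20260314151500-07'00'")
    clean = constructed_pdf(b"D:20260112093000-08'00'", b"D:20260112093000-08'00'")
    no_dates = b"%PDF-1.4\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return tuple(check_invoice_metadata(p, printed_date)[2] for p in (tampered, clean, no_dates))


if __name__ == "__main__":
    for flags in demo():
        print(flags or ["nothing unusual in the metadata"])
```

The tolerance exists because suppliers legitimately re-save invoices a day or two after generating them; what the check surfaces is a document edited long after its printed date, or one with the dates removed altogether, both of which warrant the callback before payment rather than after.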
Speed is everything. If you believe you've just sent a fraudulent payment:
Canada's real-time rail (RTR) rollout — detailed in our RTR guide — includes a feature called Confirmation of Payee (CoP) as part of phase 2, expected around 2027. CoP allows a sending bank to verify that the account holder name matches the expected payee before a payment is processed. In the UK, CoP has demonstrably reduced authorized push payment fraud since its 2020 launch.
Until then, the existing EFT and wire infrastructure has no equivalent verification step. The receiving account holder's name is never checked; a payment is routed purely on institution number, transit number and account number. This is the structural gap that BEC exploits.
CoP won't eliminate fraud, but it will catch the simplest case: a fraudster redirecting payment to an account in a different name than the expected supplier. Combined with callback verification, it significantly raises the bar for successful attack.
☐ Written policy: all banking detail changes require a callback to a known number
☐ Dual approval required in accounting system for any supplier banking change
☐ DMARC/SPF/DKIM configured on your email domain
☐ Invoices sent via portal (Xero/QuickBooks/Wave) not email attachment
☐ Staff training: what CEO fraud looks like, what to do if an unusual payment request arrives
☐ Cyber insurance coverage confirmed and policy reviewed for fraud reporting windows
For broader payment security context, see our guide on payment fraud prevention for Canadian merchants. If you're evaluating whether your current payment setup reduces your fraud exposure, the processor comparisons at compare payment processors include fraud tooling differences.