Interac e-Transfer Scam: Real vs. Fake

The short answer

There are two Interac e-Transfer scams, and they mirror each other. The one you receive: a fake "you've received money" email copies the Interac logo and gold "Deposit your money" button, then sends you to a counterfeit bank login that steals your password — the sender and link use a look-alike domain, not interac.ca. The one that hits when you send: if the recipient isn't on Autodeposit, the money waits behind a security question, and a fraudster who guessed or read the answer can answer first and divert it — CIBC describes this exactly. One setting closes both: Autodeposit, which Interac says "bypasses the email and security question and answer steps." Below is the real email beside the fake, then a beat-by-beat decode.

For most people the scam arrives as a single email: an Interac e-Transfer notification saying money is waiting, with a gold "Deposit your money" button. The trouble is that a genuine notice and a fake one look almost identical — same logo, same button. Here is the real email beside the scam, and the three details that separate them.

Real vs. fake. The scam copies the logo and the gold button — the giveaways are the look-alike sender and link domain, and the panic clock. Recreated examples; illustrative, links disabled.

Why the security question is the weak point

An e-Transfer to someone not on Autodeposit is protected by a single shared secret: the security question and its answer. The system assumes only the right recipient can answer it. But that assumption breaks in ordinary ways. People pick answers that are easy to guess or already public — a pet's name, a street, a favourite team. They reuse the same answer across many transfers. And if a fraudster has gotten into the recipient's email, the notification and, often, the answer are sitting right there to read. CIBC spells it out: fraudsters "guess the correct security answer, use previous answers, or check for emails containing the security question and answer to redirect the funds." Answer first, and the money is theirs.

This is the mirror image of the fake bank-text scam: there, you're tricked into handing over a login code; here, the secret that protects your money is something a stranger can simply guess or read. Either way, the safeguard is only as strong as a piece of information someone else can get hold of — which is why removing the secret entirely, with Autodeposit, is the real fix.

Anatomy of an interception — decoded

Interception isn't a hack of Interac or your bank. It's a quiet exploitation of the one step where the money pauses. Naming each move makes the gap visible.

1The transfer waits behind a question

You send an e-Transfer to someone who isn't on Autodeposit. Interac holds the funds and protects them with a security question only the recipient should be able to answer.

The lever — A shared secret. The whole security model rests on that answer being known only to the right person. But answers are often guessable, reused, or written down in an email — and a held transfer is a target sitting still, waiting for anyone who can answer.

The counter — If the recipient uses Autodeposit, there is no question and no pause — the money lands directly in their account and this step doesn't exist.

2The deposit link goes out by email or text

A notification — 'you've received an Interac e-Transfer, deposit your money' — is sent to the recipient's email or phone, the same channels a fraudster may already be watching.

The lever — Exposure of the notice. If the recipient's inbox is compromised, the fraudster sees the transfer arrive in real time. In a related phishing variant, the 'click to deposit' link itself is fake and leads to a counterfeit bank login page that steals credentials — RBC warns about exactly this.

The counter — A genuine Autodeposit transfer simply appears in your account with nothing to click. Never log in through a deposit link — open your bank's app yourself.

3Whoever answers first gets paid

The fraudster answers the security question before the real recipient does, and the funds are redirected into the scammer's account. Your intended recipient never receives them.

The lever — First-to-answer wins. Interac releases the money to whoever satisfies the question. There's no second check on identity at that moment, so the race goes to whoever has the answer — and a determined fraudster has often arranged to have it.

The counter — Remove the race: with Autodeposit there is no question to win. Failing that, use an answer no one can guess and share it through a separate channel, never in the transfer message.

If it happens, recovery is hard. Canada has no law forcing banks to reimburse money lost on a transfer you authorised, so it's decided case by case. CBC's Go Public has reported Canadians turned down after interception — including a woman who lost $7,000 through RBC after the system gave a fraudster repeated attempts at her security question — with banks frequently pointing to a weak or shared answer as the customer's responsibility. And beware the follow-up: anyone who then calls offering to "recover" your money is almost certainly running the second scam.

What to do

1Turn on Autodeposit in your banking app. Interac says it bypasses the security-question step, and TD states auto-deposited funds can't be intercepted by a third party. This is the single most effective fix.

2If you must send to someone not on Autodeposit, choose a security answer that can't be guessed or found online — never a pet, a street, a team, or anything public — and don't reuse the same answer across transfers.

3Never put the answer in the same email or text as the transfer notification. Share it a different way, like a quick phone call, so a compromised inbox can't reveal both at once.

4Never log in through a "click to deposit" link. A real Autodeposit transfer needs no link — open your bank's app yourself, and forward a suspicious Interac message to phishing@interac.ca.

5If a transfer was intercepted, tell your bank immediately and report to the Canadian Anti-Fraud Centre — then see the full Canada reporting directory and recovery odds. Unsure about a message? Run it through our Scam Checker or send it to our free case review first.

From the field. What makes interception work is that nothing about it feels like a scam. You send money to a real person; no one phones you, no one threatens you, no link gets clicked. The failure is structural — a few quiet minutes where the money sits behind a secret that turns out not to be secret enough. That's why the answer isn't vigilance, it's design: turn on Autodeposit and the vulnerable step simply stops existing. The cruelty is in the aftermath, where the same banks that built the security-question system can turn around and call a guessed answer your fault. So close the gap before you ever need to argue about it. Send money in a way that has no question for a stranger to answer.

An e-Transfer or "deposit" message you're unsure about? Send it to us first.

Paste the message or the link. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure — before you tap anything.

Submit a free case review →Where to report a scam in Canada

Common questions about Interac e-Transfer interception

What is an Interac e-Transfer interception scam?

It's when money you send by e-Transfer is diverted before it reaches the person you meant to pay. When a transfer isn't set to Autodeposit, Interac holds the funds behind a security question and sends the recipient a link to "deposit your money." Whoever answers the security question first gets paid — and a fraudster who has guessed the answer, reused an old answer, or read it inside a compromised email inbox can answer first and redirect the money to their own account. CIBC describes exactly this: fraudsters "guess the correct security answer, use previous answers, or check for emails containing the security question and answer to redirect the funds." The recipient simply never receives it.

How do I stop my e-Transfers from being intercepted?

Turn on Autodeposit. Interac says Autodeposit "bypasses the email and security question and answer steps" — the money lands directly in the registered account, and TD states auto-deposited funds "cannot be intercepted by a third party." With no security question in the chain, there is nothing for a fraudster to answer. If you ever do send to someone not on Autodeposit, use a security question whose answer can't be guessed or found online, and never send the answer in the same email or text as the transfer notification — share it a different way, like a phone call.

Will my bank refund an intercepted e-Transfer?

Be realistic: Canada has no law forcing banks to reimburse money lost to a transfer you authorised, so it's case-by-case and at the bank's discretion. CBC's Go Public has documented Canadians refused reimbursement after interception — in one case a woman lost $7,000 through RBC after the system gave a fraudster repeated chances at her security question, and banks often point to a weak or shared security answer as the customer's responsibility. Report it to your bank the moment you notice, but don't count on getting it back. See our Canada guide for the full reporting process and the honest odds.

I got an email saying I have an e-Transfer to "click to deposit" — is it safe?

Treat it with suspicion. A common variant is a phishing email or text — "you've received an Interac e-Transfer, click here to deposit" — whose link goes to a fake bank login page that harvests your online-banking credentials. RBC warns about exactly this. A real Autodeposit transfer just appears in your account with no link to click. If you have to act on a deposit link, never log in through it: open your bank's app yourself or type the bank's address directly. You can forward a suspicious Interac message to phishing@interac.ca.

Sources & further reading

Claims here follow Interac's and the banks' own security pages (CIBC, TD, RBC), the Canadian Anti-Fraud Centre, and CBC's Go Public reporting on Canadian e-Transfer reimbursement. The diagram is illustrative, built from that guidance, not a captured real transfer.

An Interac e-Transfer isn't really sent to a person. It's released to whoever answers the security question first — and that's the gap every version of the scam slips through.