Modern scammers use psychology, not just tech—here’s how they work and what to do right now
Picture this: A Winnipeg grandmother picks up the phone late at night. It’s her grandson’s voice, panicked: “Grandma, I’m in jail after a car accident. I need $5,000 wired now—don’t tell Mom.” Her heart races; the voice is spot-on. She almost sends it. CBC reported similar AI voice-cloning scams targeting Manitoba families, in which scammers recreate loved ones’ voices from seconds of social media audio. Victims lose thousands because it feels real.
Scams aren’t just for the “gullible.” Recent data from the Canadian Anti-Fraud Centre shows Canadians lose more than half a billion dollars to fraud every year, a trend confirmed by the 2025 State of Scams report, which finds scam activity rising sharply across North America. Charities face fake donors draining accounts. Small businesses lose card details from hacked sites. Professionals get tricked into sending “urgent” payments to criminals posing as vendors or executives.
This scams 101 guide walks through the core tricks behind modern fraud and shows you how to train your brain—and your team—to pause and protect yourself, your organization, or your nonprofit.
Scams 101: What Counts As A Scam Now?
At its core, a scam is any scheme built on lies: someone pretends to be a person, organization, or opportunity they’re not, so they can steal money, data, or access.
Today, scams are:
- Personalized. Criminals scrape LinkedIn, Facebook, and websites to learn names, roles, and family details so their stories land.
- Tech-Enabled. AI writes polished emails, clones voices, and helps fake websites look real.
- Psychological. The real “tool” isn’t the computer—it’s emotions like fear, hope, embarrassment, and urgency.
That’s why scams 101 isn’t just about firewalls and antivirus. It’s about spotting the mind tricks that show up across phone calls, texts, emails, DMs, and even face‑to‑face conversations.
Once you learn the patterns, the details of each scam matter less. Whether you run a charity, manage a small team, or work solo, the same core moves show up again and again across age groups and income levels.
As security expert Bruce Schneier famously put it, “Amateurs hack systems, professionals hack people.”
The rest of this guide focuses on how those professionals try to hack you—and how to resist.
Urgency and Fear: “Act Now or Lose Everything!”

Scammers thrive on panic. They manufacture deadlines:
- “Your account freezes in 24 hours.”
- “Your grandkid’s in trouble—send cash now.”
- “Pay this invoice today or your shipment is cancelled.”
When your heart rate spikes, your brain shifts from thoughtful to reactive. That’s exactly what scammers want.
A CBC story highlighted a senior who heard her “grandson’s” AI-cloned voice claiming he was arrested. She nearly wired money before pausing. Businesses see the same pattern: fake “urgent invoice” emails right before year‑end, or “final notice” messages about supposed overdue taxes. Charities get “donor matching ends tonight” pleas from bogus accounts.
Red Flag Checklist
When something feels urgent, slow the moment down and look for these red flags:
If you spot even two of these in the same message, treat it as a likely scam until you’ve checked it independently.
What to Do
Breathe. Say something like: “I never make financial decisions on the spot. I’ll verify this and call back.”
Then:
- End the call or ignore the email.
- Look up the official phone number or website yourself.
- Contact the organization through that trusted channel and ask if the request is real.
Real organizations—including banks, CRA, and donors—give you time. Anyone who won’t is waving a bright red flag.
Authority Impersonation: “This Is Official”

Authority is powerful. Scammers know that if they sound “official,” many people will obey without thinking.
They pretend to be CRA, police, your bank, your IT department, or even your boss. On phones, AI voices make it chillingly personal—mimicking family members in “grandparent scams.” Emails come from “support@your‑bank.ca” via a cloaked link like [email protected].
Websites copy real login pages down to the logo, colours, and fonts.
CBC covered grandparent scams in Saskatchewan and Toronto, where AI voices fooled seniors into thinking their relatives were in crisis. Toronto police noted a surge in these scams by early 2026.
For organizations, the same psychology fuels Business Email Compromise (BEC) and CEO fraud. A staff member receives what appears to be an email from the Executive Director or CFO, requesting an urgent wire transfer, gift card purchase, or a change to vendor banking details. The sender line looks close enough to pass a quick glance. The subject line is urgent. The tone is firm.
The result can be tens or hundreds of thousands of dollars gone in a single afternoon.
For Businesses/Charities
If you manage money or donations, teach your team that:
- Executives and board members never bypass normal approval processes by email.
- Legit IT staff will not ask for passwords or MFA codes over the phone or through chat.
- CRA, Service Canada, and banks do not demand payment by gift card or crypto.
- Any email address that looks “almost right” (like an extra letter or number) is a warning sign.
When in doubt, pick up the phone and call the person using the number you already have on file—never the one in the message.
Safe Action
If something feels off:
- Hang up or stop replying.
- Redial the official number from the real website, your wallet card, or your records.
- Ask, “Did you really contact me about this?”
If the answer is no, you just dodged a scam.
Too Good to Be True: “You’ve Won Big!”

Some scams don’t scare you—they flatter you.
They offer free grants, guaranteed investment doubling, “exclusive” high‑return crypto deals, or “your donation gets matched 10x if you send it directly to this wallet.” Facebook and TikTok ads promise quick riches. Fake charities pop up within hours of a disaster to catch people in a wave of generosity.
For small businesses and nonprofits, scammers might pitch:
- “Government relief grants” that require a “processing fee.”
- Investment opportunities “only available to selected businesses.”
- Donor-matching programs that ask you to move donations off your usual platform “to avoid fees.”
Why it works: we all want good news and simple fixes. But real wins require effort and verification. There is no “click here for $10,000” button.
As the old saying goes, “If it sounds too good to be true, it probably is.”
Brain Train Tip
Before you let hope make the decision, ask: “Why me, right now, with zero strings?”
Then:
- Search for the offer on Canada.ca or through official government grant portals.
- Use CRA’s charity search to confirm any organization asking for donations.
- For nonprofits, confirm grants or donor matches through the funder’s official website or your usual funding platform.
If you can’t easily verify it from a trusted source, treat it as a training example for your personal scams 101 notes, not as an opportunity.
Secrecy and Isolation: “Keep This Quiet”

- “Don’t tell anyone—they’ll ruin it.”
- “Your boss asked that this stay between us.”
- “If you tell the bank, the offer is off the table.”
Scammers isolate you on purpose. If you talked to a spouse, coworker, board member, or friend, they’d probably say, “Wait, this doesn’t sound right.” So the scammer frames secrecy as smart, loyal, or necessary.
Watch for lines like:
- “You’re the only one I can trust with this.”
- “If this gets out, it could cost me my job.”
- “Compliance will delay this, so let’s keep it between us.”
For charities, a classic risk is a lone volunteer or staff member handling a “private” large donation, grant, or bequest and being asked to bend normal rules “for confidentiality.” In some cases, that’s how internal theft happens. In others, it’s how external scammers extract money from your organization without anyone else knowing.
CBC stories about family scams show the same script: victims are told not to tell other relatives to avoid “embarrassing” the caller or to keep them “out of trouble.”
Counter
Make “no secret money decisions” a rule at home and at work.
- If someone tells you not to loop in others, treat that itself as a red flag.
- For organizations, require at least two people to sign off on any unusual payment, new vendor, or large donation paperwork.
Loop in one trusted person immediately. Scammers hate second opinions because they break the spell.
Tech Tricks: AI, Deepfakes, and Sneaky Links

The tech side of scams is getting slick, but the goals are the same: get you to click, pay, or share data.
AI can clone voices from 30 seconds of audio (think TikTok, Instagram Reels, podcasts, or YouTube clips). Deepfake tools can create videos that look real enough at a glance. Hacked websites inject fake ads that redirect you to phishing pages. Emails and texts hide malware behind “update your info,” “open this invoice,” or “track your package” links.
Security company reports now describe pop‑ups that perfectly mimic antivirus alerts or operating system warnings—part of a broader surge in digital threats documented in Key Cyber Security Statistics, showing that social-engineering and phishing attacks account for the majority of successful breaches. They tell you to call a number or install “support” software so a fake technician can “fix” your device—for a fee, or for a chance to rummage through your files.
CBC reported rising AI use in fraud across Ontario and the Prairies. This isn’t sci‑fi. It’s a normal workday for many criminals.
Quick Fixes
You don’t need to be a security expert to block a big slice of tech‑based scams:
- Turn on multi-factor authentication (MFA) everywhere you can, especially email, banking, and cloud tools. Even if someone steals your password, they’re blocked.
- Before you click any link, hover over it (on desktop) or long‑press (on mobile) to see where it really goes. If it doesn’t match the text or looks odd, don’t click.
- Keep a basic antivirus or security suite running, and let your browser warn you about sketchy sites and downloads.
- Use a reputable password manager (such as Bitwarden or 1Password) so you don’t reuse the same password across many sites.
Simple Flowchart for Any Scam
| Step | Your Pause Question | Safe Next Step |
|---|---|---|
| Get a suspicious contact | Is this rushed or too good? | Pause for 5 minutes |
| Voice/email claims authority | Is this normal for them? | Hang up or reply “verifying” and stop |
| Urges secrecy or money | Can I check independently? | Call a known number; search CRA or gov |
| Tech alert or link | Is this an official source? | Type URL manually; scan your device |
If at any step you can’t confidently answer “yes, this is normal and verified,” treat it as a scam and walk away.
Common Scam Types Hitting People, Businesses, And Charities
Beyond the psychological tricks, some scam formats recur. Getting familiar with them is a key part of scams 101.
For Individuals
Every day, Canadians are hit with:
- Phishing emails and smishing texts pretending to be from banks, delivery companies, or streaming services, asking you to “log in” on a fake page.
- Romance scams, where someone builds a relationship online over weeks or months, then suddenly faces a “medical emergency” or “travel problem” that needs money.
- Tech support scams, where a pop‑up or caller claims to be from Microsoft, Apple, or your internet provider and wants remote access to your device.
- Investment and crypto scams, which show fake dashboards with “profits” to encourage more deposits before the site disappears.
If the request involves secrecy, pressure, or odd payment methods (gift cards, crypto, wire transfers), it belongs in your mental scams 101 folder—filed under “avoid.”
For Businesses And Professionals
Organizations are prime targets because they move larger amounts of money.
Common attacks include:
- Business Email Compromise (BEC) and CEO fraud. A fake or hacked email account sends instructions for urgent payments or gift card purchases. Because it appears to come from a leader, staff feel pressured.
- Invoice and payment redirection fraud. A criminal sends a convincing invoice for services never provided or slips a small change into a real vendor’s banking details. Accounts payable then sends the payment to the wrong account.
- Ransomware. Malicious software encrypts your files and demands a ransom in cryptocurrency to restore them. For small businesses and nonprofits, downtime and data loss can be devastating.
- Fake recruitment or HR messages. Scammers pose as recruiters, ask for personal data for “background checks,” or send fake checks that lead to losses when they bounce.
The scams 101 lesson for organizations: treat any request that changes where money goes or how you pay as suspicious until verified with a trusted contact.
For Charities And Nonprofits
Nonprofits face all of the above, plus a few special twists:
- Fake donor or grant offers that require “processing fees” or push you off your normal donation platform.
- Fraudulent fundraising pages that copy your logo and story to collect donations in your name.
- Internal fraud, where a volunteer or staff member misdirects donations or expenses, often using secrecy and rushed timelines.
Defences don’t have to be complicated: clear approval processes, dual signatures on large payments, regular board reviews, and a culture where talking openly about near‑misses is encouraged.
Phishing, Smishing, And Vishing: How Messages Reel You In
Phishing is one of the most common vehicles for modern scams. It shows up in three main flavours:
- Phishing (email)
- Smishing (SMS/text)
- Vishing (voice/phone)
Underneath, they follow the same basic pattern.
- The Bait. You receive a message that looks legitimate and triggers emotion: a “suspicious sign‑in attempt,” an “urgent invoice,” or a link to view an “important shared document.” The sender line and branding look close enough to the real thing.
- The Hook. There’s a clear call to action: click a link, open an attachment, call a phone number. The link typically leads to a pixel‑perfect copy of a real login page. The attachment may contain malware.
- The Catch. If you enter your password on the fake page, the scammer captures it. If you open the wrong file, malicious code installs quietly. From there, criminals can log in to your email, reset other passwords, or move deeper into your organization’s systems.
A few extra telltale signs:
- The sender address doesn’t quite match the real domain.
- The greeting is very generic (“Dear Customer”) or oddly formal for the person.
- The message threatens bad consequences and offers an easy fix “just by clicking.”
Adding AI to the mix makes phishing harder to spot: fewer typos, better grammar, and convincing personalization—challenges explored in research on preventing and mitigating fraudulent interactions online, which highlights how AI-enhanced deception is increasingly difficult for individuals to detect without structured verification habits. That’s why habits—pausing, hovering over links, verifying through your own channels—matter more than ever.
Train Your Brain: Habits That Stick
Scams exploit instinct. You can’t eliminate emotions like fear or excitement, but you can build habits that slow things down just enough to think clearly.
Start small. Pick one or two behaviours from this section and practice them until they’re automatic.
- The 3 Questions Habit. Any time money, passwords, or personal info are involved, quietly ask yourself:
  - Am I rushed?
  - Is this normal for this person or organization?
  - Have I verified using my channel (not the one they gave me)?
- Family Code Word. Agree on a silly phrase (like “blueberry pancakes”) that only real relatives know. If a family member calls in crisis, you ask for the code word. If they don’t know it, you hang up and call them back on their regular number.
- Pause Script. Many people freeze when put on the spot. Having a script ready helps. Practice saying: “I never decide about money on the spot. I’ll check this and get back to you.” Say it out loud a few times so it rolls off your tongue when you need it.
- Group Practice. For businesses and charities, add a 2‑minute “near‑miss” share to regular team or board meetings. Someone briefly describes a shady email, call, or message they got and how they handled it. This normalizes talking about scams and turns every attempt into free training.
Fridge-Ready Checklist
Print or share this as a quick reference for your household or team.
| Situation | Red Flag | Do This Now |
|---|---|---|
| Urgent family call | Voice matches perfectly | Hang up; text or call their real number from your contacts |
| Bank/CRA email | Asks for codes or passwords | Ignore the link; go to the official site or app directly |
| Donation/grant offer | Pressure plus secrecy | Verify at canadahelps.org, the donation platform your charity uses, or CRA |
| Pop-up alert | Tells you to “call this number” | Close the tab or browser; run an antivirus scan |
| Unusual invoice | New banking details or urgency | Call the vendor or executive using a known phone number to confirm |
If everyone around you uses the same simple scams 101 checklist, you dramatically cut the odds of a successful attack.
Stronger Defences For Your Organization
Technology matters, but people and processes are just as important—especially for small businesses and nonprofits with limited IT support.
Technical Basics (No Jargon Required)
Even modest steps can go a long way:
- Turn on MFA for all email accounts, cloud tools, and financial systems.
- Keep computers, phones, and key software updated so known security holes get patched.
- Use reputable email filters and antivirus tools to catch obvious phishing attempts and malware before anyone sees them.
- Back up important data regularly to a secure, separate location so a ransomware hit doesn’t wipe everything out.
Think of this as locking the front door. It doesn’t stop every possible break‑in, but it makes you a harder target.
Smart Processes Around Money And Data
Set simple rules so no one has to “guess” what’s okay:
- No single person can create and approve a large payment on their own.
- Any request to change banking details for vendors, staff, or donors must be confirmed by phone using a number already on file.
- Put clear data-handling rules in writing: who can access donor lists, client records, or payroll details, and how they’re stored and shared.
- Keep an incident log where staff can record suspicious contacts and near‑misses, making patterns easier to spot.
For a charity or small business, these kinds of low‑tech controls are some of the strongest anti‑fraud tools you can have.
Your Human Firewall
People are your best defence—and sometimes your weakest link.
- Offer short, regular awareness sessions about common scams, not just once-a-year policy briefings.
- Share real examples that have targeted your sector or region. They’re more memorable than generic warnings.
- Make it safe to say, “I clicked something weird,” without blame. Early reporting often limits the damage to a minor headache instead of a crisis.
Think of this as practical, ongoing scams 101 training for your entire organization.
If You’re Scammed—or Think You Are
Even careful, tech‑savvy people get caught. Shame and silence help scammers more than anything else. If you think you’ve been hit, act quickly and methodically.
- Stop All Contact. Don’t reply, don’t argue, and don’t try to get your money back from the scammer. Block their numbers and email addresses.
- Contain The Damage.
  - Change passwords on affected accounts (starting with email and banking).
  - Turn on MFA if it wasn’t already enabled.
  - If a device might be infected, disconnect it from Wi‑Fi and run a full security scan.
- Contact Financial Institutions. Time matters. Call:
  - Your bank or credit union’s fraud line.
  - Your credit card company if card details were shared.
  - The gift card issuer, if you paid with gift cards; they may be able to freeze unused funds.
  - The wire transfer service, if you sent a transfer; ask if it can be stopped.
- Report Officially. Report to:
  - Canadian Anti-Fraud Centre: antifraudcentre.ca or 1‑888‑495‑8501
  - Your bank/telecom (they may reverse charges or flag accounts)
  - Local police for significant losses
  - If sensitive personal information (like a SIN) was exposed, consider contacting Equifax and TransUnion to place a fraud alert on your credit file
  - If your organization lost client, donor, or employee data, you may also need to report the loss to the Office of the Privacy Commissioner of Canada and notify affected individuals.
- Preserve Evidence. Keep:
  - Emails, texts, and DMs
  - Screenshots of profiles, ads, or websites
  - Receipts, bank records, and gift card numbers
  - Names, phone numbers, and email addresses used by the scammer
You are not alone—even smart, cautious people get hit. Scammers are professionals at manipulation. Talking about what happened is part of your recovery and may prevent someone else from losing their savings or their nonprofit’s operating budget.
Use this scams 101 guide as a living resource: share it with your family, your team, and your board. Update your own checklists as you see new tricks.
This article was inspired by the Stand Against Scams campaign and, sadly, by the experiences of individuals from my circles.