Skip to main content
What Is Phishing?

Phishing is a common online scam designed to trick you into disclosing your personal or financial information for the purpose of financial fraud or identity theft.

Here’s How It Works

You receive an unsolicited email appearing to be from a legitimate company. A typical phishing email will give you a phoney reason, such as a security breach or contest, to trick you into providing your personal information.

The email will often include a reason that urges you to click on a link that takes you to a fake website.

That fake website will look authentic by copying the brand name and logo of the real company. This phoney site will ask you for personal information such as credit card numbers, account numbers, passwords, date of birth, driver’s license number, and social insurance or social security numbers.

While you may think you are giving your information to a valid company, instead you are providing it to a fraudster!

Why Did I Receive a Phishing Email?

You received a phishing email simply because your email address has ended up in the hands of a fraudster. Email addresses are easily obtained and shared on the Internet – just like phone numbers and mailing addresses.

So, these fraudsters need to do three things to be successful.

  • Target companies with large numbers of customers…the more, the better!
  • Send thousands of phishing emails in order to reach as many of these customers as possible (many of the emails are also received by non-customers).
  • Write the email messages in such a way as to trick people into revealing their confidential information.

Recognizing Phishing Emails

Phishing emails are becoming more sophisticated and can be tricky to spot. Being able to recognize phishing emails can help prevent you from becoming a victim.

Recognizing Fake Websites

A fake or “spoofed” website can look just like a company’s real site. Look for these telltale signs to help you spot a fake website. Ensure the address in your browser’s address bar begins with “https” when entering personal information. That means your information is being secured. If the address begins with only “http” do not enter any information on that website.

Malvertising Scams Cybercriminals are actively targeting people by taking out fake online advertisements to drive traffic to malicious websites. Known as “malvertising”, these attacks target the web search results of highly visited websites, including popular ecommerce sites and financial institutions like RBC. Fraudsters aim to trick users into divulging sensitive information before the search engines can remove fake ads. Be careful when clicking on any link and stay alert for fake websites.

Telltale Signs of Malvertising Scams Include

  • The ad text appears genuine, but when clicked the link takes you to a different URL.
  • When trying to sign in with genuine credentials, often there’s an “error message” and asking you to call for support.
  • When calling the (fraudulent) support number provided on screen, an agent asks for details like you client card number, password and verification questions – or to take over your computer remotely.
  • There is “urgent action required”.

Reporting it

If you believe your confidential information may have been stolen or obtained by a fraudulent party either online, by telephone or through any other means, call us immediately.

For phishing emails, please notify us by forwarding the suspicious email to for analysis. Please note that is an automated mailbox for reporting phishing and website fraud only – we are unable to provide responses from this mailbox. If you require a response, please direct your question through the phone numbers listed here.

To report fake websites masquerading as RBC company websites, send an email to with the subject “Fake RBC website.” Remember to copy the full URL (website address) into the body of the email.

To help you spot phishing emails and fake websites, see the tips under “Recognizing it“.

Protecting Yourself

Follow these tips to help you avoid falling victim to phishing scams:

Never provide your confidential or financial information over the Internet in response to unsolicited emails.

Play it safe! If you don’t know the source of an email or if it looks suspicious, do not open it.

Be cautious! Even if you recognize a sender’s email address, do not rely on that alone because addresses may be faked. Pay attention to the contents of the email and be careful of any embedded links.

Before you enter confidential or financial information online, check for the lock icon on your browser. Ensure the URL in the browser address bar starts with “https.” Remember though, if this is a link that is contained in an unsolicited email, it may still be a fake site so do not provide your confidential or financial information.

Never click on a link in an email that you suspect may be fake.

Be sure! If you are unsure whether you are on a legitimate website, reopen your internet browser and type the company URL in the address bar yourself.

Be alert! Just because an email or website appears to be from a legitimate company doesn’t mean it is. Phishing schemes are designed to look real to trick users into divulging personal information for the purpose of financial fraud or identity theft.

Verify any instructions for making payments included in an email to ensure they are legitimate. Always take additional steps to be certain of payment instructions. This can include confirming invoices with your suppliers through a different channel. For example, if you are contacted by email, it would be good practice to call the supplier to confirm using their known contact information.

Never share your security devices. Keep your Client and Business Client Cards, tokens, and other security devices in a safe place and do not reveal to anyone your card numbers, PINs, IDs, passwords, or token values.

Use security features. Implement all security features available e.g. for RBC Express online banking users set-up dual administration, two-factor authentication, and multiple approval rules. Review your account activity.