Wire Fraud and Business Email Compromise at Canadian Wealth-Management Firms


Last updated: May 2026 · Reviewed by Mike Pearlstein, CISSP

The costliest cyber incident at a wealth-management firm is rarely exotic. It is usually a redirected client transfer that began with a compromised or spoofed email. Here is exactly how the attack works, the one control that breaks it, and what a Canadian advisory firm has to do in the first hour after it happens.

CISSP-led · Canada’s 50 Best Managed IT (2024 & 2025) · Microsoft Solutions Partner · Canadian-owned, serving regulated SMBs since 2012
Key takeaways

  • Spear phishing and business email compromise drove $67.3 million in reported losses to the Canadian Anti-Fraud Centre in 2024, the second-largest fraud category after investment scams.
  • The attack rides a real, patiently watched email thread, not a clumsy phishing blast. The fraudster sends revised banking details at the exact moment a transfer is expected.
  • One process control stops it cold: out-of-band callback verification on any change to payment or banking instructions.
  • Multi-factor authentication and email-impersonation protection close the door the attacker came through, and a written 60-minute incident plan decides whether the money comes back.

How big is the wire-fraud problem for Canadian firms?

According to the Canadian Centre for Cyber Security, the Baseline Cyber Security Controls for small and medium organizations are a starting set spanning MFA, patching, backups, and incident response that aligns with CIS Controls v8.1.

According to the Canadian Anti-Fraud Centre, a large share of business losses comes from business email compromise, where a spoofed instruction moves client funds before anyone calls the bank, so a verified out-of-band callback on every wire is the single control that stops it.

Big, and concentrated in exactly the kind of work advisory firms do every day. The Canadian Anti-Fraud Centre recorded 108,878 fraud reports and more than $643 million CAD in reported losses in 2024. Spear phishing, the category that captures business email compromise, accounted for $67.3 million CAD of that, second only to investment fraud.

That figure understates the real scale. The CAFC estimates that only 5 to 10 percent of victims ever report, so the true loss to Canadian businesses is many times higher. South of the border the pattern is identical: the FBI’s 2024 Internet Crime Report tied business email compromise to US$2.77 billion in losses across 21,442 complaints.

Figure: Top Canadian fraud losses, 2024 (reported dollar loss, Canadian Anti-Fraud Centre). Investment fraud $310.6M; spear phishing / BEC $67.3M; romance scams $58.4M. Source: Canadian Anti-Fraud Centre, 2024 Annual Report.
Business email compromise sits second on the national loss table, and only a fraction of cases are ever reported.

How the attack actually works

According to Statistics Canada’s survey of cyber security and cybercrime, small and medium businesses absorb a disproportionate share of incident impact while running the leanest security teams.

Forget the broken-English phishing email. A modern business email compromise is patient and quiet. The attacker first gains access to a real mailbox, or registers a look-alike domain that reads correctly at a glance. Then they wait, reading the genuine conversation about a pending transfer or fee payment.

At the moment money is expected, they insert one believable message with revised banking details. The tone matches. The thread is real. Nothing about it trips the recipient’s instinct, because almost everything in it is genuine. The RCMP describes the same playbook: impersonate a trusted party, exploit a real payment, redirect the funds.

From the field
Every business email compromise case we have worked started the same way. A real, watched email thread with revised banking details arrived at the exact moment of a pending transfer. Never a clumsy blast. The hardest part for the firm afterward was accepting that the message looked completely normal.

The mechanics matter because they tell you where defence works. The attacker does not need to break encryption or defeat your firewall. They need one believable message to land at one vulnerable moment. That is a human and process problem first, and a technology problem second.

Why wealth-management firms are a prime target

As reported by Microsoft and CISA, multi-factor authentication blocks the large majority of account-takeover attacks, which is why it is the highest-leverage control most Canadian SMBs can deploy.

Advisory practices combine three things fraudsters love. You move client money on instructions that often arrive by email. You hold detailed know-your-client and banking records that make impersonation convincing. And client transfers are frequently large and time-sensitive, so urgency is built into the work.

There is a compliance dimension too. A redirected transfer is not only a loss. It can trigger client-information duties under PIPEDA and a conversation with your regulator about whether reasonable safeguards and supervision were in place. For the broader regulatory picture, see our guide to CIRO cybersecurity expectations for wealth firms.


What single control stops a fraudulent transfer?

Out-of-band callback verification. Treat any change to banking or transfer instructions as unverified until a person confirms it by phone, on a number from your own records, never a number or link supplied in the email. This one step breaks the attack even when the mailbox is fully compromised, because the fraudster does not control the client’s real phone line.

Everything else is defence in depth around that core rule. If you adopt only one thing from this article, write the callback rule down and make it non-negotiable. Writing it down is what turns a good habit into a control your auditor and your cyber-insurer will actually credit.

A callback-verification protocol you can adopt this week

Most firms already do callbacks informally. Formalizing the rule is what makes it reliable under pressure. This is the protocol we put in place for advisory clients:

  1. Treat any change to banking or transfer instructions as unverified until a person confirms it.
  2. Call the client back on a number from your own records or CRM, never a number or link supplied in the email.
  3. Read the destination account detail back and have the client confirm it verbally.
  4. Record who verified the change, when, and how, in the client file.
  5. For transfers above a set threshold, require a second staff member to sign off before funds move.
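As an added illustration, not Fusion Computing's code or any client's system, the five steps above encoded as a release gate: a changed instruction stays unverified until a callback reaches the number held in the firm's own records, the client confirms the destination read back, the verification is logged with who, when and how, and a second staff member signs off above an assumed CAD threshold. The client IDs, phone numbers and threshold are constructed.

```python
"""Release gate for a change to client banking instructions (added example,
not Fusion Computing's code). Client IDs, phone numbers and the CAD threshold
are constructed assumptions; the CRM lookup is represented by an argument."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SECOND_SIGNOFF_THRESHOLD_CAD = 25_000  # assumed firm threshold for step 5


@dataclass
class InstructionChange:
    client_id: str
    new_account: str                  # destination detail supplied in the email
    amount_cad: float
    verified: bool = False            # step 1: unverified until a person confirms
    verifications: list = field(default_factory=list)  # step 4: who/when/how
    approvers: set = field(default_factory=set)         # step 5 sign-offs


def normalize(phone: str) -> str:
    """Compare numbers on digits only so formatting differences do not matter."""
    return "".join(ch for ch in phone if ch.isdigit())


def callback_verify(change, crm_phone, dialled, read_back, staff, when=None):
    """Steps 2 and 3: the call must go to the number on record, and the client
    must confirm the destination read back to them. Returns the log entry."""
    if normalize(dialled) != normalize(crm_phone):
        raise ValueError("callback must use the number on record, not one from the email")
    if read_back != change.new_account:
        raise ValueError("client did not confirm the destination account read back")
    entry = {"who": staff,
             "when": (when or datetime.now(timezone.utc)).isoformat(),
             "how": f"callback to {normalize(crm_phone)}",
             "account": change.new_account}
    change.verifications.append(entry)   # dated record for the client file
    change.verified = True
    return entry


def approve(change, staff):
    change.approvers.add(staff)


def may_release(change) -> bool:
    """Funds move only after verification; above the threshold a second staff
    member, distinct from the verifier, must also have signed off."""
    if not change.verified:
        return False
    if change.amount_cad > SECOND_SIGNOFF_THRESHOLD_CAD:
        verifier = change.verifications[-1]["who"]
        return any(a != verifier for a in change.approvers)
    return True
```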

The written record in step four matters as much as the call itself. When a regulator or insurer asks how you prevent fraudulent transfers, a documented, dated verification log is the difference between a strong answer and an uncomfortable silence.

The technical controls that close the door

Process stops the fraudulent payment. Technology stops the mailbox compromise that makes the fraud possible in the first place. Three layers do most of the work.

Enforced multi-factor authentication on email and any system that touches money makes a stolen password far less useful on its own. Email-impersonation protection flags spoofed senders, look-alike domains, and auto-forwarding rules that attackers quietly set up to watch a thread. Staff awareness training keeps the human layer alert to the pattern, which is decisive when the message itself looks legitimate. Our security awareness training is built around exactly these scenarios.

Figure: Where each control breaks the attack. Four stages of a business email compromise and the defence for each: 1. Access (steal or spoof the mailbox): MFA. 2. Watch (read the real transfer thread): impersonation filter. 3. Request (send revised banking detail): staff awareness. 4. Payment (funds redirect to the attacker): callback verification. The callback at stage four is the control that works even if every earlier layer fails. Fusion Computing, defence-in-depth model for advisory firms.
Layered defence gives you four chances to stop one attack. The final callback is the one that holds when the others are bypassed.
From the field
When we review an advisory firm, the technical gap we find most often is not missing MFA on the main login. It is a forgotten mailbox rule. An attacker quietly set up auto-forwarding months earlier and has been reading transfer threads ever since. Reviewing forwarding and delegation rules takes ten minutes and surfaces compromises nobody noticed.
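An added example of the forwarding and delegation review described above, not Fusion Computing's tooling: it triages exported mailbox-audit records and flags inbox rules or mailbox settings that forward or redirect mail (highest severity when the destination is outside the firm), rules that delete messages to hide a thread, and full-access delegation. The four records are constructed samples shaped like Microsoft 365 unified-audit-log entries; the field names, firm domain and addresses are assumptions.

```python
"""Triage exported mailbox-audit records for forwarding and delegation changes.
Added example, not Fusion Computing's code. SAMPLE_LOG holds constructed records
shaped like unified-audit-log entries (assumed field names)."""
import json

# Parameters that make a third party a recipient of the mailbox's mail.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
DELEGATION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}
INTERNAL_DOMAINS = {"example-advisors.ca"}  # assumed firm domain

SAMPLE_LOG = [  # constructed sample records, one JSON object per line
    '{"Operation":"New-InboxRule","UserId":"advisor@example-advisors.ca","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"transfer;wire"},{"Name":"ForwardTo","Value":"archive-mailbox@example-mail.test"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"Set-Mailbox","UserId":"admin@example-advisors.ca","ClientIP":"198.51.100.2","Parameters":[{"Name":"Identity","Value":"ops"},{"Name":"ForwardingSmtpAddress","Value":"smtp:ops-shared@example-advisors.ca"}]}',
    '{"Operation":"New-InboxRule","UserId":"pm@example-advisors.ca","ClientIP":"198.51.100.2","Parameters":[{"Name":"Name","Value":"Move newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"Operation":"Add-MailboxPermission","UserId":"admin@example-advisors.ca","ClientIP":"198.51.100.2","Parameters":[{"Name":"Identity","Value":"advisor"},{"Name":"User","Value":"temp-contractor@example-advisors.ca"},{"Name":"AccessRights","Value":"FullAccess"}]}',
]


def domain_of(address: str) -> str:
    """Domain part of an address, tolerating an 'smtp:' prefix."""
    addr = address.split(":")[-1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(record_json: str) -> dict:
    """Return the actor, source IP and a list of (severity, message) findings."""
    r = json.loads(record_json)
    params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
    op = r.get("Operation", "")
    findings = []
    for name in sorted(set(params) & FORWARDING_PARAMS):
        dest = params[name]
        sev = "low" if domain_of(dest) in INTERNAL_DOMAINS else "high"
        findings.append((sev, f"{op}: {name} -> {dest}"))
    if op in RULE_OPS and params.get("DeleteMessage") == "True":
        findings.append(("high", f"{op}: rule deletes messages (hides the thread)"))
    if op in DELEGATION_OPS:
        findings.append(("medium",
                         f"{op}: {params.get('AccessRights')} granted to {params.get('User')}"))
    return {"user": r.get("UserId"), "ip": r.get("ClientIP"), "findings": findings}


def review(log_lines):
    """Only records with at least one finding need a human to look at them."""
    return [t for t in map(triage, log_lines) if t["findings"]]
```

Any "high" finding against a mailbox that handles transfers is the cue for step four of the incident plan: preserve the logs, then reset credentials and remove the rule.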

What should a firm do in the first 60 minutes?

Move fast and in a fixed order. Speed decides whether the funds are recovered, and a recall has the best odds in the first hours. A short written plan that names who does each step saves the time that matters most:

  1. Call the receiving and sending banks’ fraud lines immediately to attempt a recall of the transfer.
  2. Report to the Canadian Anti-Fraud Centre and to local police.
  3. Preserve the relevant emails, full headers, and sign-in logs before anything is deleted.
  4. Reset the compromised mailbox password and revoke active sessions, app passwords, and forwarding rules.
  5. Notify the affected client, and assess whether a privacy-breach report to the Office of the Privacy Commissioner or a CIRO notification is required.

A firm that has rehearsed these five steps, even once around a table, recovers faster and demonstrates the diligence a regulator and an insurer expect to see.

What do you have to report, and to whom?

It depends on what was exposed. A pure financial loss with no client data exposed is reported to the banks, the CAFC, and police. If client personal information was accessed, PIPEDA breach-reporting duties to the Office of the Privacy Commissioner may apply where there is a real risk of significant harm.

Firms regulated by the Canadian Investment Regulatory Organization should also weigh their own notification and recordkeeping duties. When in doubt, document the assessment and the decision, because the reasoning itself is evidence of diligence.

Vendor exposure is a related blind spot. If a fraud reaches you through a third-party platform or a partner’s compromised mailbox, your third-party risk posture is part of the story your regulator will want to understand.

How we would set this up

In our experience across advisory engagements, the firms that never lose a transfer are not the ones with the biggest security budget. They are the ones with a written callback rule and a team that follows it.

For a firm without an internal security lead, we anchor on that rule, enforce MFA across email and money-movement systems, turn on impersonation protection, audit mailbox forwarding and delegation, and write a one-page incident plan the team can actually follow.

That package addresses the threat that costs the most, for a fraction of what a single redirected transfer would. It is the core of our managed cybersecurity work for regulated firms. The federal Get Cyber Safe program publishes the same baseline controls for Canadian organizations.

Frequently asked questions

What is business email compromise?
A fraud where an attacker compromises or spoofs an email account to redirect a payment, typically by sending revised banking details during a real transfer conversation. Spear phishing and business email compromise drove $67.3 million CAD in reported losses to the Canadian Anti-Fraud Centre in 2024.
How do wealth firms prevent fraudulent transfers?
Verify any change to transfer or banking instructions with an out-of-band callback to a known client number from your own records. Add enforced multi-factor authentication, email-impersonation protection, and staff awareness training so the mailbox is harder to compromise in the first place.
What is out-of-band callback verification?
Confirming a payment change through a separate channel from the one the request arrived on. If the instruction came by email, you verify by phoning the client on a number you already hold, never a number supplied in the email. It works even when the mailbox is compromised.
What should a firm do if it suspects a fraudulent transfer?
Contact both banks’ fraud lines immediately to attempt a recall, report to the Canadian Anti-Fraud Centre and police, and preserve the relevant emails and sign-in logs. Then reset the compromised mailbox and revoke forwarding rules. A written incident plan that names responsibilities speeds every step.
Do we have to report a wire-fraud incident to a regulator?
It depends on what was exposed. Financial losses go to the banks, the CAFC, and police. If client personal information was accessed, PIPEDA breach reporting to the Office of the Privacy Commissioner may apply where there is a real risk of significant harm, and CIRO-regulated firms should weigh their own notification duties.
How common is business email compromise in Canada?
It is among the largest sources of business fraud loss. It ranked second on the Canadian Anti-Fraud Centre’s 2024 loss table, and the agency estimates only 5 to 10 percent of victims report, so the real total is far higher than the recorded $67.3 million.
Will multi-factor authentication alone stop wire fraud?
No. MFA makes the mailbox much harder to compromise, but a determined attacker can still spoof a look-alike domain or exploit a session. That is why the callback rule on the payment itself is essential. The two controls cover different stages of the attack.
Is Fusion Computing the same as Fusion Cyber Group?
No. Fusion Computing Limited and Fusion Cyber Group (fusioncyber.ca) are separate businesses with similar names. Fusion Computing was founded in 2012 in Toronto, is Canadian-owned, and is led by CISSP-certified CEO Mike Pearlstein.

Talk to Fusion about your firm’s security

If your firm wants a security-first managed IT partner that understands CIRO expectations and protects client money and data, talk to us. We will review your current posture and show exactly where the evidence gaps are before they cost you a transfer.


About the author
Written by Mike Pearlstein, CISSP, founder of Fusion Computing, a Canadian managed IT and cybersecurity provider serving regulated SMBs since 2012.


Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.