Jun 22, 2026
She had never once logged in. No apps, no online portal, no password to remember — just phone calls and direct mail, the way she’d always done things.
Which is why it was so alarming when her wealth management firm sent her a letter asking whether she’d recently changed her email address and her linked bank account.
Advertisement
She hadn’t.
During a call to The Ramsey Show, Jean, 84, discovered that someone had stolen her identity to open a chequing account at another bank. The scammers then used that fraudulent account to electronically link to her wealth management account and drain US$45,500 (C$61,400) from a balance of US$169,790 (C$229,200). By the time the firm attempted to reverse the transaction, the money was gone.
“I think that’s on them,” Dave Ramsey said on the show, pointing out that it was the firm’s own systems that were compromised.
Ramsey went further, noting that the firm had apparently allowed someone to change Jean’s email address and linked bank account — sensitive security details — without triggering any verification with the actual account holder.
“Cybersecurity at a minimum is horrible at this company,” Ramsey added.
What Canadian law and regulations actually say
While this incident occurred in America, Ramsey’s instinct — that the firm bears responsibility — aligns with Canadian regulatory expectations. In Canada, investment dealers and mutual fund dealers are overseen by the Canadian Investment Regulatory Organization (CIRO), the national self-regulatory organization formed in 2023.
CIRO’s 2026 Annual Compliance Report makes clear that dealers are required to report cybersecurity incidents that meet certain criteria and to implement necessary controls to protect their clients. The report specifically warns of an increase in incidents involving third-party service providers and encourages dealers to review whether they have the necessary controls in place to protect clients, client information and assets, as well as their own critical operating systems.
Advertisement
Beyond cybersecurity obligations, CIRO’s know-your-client (KYC) rules and client identification requirements (IDPC Rule 3200) require investment dealers to verify client identity and take reasonable steps to confirm the accuracy of account information. That means a firm that allows sensitive security details — an email address or a linked bank account — to be changed without direct verification from the account holder may have fallen short of its regulatory obligations.
In Jean’s case, if her wealth management firm allowed someone to change those credentials without confirming the request with her directly — and then released funds to the new account — it may have created grounds for a demand for reimbursement.
Is your retirement fund leaking? Secure your future today. Silent fees and stagnant interest can push your retirement date back by years. See how moving your savings to a high-interest account can help you retire sooner and with more confidence.
Must Read
- Warren Buffett used these 4 solid, repeatable money rules to turn $9,800 into a $150B fortune. Here’s how to apply them to your own life
- Stop the leak: 5 costs Canadians (still) overpay for every single month. How many are sabotaging your 2026 budget?
- Three in four Canadians say their insurance premiums have increased in the last two years. Compare 20+ quotes on Rates.ca and save up to 20% when you bundle home and auto
Join 19,000+ readers and get Money.ca’s best stories and exclusive interviews first — clear insights curated and delivered weekly. Subscribe now.
What to do if this happens to you
Ramsey’s first directive to Jean was clear: before doing anything else, call the firm to confirm the remaining balance is secured. Then demand reimbursement on the grounds that the account was compromised through the firm’s own security failure.
For Canadians, if the firm resists, the next step is to file a complaint with the Ombudsman for Banking Services and Investments (OBSI).
OBSI is Canada’s independent, free dispute resolution service for consumers who can’t resolve a complaint directly with their investment firm or bank — there are no filing fees and no complex legal process to start. OBSI investigates complaints about unauthorized transactions and fraud and, where a complaint has merit, can recommend compensation of up to C$350,000. The process typically resolves within 180 days.
Advertisement
Canadians also have the option of filing a complaint directly with CIRO, which can investigate possible violations of dealer rules and impose disciplinary action.
For broader identity theft reporting, the Canadian Anti-Fraud Centre (CAFC) maintains an online reporting portal at antifraudcentre-centreantifraude.ca.
A growing crisis for older Canadians
Jean’s situation is not isolated. It is part of a pattern that is accelerating — and for Canadians, that falls hardest on the older generation.
According to the CAFC’s 2025 Annual Statistical Report, Canadians reported C$704 million in fraud losses in 2025 — nearly four times the $165 million recorded in 2020. Identity fraud was the most reported type, at 8,403 incidents, followed by investment scams at 4,409. However, because most fraud goes unreported, the CAFC estimates that those figures represent only 5 to 10% of total actual losses, suggesting the real toll could reach into the billions.
Canadians aged 60 and older are a prime target for fraudsters. An additional report from the CAFC found that this demographic absorbed 40.3% of all reported dollar losses in 2024 — despite representing roughly 23% of the population. Their average per-victim loss was C$21,604, about $3,000 higher than the national average across all age groups.
As Ramsey and co-host Jade Warshaw noted on the show, whoever targeted Jean had enough of her personal information to open a new bank account, locate her wealth management firm and successfully link the two. That level of access suggests the threat to her other accounts may not have been over.
Advertisement
For older Canadians managing retirement savings — RRSPs, TFSAs, non-registered investment accounts or any other wealth management holdings — the message is the same: you don’t need to be online for your accounts to be at risk.
Protect your credit — with an important Canadian caveat
In the U.S., Ramsey advised Jean to immediately freeze her credit at all three bureaus — Equifax, TransUnion and Experian. In Canada, as of now, the options are more limited, but steps can still be taken.
Canada has two credit bureaus: Equifax and TransUnion. A full credit freeze — which prevents lenders from accessing your credit file to open new accounts — is currently only available to residents of Quebec, where legislation has required it since February 2023. Ontario regulations allowing credit freezes are set to take effect on July 1, 2026, with the credit bureaus having an additional year to fully implement the requirements. Other provinces are expected to follow.
For Canadians outside Quebec, the available option is a fraud alert — a flag on your credit file that prompts lenders to take extra verification steps before approving new credit. Fraud alerts can be placed at both Equifax (equifax.ca) and TransUnion (transunion.ca) at no charge. Placing an alert at one bureau does not automatically apply it at the other; they must be contacted separately.
Anyone who suspects their identity has been compromised should also monitor all existing accounts for unauthorized activity and contact each financial institution directly.
What Canadians can do right now
If you’re a Canadian investor — particularly one who manages accounts offline, as Jean did — here are concrete steps to protect yourself and actions to take if you’re already a victim:
- Call your firm immediately. If you suspect unauthorized access, confirm your remaining balances are secure and demand the account be locked down until the situation is investigated.
- Demand reimbursement from the firm. If the breach happened through the firm’s own systems or a failure to verify account changes with you directly, the firm may owe you restitution.
- Escalate to OBSI if the firm won’t cooperate. The OBSI (obsi.ca) is free, independent and can recommend compensation up to C$350,000. You do not need a lawyer to file.
- File a complaint with CIRO. Report the firm’s conduct to the Canadian Investment Regulatory Organization (ciro.ca). CIRO can investigate regulatory violations and impose disciplinary action on members.
- Report the fraud to the CAFC. The Canadian Anti-Fraud Centre (antifraudcentre-centreantifraude.ca) tracks identity theft and investment fraud patterns. Reporting helps law enforcement and may support your case.
- Place a fraud alert on your credit files. Contact Equifax (equifax.ca) and TransUnion (transunion.ca) separately to flag your files. Quebec residents can request a full credit freeze. Ontario residents can do so starting July 1, 2026.
- Ask your firm about security verification options. Request that any changes to your contact information, email address or linked bank accounts require direct confirmation with you — by phone or in person, not just online.
You May Also Like
- This 7-step plan from Dave Ramsey is designed to help you ditch debt, save more and build wealth — here’s how it works
- Prioritize these 4 critical investments and watch your net worth skyrocket
- Focus on these 3 ‘magic numbers’ to become a millionaire — and only on these numbers. How do you stack up?
- Millionaires under 43 are reshaping investing — just 25% of their portfolios are in stocks. Here’s where their money is going
With a writing and editing career spanning over 15 years, Emma creates and refines content across a broad spectrum of industries, including personal finance, lifestyle, travel, health & wellness, real estate, beauty & fitness and B2B/SaaS/tech.
