SAAQ chasing $1.5 million wired to fraudsters posing as IT vendor

Quebec’s public auto insurer has turned to the Ontario courts after losing $1.5 million in an apparent “spoofing” cyberscam.

In a statement of claim filed with the Ontario Superior Court of Justice in Toronto, the Société de l’Assurance Automobile du Québec (SAAQ) says that in early March, fraudsters tricked the insurer into sending two separate payments to a CIBC bank account in Sudbury, Ont., in the mistaken belief that the account belonged to an IT vendor it had recently retained for data management services.  

In addition to seeking damages and legal costs from the alleged fraudsters, SAAQ’s claim also asks for a court order to freeze the remaining funds in the CIBC account where the money was allegedly sent. SAAQ also seeks an order to obtain any records the bank holds about the account owners and their assets.  

According to SAAQ’s claim, which has not been proven in court, the fraudsters laid the groundwork for their heist back in December 2025, communicating with SAAQ via fake email addresses “designed to mimic the legitimate” addresses of the IT vendor.

In those original messages, the fraudsters, posing as the IT vendor, warned SAAQ they were planning to change their direct deposit information and requested details of pending payments owing to the IT company, citing an upcoming annual reconciliation and audit.

The fraudsters followed up in February this year, providing SAAQ with its new direct deposit details, supported by a void cheque from CIBC and a faked “letter of direction” that appeared to be on the IT vendor’s letterhead.

In early March – the precise dates are not specified in the claim – SAAQ then made two payments to the new bank account: one for $830 and another for $1.506 million.

Also in the news: New and improved benefits under Alberta’s Care-First auto reforms

The claim says SAAQ only discovered the scam on Mar. 11, when the public insurer issued a standard deposit notice to the IT vendor’s legitimate email address. In response, the IT vendor said it never received the money, and the bank account where it had been sent did not belong to them. SAAQ filed its legal action less than a week later, on Mar. 17.

Geneviève Côté, a spokesperson for SAAQ, said in a statement that the insurer is not anticipating any financial loss, due to its swift discovery of the fraud and prompt actions in response. While the legal proceedings continue, SAAQ will not be making any further comment, she added.  

Cyber claims in Canada went up by 102% over the course of 2025, according to a recent report by the cyber insurer Coalition.

Any increase in 2026 could be just as spectacular, if the experience of Rafaella Rullo is anything to go by.

Rullo, a lawyer in the Toronto office of law firm DWF Group, frequently assists clients with the recovery of funds lost in transfer frauds as part of her practice focusing on privacy and cyber security.

“We’ve seen a massive uptick, even within the last year. The primary reason is the fact that these attackers are becoming so much more sophisticated. It’s becoming increasingly difficult to pinpoint indicia of fraud,” she says. “Long gone are the days when you get a funny email written in Comic Sans with something very conspicuous.”

According to Rullo, the success of the recovery process depends largely on how quickly the victim can report the fraud to both their own financial institution and to the recipient’s.

“In my experience, the ‘safe window’ is usually about a 48-hour period,” she says, adding that smaller sums typically have a lower recovery success rate, because it is easier for fraudsters to move the money out of their account without raising suspicion.

Dave Oswald, the founder of Forensic Restitution, a fraud detection and recovery firm based in Oakville, Ont., says red flags should always be raised whenever a supplier asks to change their bank payment details.

“As soon as you have a request, pick up the phone and call someone at the supplier that you actually know, not just any number you see at the bottom of their message,” he says. “Ask them if they actually meant to change their bank account or if it’s a fraud attempt, in which case it will be stopped at that point in its tracks.”