I am sure, especially nowadays, that we have all received a fraudulent voice call at some point. And if not an outright fraud call, it is someone impersonating a legitimate organization to demand your immediate attention. Threat actors will use any and all available means to extract sensitive data through social engineering. Recently I received a phone call that turned out to be a vishing attempt. The threat actor on the other end displayed some glaring red flags before the conversation could progress to anything significant. Because of how it all played out, I decided to write this post to help others identify key details that can differentiate a genuine phone call from an attempt to steal your personal information.

Prior Context

Typically, if a phone call does not display caller ID, I let the individual leave a voicemail and respond at a later time. This not only keeps me from wasting time, but makes me appear as a non-responsive number to spam callers; answering confirms I am a live target, effectively flagging me as an active responder. It was a combination of circumstances that led me to pick up in the first place. At the time, I was in email correspondence with Canada Post regarding the delivery of a package. So when I received a call whose caller ID displayed “Canada Post,” I felt inclined to answer. This was my biggest mistake, and it reminded me how easy it is to be manipulated.

Initial Contact

The caller opened by stating he was calling from the Canada Post Investigation Unit. He provided his employee number followed by his name, “David Tice.” The purpose of the call, he explained, was to address a suspicious package flagged with my home address as the destination. Upon inspection, authorities had reportedly found what appeared to be, as he described, “stacks of cash wrapped in duct tape.” He used my full name and stated that someone by the last name of “Maxico” was the initial sender.

Within the first twenty seconds of contact, David had established authority through a government-adjacent program, leveraged what was likely publicly available information to demonstrate “extensive research” into my background, and framed the situation as an urgent matter requiring my immediate cooperation.

My first response was confusion, as I had not purchased anything recently across the border. And who wraps cash in duct tape? Since “David” mentioned the sender was from Boston, I assumed the money would be in American currency. Wrapping paper bills in duct tape seems, how to formally say, counterintuitive.

David's Most Detrimental Error

This is where I feel David made his gravest error. He began to explain that the sender, “Maxico,” had obtained my information and opened seven separate bank accounts under different institutions across the country. He then asked me to verify which was my real bank account in order to “eliminate the others.” Strange that a postal service would be concerned with my banking. This is where I stopped, out of near disbelief. The conversation, albeit paraphrased, went:

---

Me: “Wait, David, why would you, a Canada Post employee, need my banking information? That would have nothing to do with you.”

David: “Sir, are you seriously questioning my authority as a Canada Post Investigation Unit detective? I have already provided you with my verification information. I suggest someone who is under investigation refrain from asking silly questions.”

---

And that was it. That is exactly what I needed to confirm the suspicion I already had. His tone and delivery changed dramatically the moment I questioned what he knew and how he knew it. By responding aggressively, he was attempting to re-establish the authoritative control he held at the start of the call. It is a classic social engineering recovery tactic.

But just from that one reply, consider a few points:

• Providing an “employee number” over the phone does not validate or authenticate your identity in any meaningful way.
• I asked a genuine, valid question: why would two completely separate services attempt to cross-access each other’s sensitive data (Canada Post to a bank)?
• Why the sudden hostility? Legitimate organizations do not train their representatives to respond aggressively to reasonable customer inquiries.

The Escalation

My question changed the entire dynamic of the call. Rather than focusing on the package from the outset, David was now more concerned with escalating the matter to his senior advisor, to whom I was then transferred.

The sound of a microphone unmuting and background chatter greeted me before David’s manager, “Gary Lopez”, took over. I was told that my lack of cooperation would be detrimental to my case. At this point, I was fully aware this was not a legitimate concern; these individuals were attempting to extract whatever personal information they could. So I told Gary he could have someone call me if there was a real issue (admittedly a poor decision on my part, as it kept the line of contact open). Gary became increasingly hostile when I continued to question the legitimacy of the call. He then told me his boss, who worked remotely, would call me directly to explain, at which point I simply hung up.

David and Gary, I presume, called my number back three separate times following the initial call. I did not answer any of them. The final call appeared on my phone with a caller ID pointing to the Ontario Provincial Police. Again, I did not pick up. After that call from the “police,” I received no further contact.

After the Phone Calls

Anyone who has received a fraud call has probably felt the urge to call back and seek some form of payback. Instead, a far more effective option is to submit a report to the Report Cybercrime and Fraud portal, maintained by the Canadian government. This gives you the opportunity to document and report phone numbers, names, and any other useful information gathered from the interaction. That data can potentially be used to identify and disrupt threat actors. The portal works in collaboration with organizations such as the Royal Canadian Mounted Police (RCMP), the National Cybercrime Coordination Centre (NC3), and the Canadian Anti-Fraud Centre (CAFC). Inter-agency collaboration is not just useful, it is essential for the continued development of effective cybercrime detection and prevention. Contributing to this portal is directly helping the cause.

Key Takeaways

Based on this experience, here are the takeaways I think are worth keeping in mind:

1. Caller ID can be spoofed. The “Canada Post” caller ID was fabricated. Caller ID spoofing allows attackers to impersonate legitimate organizations with minimal effort. Never use the number that contacted you to verify legitimacy. Always look up the official number independently and initiate the call yourself.

2. Recognize pretexting when you hear it. David constructed a believable scenario (a flagged package, suspicious cash, an ongoing investigation) to manufacture urgency and fear. This technique is called pretexting: building a false context to justify extracting sensitive information. The more elaborate the setup, the more suspicious you should be.

3. Authority and urgency are social engineering tools. David immediately established authority (employee number, investigation unit, full use of my name) and urgency (active investigation, serious allegations). These are deliberate pressure tactics designed to compress your decision-making time and bypass critical thinking.

4. No legitimate organization will ask for banking details during an unsolicited call. Canada Post has no operational reason to access your financial information. If the information being requested does not logically connect to the caller’s stated role, treat it as a red flag and terminate the call.

5. Hostility when questioned is a strong red flag. When I pushed back with a reasonable question, the tone shifted immediately from professional to aggressive. Legitimate representatives are trained to handle skepticism patiently. An attacker breaking character under scrutiny is a reliable signal that something is wrong.

6. Escalation to a “supervisor” is a scripted tactic. Being transferred to a more authoritative figure is designed to reset your trust and re-apply pressure. This is a standard step in the vishing playbook. Don’t let a title change override your instincts.

7. Report it, don’t engage it. Calling back or engaging further only confirms you are a responsive target. Instead, document the phone numbers, names used, timestamps, and any specific claims made, then submit everything to the appropriate fraud reporting authority.

Closing Thoughts

What struck me most about this experience was not how sophisticated the attack was, but how straightforward it was. David and Gary were not particularly skilled. The script they ran is one that has been used countless times, and it still nearly worked because the timing and context were right. That is the part worth sitting with. It is easy to assume you would immediately recognize a fraud call, but social engineering is designed to exploit the moments when your guard is down. The best defense is not just awareness in the abstract, it is building habits: letting unknown numbers go to voicemail, independently verifying any organization that contacts you, and knowing which questions to ask when something feels off. If this post helps even one person pause before handing over their information, it was worth writing.

AD.