With tax season looming, cyber criminals are gearing up to take advantage of unsuspecting Canadians by posing as the Canada Revenue Agency (CRA), often requesting personal information or money in exchange for alleged overdue fees. These deceptive emails are often so-called phishing scams, a type of online identity theft often used by criminals to trick users into handing over personal data and online passwords.
Many cyber criminal organizations will pose as the Canada Revenue Agency (CRA) in the form of an email where the subject line reads “Tax Return File Overdue,” alleging one of more of the user’s tax returns are overdue or incomplete. The email then instructs the user to follow a link to find detailed information about money they may owe to the government. The link takes the user to a webpage that looks almost identical to the CRA’s website and asks them to fill out their personal information, including their credit card number, expiry and security code, as well as their social insurance number. However, a close look at the URL (which is the website address) reveals the user is not on the agency’s official website – which is a classic warning sign of a phishing scam.
Many scams targeting taxpayers is not new; so-called CRA scams began popping up in 2013 and have become a popular tool for defrauding people by phone or email. The scam phone calls that take place are quite similar to the email scams. Someone claiming to be from the CRA calls and, in a conversation that starts out calmly enough, tells the victim that they have made an error on their tax return or neglected to file it. More concerning, the phone number may seem legitimate to those with caller ID. According to RCMP, the scammer then asks for financial or banking information to settle the alleged debt owed. With that in mind, in other email scams, fraudsters have sent notice of a tax refund, asking users to send their personal and financial information in order to receive it. Others have requested victims to buy iTunes gift cards in order to pay off their alleged debts. In one instance, a Calgary woman handed over nearly $20,000 in iTunes gift cards before police intervened.
Some ways to spot an income tax scam: After talking with a representative of the CRA they said that they will:
– Never ask you to provide your personal or financial information by email, text, or by clicking on a link.
– Never ask for information about your passport, health card, or drivers licence.
– Never share taxpayer information with another person.
– Never ask you to send payments using Interact e-transfer (they only request you send payments by direct deposit or cheque)
– Never requests payments by gift cards or pre-paid credit cards
Additionally, the CRA will only send you notification emails if you have subscribed to the service and the email will only advise the user to go into their secure tax account to see relevant information.
Additional advice would include:
Firstly – never be fooled by official names or logos. One of the most common ways that phishing scams will try to fool you is by using official company logos or insignias.
Secondly – take note of the email address and web address as it may look close to the company’s name, but is slightly altered or off by a letter.
Even though the sender’s name may clearly state “Canada Revenue Agency” the email address may not be a government email (which usually ends in “gc.ca”). Though, if the criminals are tech savvy enough this reply address can be spoofed or masked.
Thirdly – attackers will use a legitimate web address in the hyperlinked text of the email, but once you click on the link it takes you to a malicious website. To determine this, if you are working on a computer, you can hover your mouse over the link – without clicking on it – and a small yellow box will appear showing the actual web address. If the link doesn’t match the hyperlinked text, it’s likely malicious. If you are working on your smartphone and you tap to open the link, take a close look at the web address and see if it matches the webpage you are looking at.
Most often the fraudulent webpage is designed to look just like the CRA’s website, but the website address will never match. If you do receive what you believe to be a fraudulent email, you can report it to the Canadian Anti-Fraud Centre. The address is: http://www.antifraudcentre.ca