With tax season looming, cyber criminals are gearing up to take advantage of unsuspecting Canadians by posing as the Canada Revenue Agency (CRA), often requesting personal information or money in exchange for alleged overdue fees.
These deceptive emails are often so-called phishing scams, a type of online identity theft often used by criminals to trick users into handing over personal data and online passwords.
Take, for example, this recent CRA email scam: The subject line reads “Tax Return File Overdue,” alleging one or more of the user’s tax returns are overdue or incomplete. The email then instructs the user to follow a link to find detailed information about money they may owe to the government.
The link takes the user to a webpage that looks almost identical to the CRA’s website and asks them to fill out their personal information, including their credit card number, expiry and security code, as well as their social insurance number.
However, a close look at the URL reveals the user is not on the agency’s official website – a classic warning sign of a phishing scam.
This type of scam targeting taxpayers is not new; so-called CRA scams began popping up in 2013 and have become a popular tool for defrauding people by phone or email, according to the RCMP.
The scam phone calls that take place are quite similar to the email scams. Someone claiming to be from the CRA calls and, in a conversation that starts out calmly enough, tells the victim that they have made an error on their tax return or neglected to file it. More concerning, the phone number may seem legitimate to those with caller ID.
According to the RCMP, the scammer then asks for financial or banking information to settle the alleged debt owed.
In other email scams, fraudsters have sent notice of a tax refund, asking users to send their personal and financial information in order to receive it. Others have asked victims to buy iTunes gift cards in order to pay off their alleged debts.
But these scams can be hard to spot. In one instance, a Calgary woman handed over nearly $20,000 before police intervened.
How to spot an income tax scam
“The Canada Revenue Agency (CRA) has noted an increase in telephone scams and advises Canadians to be vigilant,” a spokesperson told Global News. “We recognize that there is enormous financial impact on a person who falls victim to a scammer and that it is deeply upsetting to be scammed.”
The CRA will never:
– Ask you to provide your personal or financial information by email, text, or by clicking on a link
– Ask for information about your passport, health card, or driver’s licence
– Share your taxpayer information with another person
– Send payments using Interac e-transfer (they only send payments by direct deposit or cheque)
– Request payments by gift cards or pre-paid credit cards
Additionally, the CRA will only send you notification emails if you have subscribed to the service, and the email will only advise you to go into your secure tax account to see relevant information.
But, just in case, there are a few surefire ways to recognize a phishing scam email from a mile away.
First – never be fooled by official names or logos. One of the most common ways that phishing scams will try to fool you is by using official company logos or insignias. In some cases, the email address or web address may look close to the company’s name, but is slightly altered or off by a letter.
Take, for example, the email below. Though the sender’s name clearly states “Canada Revenue Agency,” the email address is not a government email (which usually ends in “gc.ca”).
This tip is especially important: Never click on a link included in a suspicious email – and, if you do, never enter any personal information on the webpage.
Often attackers will use a legitimate web address in the hyperlinked text of the email, but once you click on the link it takes you to a malicious website.
But, if you are working on a computer, you can hover your mouse over the link – without clicking on it – and a small yellow box will appear showing the actual web address the link will take you to. If the link doesn’t match the hyperlinked text, it’s likely malicious.
If you are working on your smartphone and you tap to open the link, take a close look at the web address and see if it matches the webpage you are looking at.
For example, the recent CRA scam we looked at took us to a webpage designed to look just like the CRA’s website, but the URL did not match at all.
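The two checks described above (a sender name that claims to be the CRA on a non-government address, and link text that differs from where the link really goes) can be automated; the following Python is an added example, not part of the original article. The sample message, the .example placeholder domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
OFFICIAL_SUFFIX = "gc.ca"  # per the article, government addresses usually end in "gc.ca"
# Constructed sample message; the .example domains are placeholders, not real indicators.
SAMPLE = """\
From: Canada Revenue Agency <notice@cra-refunds.example>
Content-Type: text/html

<p>Details: <a href="http://login.cra-refunds.example/form">https://www.cra-arc.gc.ca/overdue</a></p>
"""

def under(host, suffix):
    """True only for the suffix itself or a real subdomain, so cra-gc.ca does not pass."""
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

class LinkCollector(HTMLParser):  # collects (visible text, href) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_email(raw):
    """Return warnings for a raw single-part HTML message (assumed input format)."""
    msg, warnings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if re.search(r"canada revenue agency|\bCRA\b", name, re.I) and not under(sender_host, OFFICIAL_SUFFIX):
        warnings.append(f"sender name claims CRA but address domain is {sender_host}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        real = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown and shown.group(1).lower() != real:
            warnings.append(f"link text shows {shown.group(1).lower()} but goes to {real}")
    return warnings
```

Calling check_email(SAMPLE) returns one warning for the sender address and one for the link. The host comparison is exact, so a link whose text omits a "www." that the destination includes would also be flagged.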
If you do receive what you believe to be a fraudulent email, you can report it to the Canadian Anti-Fraud Centre.