Can You Tell a CRA Agent from a Scam Artist?

Phishing emails and phone calls are some of a scammer's favourite tricks. Learn how to spot them and protect yourself from tax fraud.

University of Alberta IST - 19 March 2019

No one plans to be a victim of fraud. Yet over the last five years, at least 60,000 Canadians have complained about being the target of fraudulent CRA phone calls. This constantly evolving scam has cost victims over $10 million, and the tricks don't end there: phishing emails, direct deposit scams, tax preparer fraud, and even fraudulent letters in the mail all plague Canadians every year, particularly during tax season.

Many scam artists take advantage of the stress and emotion that comes with tax season by attempting to lift your personal information so they can cash in on a refund request or steal your identity. These scammers are crafty, but you can outsmart them by staying vigilant and watching for these tricks.

Be on the Lookout For:

  1. Phone Calls
    Fraudulent CRA phone calls are a consistent threat during tax season. However, the CRA does make phone calls to taxpayers, so the difficulty comes from telling a scam artist from a genuine CRA agent.

    Here's what the CRA may do in a phone call:

    • Validate your identity by asking for certain personal information (which could include asking you to verify your address and/or social insurance number)

    • Call to request payment in full or to discuss a payment arrangement

    • Ask for financial information to support ability to pay

    • Request payment for a tax debt through any of the CRA's payment options

    • Send legal warning letters after initial attempts to contact the taxpayer have been unsuccessful

    • Take legal action to recover the money you owe if you refuse to pay your debt


However, the CRA will never do the following:

  • Ask for information about your passport, health card, or driver's license

  • Threaten with arrest, police, or deportation

  • Demand an immediate payment

  • Ask for payment via prepaid credit cards, gift cards, Bitcoin or other cryptocurrencies

  • Collect or distribute payments through Interac e-transfer

  • Communicate through text messages

    If you receive a fraudulent phone call, do not divulge any personal or financial information. Hang up and report the call to the Canadian Anti-Fraud Centre. If you believe you've been a victim of tax fraud, follow the steps outlined by the Canadian Anti-Fraud Centre and the RCMP


If you are in doubt about whether a CRA phone call is legitimate or a scam, hang up the phone and either check your account online or call the agency back at 1-800-959-8281.

  1. Direct Deposit-Paycheque Phishing Attacks

A direct deposit phishing scam has affected a number of employers. In this scam, employees receive an official-looking email that asks them to click a link and provide their real username and password. Scammers then use that login information to access the employee's payroll portal and reroute their direct deposits to bank accounts owned by the scam artists.

Remember: think before you click, and never give out your personal information via email.

  1. General Phishing Emails

Some phishing attacks are not targeted to a specific group of people. Scammers will often send mass phishing emails that ask recipients to click on a link, download an attachment, or divulge sensitive information. These emails often look legitimate, even mimicking the CRA's email header, footer, and logo.


Watch out for unsolicited emails, texts, social media posts, or fake websites that may lure you in and prompt you to share valuable personal and financial information.

Learn more about how to spot a phishing attack.

  1. Online Tax Preparer Fraud
    Most tax preparers provide honest services, but some disreputable individuals may target unsuspecting taxpayers for refund fraud or identity theft. The CRA reminds anyone filing a tax return that the preparer must sign it with his or her preparer tax identification number. Alternatively, your tax preparer could be the victim of cybercrime themselves, potentially compromising your data.

    Always keep an eye on your bank account. If you receive a refund you did not request, contact the CRA immediately. If someone calls you claiming to be from a collection agency, be skeptical, and do not divulge any personal or financial information if you suspect it might be a scam. Hang up the phone and either check your CRA account online or call the CRA at 1-800-959-8281.

How to Stay Safe:

  1. Update, Patch, and Tighten Cybersecurity: To avoid being a victim of cybercrime, make sure that the operating system and software on all of your computing devices (including mobile) are up to date. Maintain and keep up to date your antivirus, security patches/fixes, and internet security program.

  2. When in Doubt, Throw it Out: Just because an email looks real doesn't mean it is. If you receive an email that seems suspicious, even if you know the source, play it safe and delete it, or at the very least, contact the supposed sender through a separate channel to validate the email's legitimacy.

  3. Think Before You Act: Be wary of communications that implore you to act now, especially if you are told you owe money to the CRA and it must be paid immediately. Scammers prey on our emotions, and invoking a sense of urgency is a common tactic.

  4. Use Complex Passwords: Choose a password that is at least eight to ten characters long and consists of a mix of numbers, special characters, and upper and lowercase letters. Select a secure password and consider using a password manager.

  5. Exercise Caution When Using Public WiFi: Public WiFi networks are convenient, but not secure. Anyone can gain access to a public network to compromise your Internet traffic, monitor your activity, and steal your personal information. Avoid using public WiFi to share personal or financial details online.

  6. File Taxes from a Secure Website: Before you file a tax return online, ensure that the website begins with https, not http. The extra "s" at the end means that any data sent over that connection is encrypted and cannot be read by hackers.

Remember, the CRA will never do the following:

  • Use threatening or abusive language

  • Send an email asking you to divulge personal or financial information

  • Call you and ask for monetary payment right away

  • Send any documents or forms unless you specifically requested them


Don't be a Victim:

Despite best efforts, scam artists are always evolving and introducing new techniques. The only way to stay ahead of scammers is to be vigilant and skeptical. Tax fraud is prevalent at this time of year, but cybercrime happens year round. Stay alert, and follow the steps outlined by the Government of Canada to protect yourself from fraud and identity theft.

References:

  1. National Cyber Security Alliance: https://stopthinkconnect.org/2stepsahead/resources

  2. Canada Revenue Agency: http://www.cra-arc.gc.ca/scrty/frdprvntn/menu-eng.html

  3. Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/

  4. CBC Marketplace: https://www.cbc.ca/news/canada/cra-phone-tax-scam-marketplace-1.4830141

  5. CBC Marketplace: https://www.cbc.ca/marketplace/blog/full-statement-from-the-cra