The CRA is not calling you - Protect yourself from tax fraud

The CRA will never phone or email you asking for personal information or monetary payment. Stay safe this tax season by following these tips.

11 March 2024

Originally published February 2019

No one plans to be a victim of fraud. Yet over the last seven years, more than 60,000 Canadians have complained about being the target of fraudulent CRA phone calls. This constantly evolving scam has cost victims millions of dollars, and the tricks don't end there: phishing emails, direct deposit scams, tax preparer fraud and even fraudulent letters in the mail all plague Canadians every year, particularly during tax season.

Many scam artists take advantage of the stress and emotion that comes with tax season by attempting to lift your personal information so they can cash in on a refund request or steal your identity. These scammers are crafty, but you can outsmart them by staying vigilant and watching for these tricks.

Be on the Lookout For

1. Phone calls
Fraudulent CRA phone calls are a consistent threat during tax season. However, the CRA does make phone calls to taxpayers, so the difficulty comes from telling a scam artist from a genuine CRA agent.
Here's what the CRA may do in a phone call:
  • Validate your identity by asking for certain personal information (which could include asking you to verify your address and/or social insurance number)
  • Call to request payment in full or to discuss a payment arrangement
  • Ask for financial information to support ability to pay
  • Request payment for a tax debt through any of the CRA's payment options
  • Send legal warning letters after initial attempts to contact the taxpayer have been unsuccessful
  • Take legal action to recover the money you owe if you refuse to pay your debt
However, the CRA will never:
  • Ask for information about your passport, health card, or driver's license
  • Threaten with arrest, police, or deportation
  • Demand an immediate payment
  • Ask for payment via prepaid credit cards, gift cards, Bitcoin or other cryptocurrencies
  • Collect or distribute payments through Interac e-transfer

If you receive a fraudulent phone call, do not divulge any personal or financial information. Hang up and report the call to the Canadian Anti-Fraud Centre. If you believe you've been a victim of tax fraud, follow these steps to protect yourself.

If you are in doubt about whether a CRA phone call is legitimate or a scam, hang up the phone and either check your account online or call the agency back at 1-800-959-8281.

2. Text messages
A more recent and prevalent method scammers are now attempting is to contact you via text message, claiming to be the CRA. They will indicate that you have a monetary amount ready to deposit into your account and to click the link to accept, or the text indicates that your notice of assessment is ready and that identification is required — among other similar narratives.

The CRA will never use text messages or instant messaging platforms such as Facebook Messenger or WhatsApp to begin a conversation with you about your taxes.

Remember: The CRA has introduced multi-factor authentication for all of its sign-in services. If you enrolled with the telephone option, you will receive a text message with a one-time passcode each time you sign in to your CRA account.

3. Direct Deposit-Paycheque Phishing Attacks
A direct deposit phishing scam has affected a number of employers:

  • First, an employee receives an official-looking email from what appears to be a trusted service or resource. The email asks the employee to click a link and access a website.
  • On the website, the employee is prompted to confirm their data by providing their real username and password.
  • Scammers then use that login information to access the employee's payroll portal and reroute their direct deposits to bank accounts owned by the scam artists.

These fraudulent emails look real, right down to the logo and signature. Many employers do not discover this phishing attack until their employees begin reporting that they haven't received their paycheques. These phishing emails are specifically targeted to employees only.

Remember: think before you click, and never give out your personal information via email.

4. General Phishing Emails
Some phishing attacks are not targeted to a specific group of people. Scammers will often send mass phishing emails that ask recipients to click on a link, download an attachment or divulge sensitive information. These emails often look legitimate and they can even mimic the CRA's email header, footer, and logo.

Watch out for unsolicited emails, texts, social media posts, or fake websites that may lure you in and prompt you to share valuable personal and financial information. Learn more about how to spot a phishing attack.

5. Online Tax Preparer Fraud
Most tax preparers provide honest services, but some disreputable individuals may target unsuspecting taxpayers, resulting in refund fraud and/or identity theft. The CRA reminds anyone filing a tax return that the preparer must sign it with his or her preparer tax identification number.

Alternatively, your tax preparer could be the victim of cybercrime themselves, potentially compromising your data. Always keep an eye on your bank account. If you receive a refund you did not request, contact the CRA immediately. If someone calls you claiming to be from a collection agency, be skeptical, and do not divulge any personal or financial information if you suspect it might be a scam. Hang up the phone and either check your CRA account online or call the CRA at 1-800-959-8281.

How to Stay Safe

  1. Update, patch, and tighten cybersecurity: To avoid being a victim of cybercrime, make sure that the operating system and software on all of your computing devices (including mobile) are up to date. Maintain and keep up to date your antivirus, security patches/fixes and internet security program.
  2. When in doubt, throw it out: Scam artists are good at what they do, and many times, the phishing emails they send look legitimate. However, just because something looks real doesn't mean it is. If you receive an email that seems suspicious, even if you know the source, play it safe and delete it, or at the very least, contact the supposed sender through a separate channel to validate the email's legitimacy.
  3. Think before you act: Be wary of communications that implore you to act now, especially if you are told you owe money to the CRA and it must be paid immediately. Scammers prey on our emotions, and invoking a sense of urgency is a common tactic. Keep an eye open for any urgent or threatening language.
  4. Use complex passwords: Passwords that are too short or simple are easy for a scammer to crack. Choose a password that is at least eight to ten characters long and consists of a mix of numbers, special characters and upper and lowercase letters. Get tips on selecting a secure password, and if you don't already have one, start using a password manager.
  5. Exercise caution when using public WiFi: Public WiFi networks are convenient, but not secure. Anyone can gain access to a public network to compromise your Internet traffic, monitor your activity and steal your personal information.
  6. File taxes from a secure website: Before you file a tax return online, ensure that the website begins with https, not http. The extra "s" at the end means that any data sent over that connection is encrypted and cannot be read by hackers. If the website you're using doesn't begin with https, then don't use it to file your tax return.
Remember, the CRA will never do the following:
  • Use threatening or abusive language
  • Send an email asking you to divulge personal or financial information
  • Call you and ask for monetary payment right away
  • Send any documents or forms unless you specifically requested them

The only exception is if you call the CRA to request a form or a link for specific information. Then, a CRA agent will forward the information you are requesting to your email during the telephone call.

Don't be a Victim

Despite best efforts, scam artists are always evolving and introducing new techniques. The only way to stay ahead of scammers is to be vigilant and skeptical. Tax fraud is prevalent at this time of year, but cybercrime happens year round. Stay alert, and follow the steps outlined by the Government of Canada to protect yourself from fraud and identity theft.

References

  1. National Cyber Security Alliance: https://staysafeonline.org/ 
  2. Canada Revenue Agency: http://www.cra-arc.gc.ca/scrty/frdprvntn/menu-eng.html and https://www.canada.ca/en/revenue-agency/news/newsroom/tax-tips/tax-tips-2022/not-sure-cra-calling-here-how-to-find-out.html
  3. Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/
  4. CBC News: https://www.cbc.ca/news/canada/kitchener-waterloo/wrps-interac-tax-refund-cra-canada-revenue-service-1.5430927