Phishing, phone calls and frauds: How to stay safe this tax season

Spot cybercriminals’ favourite tricks and protect yourself from scams at tax time.


Tax season is upon us: T4 slips are out, accountants are booked solid and the filing deadline is just weeks away. In all the craze, it’s easy to forget about online security—and that’s exactly what cybercriminals count on.

Canada Revenue Agency is warning people to be on the lookout for scammers at tax time, who will pose as CRA employees. “They’ll try to take advantage of tax season by attempting to lift your personal information so they can cash in on a refund request or steal your identity,” said Gordie Mah, chief information security officer for the University of Alberta.

6 ways to protect yourself online

Update, patch and tighten cybersecurity. To avoid being a victim of cybercrime, make sure the operating system and software on your desktop computer, laptop and mobile devices are up to date. Download an antivirus and internet security program if you don’t already have one. And if you’re filing your taxes through mobile, ensure your phone or tablet has all the latest updates and is running a cybersecurity program.

When in doubt, throw it out. Cybercriminals are good at what they do, and the phishing emails they send often look legitimate. But just because something looks real doesn’t mean it is. If you get an email that seems suspicious—even if you know the source—play it safe and delete it.

Think before acting. Be wary of communications that implore you to act now, especially if you are told you owe money to the CRA and must pay immediately. “Cybercriminals prey on our emotions, and invoking a sense of urgency is a common tactic. Keep an eye open for any urgent or threatening language.”

Use complex passwords. Passwords that are too short or simple are easy for a cybercriminal to crack. Choose a password at least eight to 10 characters long and use a mix of numbers, special characters, uppercase and lowercase letters.

Be cautious when using public Wi-Fi. Public networks are convenient but not secure. Anyone can gain access to a public network to compromise your internet traffic, monitor your activity and steal personal information.

File taxes from a secure website. Before filing a tax return online, ensure the website begins with https, not http. “The extra ‘s’ at the end means that any data sent over that connection is encrypted and cannot be read by hackers,” Mah said. If the website you’re using doesn’t begin with https, don’t use it to file your tax return.

Frauds account for more than half of all police-reported cybercrime incidents, according to Statistics Canada.

“During tax season, it’s important to keep in mind a few things that the CRA will never ask you for,” Mah said.

The government won’t send an email asking you to divulge personal or financial information, call you and ask for monetary payment right away, or send any documents or forms unless you specifically requested them.

“The only exception is if you call the CRA to request a form or a link for specific information. Then an agent will forward the information you are requesting to your email during the telephone call.”

Cybercriminals are crafty, but you can outsmart them by staying vigilant and watching for these scams, said Mah.

Phone calls: If someone calls you claiming to be from the CRA, be skeptical. The CRA will never call you demanding immediate payment without having first mailed a bill. They’ll also never ask for a credit or debit card number via email or phone call, and they won’t threaten to arrest you if you don’t pay them.If you receive a fraudulent phone call, don’t give out any personal or financial information. Hang up and report the call to the Canadian Anti-Fraud Centre. If you believe you’ve been a victim of tax fraud, follow these steps, Mah advised.

Phishing emails: Phishing attacks can come in the guise of a tax refund. Claiming that you’re entitled to a tax refund, cybercriminals will often send mass phishing emails that ask you to click on a link, download an attachment or divulge sensitive information. These fraudulent emails look real, right down to the logo and signature. Watch out for unsolicited emails, texts, social media posts or fake websites.

“Think before you click, and never give out your personal information via email,” Mah said.

Online tax preparation fraud: Most accountants provide honest services, but some disreputable individuals may target unsuspecting taxpayers, resulting in refund fraud and possibly identity theft. The CRA requires that anyone filing a tax return must have the accountant sign it with their tax preparer identification number, Mah noted.

Alternatively, accountants could be the victim of cybercrime themselves, potentially compromising your data. In the United States, the IRS has reported instances of identity thieves hacking online accounts of tax preparation firms and using the clients’ information to file fraudulent refund requests, Mah said. When the IRS deposits the refund into the clients’ bank accounts, cybercriminals pose as a collection agency and contact those clients, demanding the money be “returned” to an account owned by the hackers. 

“Always keep an eye on your bank account,” he cautioned. “If you receive a refund you didn’t request, contact the CRA immediately. If someone calls you claiming to be from a collection agency, be skeptical and don’t give any personal or financial information over the phone.”