Tax season, scam season: Don’t fall for CRA income tax email scams

With tax season looming, cyber criminals are gearing up to take advantage of unsuspecting Canadians by posing as the Canada Revenue Agency (CRA), often requesting personal information or money in exchange for alleged overdue fees.

These deceptive emails are often so-called phishing scams, a type of online identity theft used by criminals to trick users into handing over personal data and online passwords.

Take, for example, this recent CRA email scam: The subject line reads “Tax Return File Overdue,” alleging one or more of the user’s tax returns are overdue or incomplete. The email then instructs the user to follow a link to find detailed information about money they may owe to the government.


A screenshot of an email scam sent to Global News.

The link takes the user to a webpage that looks almost identical to the CRA’s website and asks them to fill out their personal information, including their credit card number, expiry and security code, as well as their social insurance number.

However, a close look at the URL reveals the user is not on the agency’s official website – a classic warning sign of a phishing scam.


A screenshot of the webpage mimicking the CRA’s website.

The CRA will never:

– Ask you to provide your personal or financial information by email, text, or by clicking on a link
– Ask for information about your passport, health card, or driver’s licence
– Share your taxpayer information with another person
– Send payments using Interac e-transfer (they only send payments by direct deposit or cheque)
– Request payments by gift cards or pre-paid credit cards

Additionally, the CRA will only send you notification emails if you have subscribed to the service and the email will only advise the user to go into their secure tax account to see relevant information.

But, just in case, there are a few surefire ways to recognize a phishing scam email from a mile away.

First – never be fooled by official names or logos. One of the most common ways that phishing scams will try to fool you is by using official company logos or insignias. In some cases, the email address or web address may look close to the company’s name, but is slightly altered or off by a letter.

Take, for example, the email below. Though the sender’s name clearly states “Canada Revenue Agency,” the email address is not a government email (which usually ends in “”).


This tip is especially important: Never click on a link included in a suspicious email – and, if you do, never enter any personal information on the webpage.

Often attackers will use a legitimate web address in the hyperlinked text of the email, but once you click on the link it takes you to a malicious website.

But, if you are working on a computer, you can hover your mouse over the link – without clicking on it – and a small yellow box will appear showing the actual web address the link will take you to. If the link doesn’t match the hyperlinked text, it’s likely malicious.


An example of a malicious link.

If you are working on your smartphone and you tap to open the link, take a close look at the web address and see if it matches the webpage you are looking at.

For example, the recent CRA scam we looked at took us to a webpage designed to look just like the CRA’s website, but the URL did not match at all.


If you do receive what you believe to be a fraudulent email, you can report it to the Canadian Anti-Fraud Centre.