Be On Alert: Fake 'CRA' Emails Are Phishing for Your Financial Info

Some acquaintances told me they had recently received an email that claimed the Canada Revenue Agency (CRA) had a refund for them "after the last annual calculation of your fiscal activity." The odd wording is a tipoff: of course this was a phishing attempt – an email designed to gather financial information in order to pilfer your bank account.

Red Flags

You can spot many phishing e-mails by looking for the following red flags:

• There are typos, grammatical errors or a graphic that is fuzzy (pixelated) or otherwise sloppily created or copied. While many will belittle the government, they do try their best to communicate clearly and have people on staff and technology deployed to ensure few errors get out there.
• The payment method is suspect. You may be asked to deposit some money into a bank account registered to an individual or make a payment by credit card. The CRA only accepts payments to the Receiver General of Canada. They also do not take credit cards.
• They want to contact you directly. The CRA normally communicates via postal service, unless another arrangement had already been made.

• They say they want to give you money. The CRA does not usually track down people unless they believe that CRA is owed money. It is up to you to file the paperwork to get any refund owing, but woe unto you if you are behind on money you owe the CRA.
• They want you to do something in order to give you money. The CRA would either directly deposit into your bank account or send a cheque in the mail to your last known address; this is a good reason to make sure they have your current address.
• Non-standard or otherwise strange language. CRA payments are accompanied by a Notice of (Re)Assessment, not "the last annual calculation of your fiscal activity."
• Any email claiming to be from the government is suspect. The government has set up secure websites across different departments for messaging purposes, with user names, passwords and other security measures. E-mail is manifestly the least secure method imaginable.

Note that many of these red flags also apply to most, if not all, banks, credit unions, and other financial institutions.

Some fakes look real

Admittedly, some of these e-mails look fairly legitimate, including links to real webpages on the CRA website. However, they may also include attachments to "help" you fill out the forms; the attachments are, of course, extremely dangerous and should not be opened.

If you are ever unsure about any message in any medium that purports to be from the CRA, the CRA has a number at 1-800-959-8281 where you can confirm whether it is legitimate.

Related resources:

The CRA has some samples of fraudulent e-mails.

CRA: Don't be fooled by unsolicited e-mails or phone calls!

The government maintains the Canadian Anti-Fraud Centre website (formerly PhoneBusters).