We all receive our fair share of spam, but when it comes to emails from the Canada Revenue Agency or any financial institution, it is important to be particularly vigilant. These types of emails can quickly become a significant threat, especially if they appear genuine and seemingly originate from a familiar source like the CRA or our bank. What is the best way to discern whether an email contains a malicious link or attachment, or if it’s an attempt to scam you out of money or obtain your personal or business information?
Understanding the nature of these threats helps you to identify and handle the types of communication – whether it’s merely an annoyance or a potential landmine waiting to detonate. Here are five key ways to recognize and safeguard yourself against CRA scams.
1. The sender’s address is odd.
The first giveaway that an email may be a scam is an odd or incorrect sender address. To spot this, check both the sender’s email address and their display name. Be wary of email addresses that look suspicious, contain typos, or deviate from the usual format. Another important thing to note is that the CRA will never send out emails or text messages with a link to your refund, and they will never email or text you a link requesting that you click on it or fill in an online form with personal or financial information. If you receive a request of this nature, it is more than likely a scam.
2. The sender doesn’t seem to know the recipient.
Is the recipient’s name spelled out in the email, and are you being addressed as you would expect from the sender? Does the signature match how this sender would usually sign their emails to you? For example, your bank or the CRA usually does not address you in generic ways like “Dear customer.” If the email is legit and clearly intended for you, then they will use your full name.
3. Embedded links have odd URLs.
Always hover first over the links in the email. Do not click immediately. Does the destination URL match the destination site you would expect? Will it download a file? Are they using a link-shortening service? When in doubt, if you have a shortcut to the site of the company sending you the email, use that method instead of clicking the link in the email. There are a few requests that should always raise a red flag over email.
The CRA will never:
- Give or ask for personal or financial information by email and ask you to click on a link.
- Email you a link that demands you fill in an online form with personal or financial details.
- Send you an email with a link to your refund.
- Demand immediate payment by a certain day or time.
- Threaten you with arrest or a prison sentence.
Your bank will never:
- Demand that you disclose personal information such as your password, credit or debit card number, or your mother’s maiden name
- Ask for your account number
- Ask for your social security number
- Ask for your SSN or PIN
- Ask for your birthday or address
- Ask for you to fill out a form, click a link, or download an attachment
- Ask you to contact them at a new phone number not listed on the back of your card or on your bank’s official website.
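The sender check from point 1 and the link check from point 3 can be automated for a saved message. The following is an added example, not part of the original article; the expected-domain list, the shortener list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains you expect this sender to use; adjust per institution.
EXPECTED_DOMAINS = {"canada.ca"}
# A few well-known link-shortening services (not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def review_email(raw, expected=EXPECTED_DOMAINS):
    """Return a list of warnings about the sender address and embedded links."""
    msg = message_from_string(raw)
    findings = []
    # Point 1: look at the real address, not just the display name.
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not host_in(sender_host, expected):
        findings.append(f"sender domain {sender_host!r} is not expected "
                        f"(display name: {display!r})")
    # Point 3: the scripted equivalent of hovering over each link.
    for href, text in LINK_RE.findall(msg.get_payload()):
        host = urlparse(href).hostname
        if host_in(host, SHORTENERS):
            findings.append(f"link uses a shortening service: {host}")
        elif not host_in(host, expected):
            findings.append(f"link goes to unexpected host: {host}")
        # Link text that itself looks like a URL should match the destination.
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown.lower() != (host or "").lower():
            findings.append(f"link text shows {shown} but destination is {host}")
    return findings

# Constructed sample message (not a real email); .example hosts are placeholders.
SAMPLE = """From: "Canada Revenue Agency" <refunds@cra-refund.example>
Subject: Your refund
Content-Type: text/html

<p>Dear customer, <a href="https://bit.ly/EXAMPLE">claim your refund</a> or visit
<a href="http://login.example.net/form">https://www.canada.ca/</a></p>
"""

if __name__ == "__main__":
    for finding in review_email(SAMPLE):
        print("-", finding)
```

A message that passes these checks is not thereby trustworthy; the content rules in the lists above still apply.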
4. The language, spelling, and grammar are “off.”
Is the email full of spelling errors, or does it look like someone used an online translation service to translate the mail into your language? Official communication from a banking institution or the CRA will not have grammatical or spelling errors. Additionally, an email from the CRA or the bank will never have unprofessional, aggressive, or threatening language.
5. They are asking you to share a two-factor authentication code.
Have you recently received an email or phone call from your bank or the Canada Revenue Agency urging you to disclose a two-factor authentication code that was sent to you? This should set off the loudest alarm bells. It’s important to note that reputable institutions will never request these codes through email communication. Such solicitations are likely part of a malicious attempt to gain access to your accounts.
What to do if you suspect a scam or fall for a scam email?
Receiving a phishing email from the bank or the CRA can be stressful. It can make you question the security of your accounts, especially if the scammer has some information about you already, like a name or account number. So what can you do if you suspect that you have received a scam email or if you have already fallen for one? There are a few steps you can take to ensure that you are safeguarding your sensitive information and protecting yourself.
- Update all of your bank accounts and email accounts with strong and unique passwords.
- Consider using passphrases with four or more random words and at least 15 characters.
- Do not reuse passwords on multiple accounts.
- Enable Multi-Factor Authentication and add additional security questions.
- Contact the bank or the CRA and let them know what has happened and what information the scammer has access to.
- Monitor your transactions for suspicious activity in any of your accounts.
- Delete or suspend inactive accounts to prevent cybercriminals from using them to send phishing links to your contacts.
- If there are suspicious links or attachments, install antivirus software.
- Scan your device for viruses that may have been downloaded.
- Report the incident to the Canadian Anti-Fraud Centre. Call 1-888-495-8501 for assistance.
- Report the incident to your local police department.
Staying vigilant and informed is the best way to protect yourself from email scams. Adopting these practices and staying aware of the common tactics used by scammers can help prevent you from falling victim to phishing attempts. Do not be quick to provide personal information, and always verify the legitimacy of the source of any unexpected or unusual communication. And if ever you are in doubt, contact the relevant institution directly using official contact information, rather than responding to the suspicious email.