Tax seasons scams are getting harder to spot

Tax season brings a steady flow of emails about T3 slips, refunds, and account updates. This year is no different, but some of those messages are not what them seem.

According to the Government of Canada, threat actors are using this period to send emails that closely resemble Canada Revenue Agency (CRA) communications. Because these messages reflect what many Canadians expect to receive, they can be difficult to identify as fraudulent.

These emails are designed to feel routine. This may include:

• Subject lines such as Your 2025 T4 Is Ready for Download, New Tax Documents Posted to Your CRA Account, or Important: Action Required on Your CRA File
• Sender names that appear to come from the CRA. For example, the sender may use Canada Revenue Agency Notification or CRA Secure Mail Delivery
• Attachments or links prompting you to access tax documents

In some cases, attachments are password-protected and encourage users to open the file to retrieve their information.

These messages are not random. The government of Canada notes that they follow a consistent pattern designed to feel familiar.

An email prompts you to open a document or click a link. From there, you may be directed to a webpage that looks like a CRA sign-in portal. These pages can be hosted on legitimate platforms, which makes them harder to identify.

You may then be prompted to download a file. That download can trigger additional activity in the background, including the installation of software that allows access to your device.

In some cases, attackers use tools that resemble legitimate IT support software. This approach can make the activity difficult to distinguish from normal system use while allowing ongoing access, monitoring, and control.

The timing is a key factor in making these emails convincing.

During tax season, many people expect to receive updates, documents, or requests for action. These messages are designed to mirror that activity closely, which makes routine actions such as opening a file or clicking a link feel safe.

Not every request you receive during tax season will be legitimate. Taking a moment to verify unexpected or unusual messages can help reduce your risk. The Government of Canada highlights several steps to help reduce risk during tax season. These actions align with broader best practices for identifying and responding to suspicious activity.

For individuals

• Be cautious of unsolicited emails related to tax documents, refunds, or account updates
• Avoid clicking links in unexpected messages and navigate directly to official websites
• Verify the sender and context before opening attachments
• Be aware that files hosted on trusted platforms may still be malicious
• If a message creates urgency or asks you to act quickly, take a moment to verify it before responding

For organizations

• Monitor for unusual remote-access activity, especially outside of normal IT support windows
• Watch for unfamiliar or unauthorized software installations, including remote-management tools
• Strengthen email filtering and attachment controls to identify malicious files, scripts, and confusing content
• Limit or closely monitor scripting activity that may be used to download or execute additional files
• Review outbound network activity for connections to unfamiliar or newly observed domains
• Use known indicators of compromise, such as flagged URLs or file signatures, to support detection and response efforts
• Educate employees on common phishing tactics, particularly those tied to seasonal events like tax filing

If you receive a message that seems unusual or urgent, avoid using the contact details provided in the email. Instead, confirm the request through trusted source and official channel.

Understanding how these scams unfold can help you recognize potential risks earlier, especially during high-volume periods such as tax season.

If you want to better understand how to protect your organization or strengthen your approach to cyber security, connect with the MNP Digital team to learn more.