Avoiding CRA Tax Scams: What Canadians Need to Know

Posted on August 9, 2021 - by Michael Vickers - in Building Your InfoSec Program

avoid CRA tax scams

Recently, it has become more confusing dealing with the Canada Revenue Agency (CRA) because of the increase in scams and phishing attacks being orchestrated to defraud you. We’re here to help you protect yourself.

Identity theft and cybersecurity scams have become incredibly lucrative. According to the US Department of Justice’s Bureau of Justice Statistics 9% of people have experienced identity theft, with an average cost to victims of roughly $930 in 2018. The bureau also states that 70% of identity theft victims experience financial loss. Here in Canada, according to stastita.com, there were 12.46 incidents of identity theft per 100,000 people, with phishing scams accounting for roughly 91% of cybersecurity crimes. Now that we know the stats and how prevalent these situations are, let’s look at how the CRA interacts with taxpayers, what scams exist, and how to protect yourself and your business.

How and Why the CRA Will Contact You

The CRA and its many departments have a variety of ways to contact taxpayers. Here are the top reasons CRA will contact you:

  1. Your tax filings are past due
  2. To notify you of your Notice of Assessment
  3. You have a tax balance owing
  4. To begin an Audit

That’s the why now the how. We know that the CRA will contact taxpayers by mail, but there is a common misconception that the CRA will not contact you by phone or email. In the case of phone calls, this is not true at all. CRA agents will attempt to contact you by phone and for some departments, phoning a taxpayer is the first point of contact. In regards to emails from CRA, you will only get them if you registered for electronic notifications, and the email is simply saying to you have mail in your My Account inbox. 

Information the CRA Will and Will Not Ask You For

Now that we know how and why CRA will contact you, let’s review what information CRA agents will ask for and what they will not ask for.

  1. When CRA contacts by phone, they will need to confirm your identity as well for privacy reasons, which means they will ask for basic information such as date of birth, your home address, and possibly three digits of your SIN but never the full number.
  2. During contact with taxpayers and while completing their work, CRA may ask for certain financial information, such as bank statements, pay stubs, and income statements, to complete their work. This information won’t be requested until your identity has been confirmed and you are comfortable speaking with them.
  3. The CRA will not text you.
  4. The CRA will not ask taxpayers for identifying information on documents such as a passport, health card, or driver’s license. They have enough personal information on hand to identify you.
  5. They will not email taxpayers a link to your refund (nor any link you have not specifically requested). They will also not ask taxpayers to pay their debt in gift cards.
  6. CRA approaches contact with taxpayers in a respectful manner and will not be aggressive towards taxpayers, nor will they threaten to arrest taxpayers or report you to the police while initially contacting a taxpayer. Do some cases the CRA deals with end up with criminal charges and possible jail time? Yes. Do they threaten this at the initial point of contact? Absolutely no.

Current CRA Tax Scams and How to Protect Yourself

As we have discussed earlier, identity theft and cybercrimes are on the rise, but what are the current CRA tax scams, how are they targeting the CRA and taxpayers, and how can we protect ourselves?

According to the Competition Bureau of Canada, criminals are using spyware, viruses, hacking, and phishing to obtain “credit card information, bank account details, full name and signature, date of birth, social insurance numbers, full addresses, mother’s maiden name, online usernames and passwords, driver’s license number, and passport numbers.”

The more commonly known scams are phone calls and emails where the criminal attempts to have the taxpayer believe that they are speaking to the CRA and to have them provide personal or financial information and/or send money or gift cards. Here is a list of the different types of scams and frauds according to the CRA.

In summary, the CRA does not ask for gift cards, provide links to pay debt, threaten jail time, or ask deeply personal questions over the phone. 

Handling Your Tax Information Securely 

According to CRA’s own data, over 91% of taxpayers used electronic means to file their 2021 income tax returns, giving bad actors more potential targets to launch attacks against. You need to be extra cautious when handling your information online. Here are some helpful tips for handling your personal and tax information online:

  • Avoid working on your tax return while using public wifi, as these connections are less secure and more vulnerable to cyber-attacks.
  • Use strong passwords for all of your accounts, combining letters, numbers, and special characters, while avoiding common words and phrases or identifying information. A password manager is a great tool to help generate and manage sophisticated passwords or phrases.
  • Make an effort to install your computer updates before filing your taxes. Filing your taxes on a computer without the latest software updates can leave you vulnerable to attacks. We cover how to set up auto-updates for Mac and Windows.
  • When choosing a software website, verify the sites you visit use SSL (Secure Sockets Layer) encryption. Make sure the URL begins with “HTTPS,” not just “HTTP.”
  • Back up your return and data you uploaded to an external drive and print copies. Afterwards delete everything on the device you used to file with after you have completed your return. This will allow you to have access to the information going forward but protects you in case you are hacked or fall victim to a phishing scam.

Reject and Report CRA Tax Scams

As we have gone over tell-tale signs of a CRA tax scam, the ways CRA will contact you, and what information CRA will ask of you, you can also ask CRA for information to verify themselves as agents or to weed out scams. Anytime CRA contacts you, that agent will have a badge/ID number that can be requested by taxpayers to verify the agent’s identity. If you are worried that a call from CRA is a scam, ask for their badge or ID number and the number to CRA’s general inquiries line where you can verify the identity of the person you are speaking with and then call them back.

If you believe that the contact you received is fraudulent, delete the emails, end the phone calls, and then contact the CRA directly to report the fraudulent activity directly. CRA is always trying to stay ahead of the efforts being made, and part of that is having taxpayers report the issues. To end off, do not feel bad if you become a victim of a CRA tax scam; the CRA itself fell victim to fraudulent activity over the last year. It can happen to anyone, but stay aware, get secure, and be prepared.

Get Secure with Securicy

The best way to begin securing your business is to educate yourself and your employees on the best practices for cybersecurity. Our platform offers security awareness training so you can learn to recognize pesky phishing scams and develop a robust security program to make your company safer and more productive. You can learn more about how our information security management platform can help you meet security requirements on our Product page.

Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing a cybersecurity program.

Try Securicy Free