Tax-Season Phishing: How Fake CRA Emails Target Canadian Businesses
Part of our guide: Phishing, scams & account security
Every tax season, a familiar wave of scam messages hits Canadian inboxes: emails and texts claiming to be from the Canada Revenue Agency. Some promise a refund, others threaten penalties — and for a business, the cost of falling for one can be far higher than for an individual. Here’s how CRA phishing scams work and how to stop them.
Why tax season — and why it doesn’t really stop
Scammers lean on tax season because it’s the one time of year everyone genuinely expects to hear from the CRA. A message about a refund or a balance owing doesn’t feel out of place in March or April, so people let their guard down. But while the volume spikes at tax time, CRA-impersonation fraud runs all year — benefit-payment lures, “reassessment” notices, and account-locked warnings show up in every month of the calendar.
It’s not just email
CRA impersonation comes through three channels, and your team should recognize all of them:
- Email phishing — a link to “claim” a refund or “verify” your account that leads to a fake CRA login page.
- Smishing (text) — a short SMS with a refund link or an urgent “amount owing” warning.
- Vishing (phone) — a caller posing as a CRA agent, often aggressive, demanding immediate payment or threatening arrest. Some spoof the call display to show a government-looking number.
The branding is increasingly convincing, too. AI tooling has cleaned up the spelling and made fake notices look polished, so the old “obvious typo” tell is fading — see AI-powered scams and deepfakes.
What the CRA will never do
The single most useful thing your team can know is what the real CRA does not do. The CRA will not:
- Email or text you a link to “claim” a refund or log in.
- Ask for personal or business information by email or text.
- Demand immediate payment by e-transfer, gift cards, or cryptocurrency.
- Threaten you with immediate arrest or deportation.
- Use aggressive or threatening language to pressure you into acting.
- Leave a voicemail demanding an urgent call back to settle a debt.
If a message does any of these, it’s a scam — no matter how official it looks. The real CRA communicates important matters largely through your secure My Business Account and by mail, and it will never rush you with threats.
Common lures aimed at businesses
Scammers tailor their hooks. The ones aimed at businesses often involve:
- A refund or rebate notification — “you are owed a GST/HST refund, confirm your details.”
- An amount owing — a fake balance with a payment link and a tight deadline.
- A locked account warning for CRA My Business Account.
- Payroll or benefits messages designed to reach finance and HR staff.
The goal is usually one of three things: stolen login credentials, a fraudulent payment, or malware delivered through an attachment or link. For a business the stakes are higher — a compromised My Business Account can expose payroll data and tax records, and stolen credentials are often the first step toward business email compromise.
What it looks like
A bookkeeper receives an email styled as a CRA notice: a GST/HST refund is ready, just confirm the business’s banking details to release it. The page looks like the CRA portal, so they enter the company’s My Business Account credentials and banking information. Nothing seems to happen — but the attacker now has the login, and real refunds can be redirected while the business is none the wiser. A genuine refund would simply appear in the account on file; it never requires you to “confirm” details through an emailed link.
How to spot a fake
Train your team to pause and check:
- The sender address. Look past the display name to the actual email address.
- Links. Hover before clicking — does the address match an official CRA domain?
- Urgency. Threats and tight deadlines are designed to stop you thinking.
- Generic greetings and small wording errors.
- Any request for information, payment, or login credentials.
When in doubt, don’t use the link or the phone number in the message. Go directly to the CRA website and sign in to My Business Account yourself, or call the CRA using a number from their official site. The same “stop and verify on your own channel” reflex defeats bank impersonator scams and phishing generally.
What to do with a suspected scam
Don’t click, don’t reply, and don’t forward it around the office as a curiosity. Report it to the CRA and to the Canadian Anti-Fraud Centre, then delete it. If someone has already clicked or entered information, act quickly — change the affected credentials, watch for unauthorized changes in My Business Account, and follow our guide on what to do after a phishing click, which walks through the first hour.
Protecting the business, not just the inbox
Awareness is the first layer, but it shouldn’t be the only one. Businesses that weather tax-season phishing well also have:
- Multi-factor authentication, so a stolen password isn’t enough on its own — including on your CRA and banking logins. Our guide on rolling out MFA covers it.
- Email filtering that catches most malicious messages before staff ever see them.
- A clear reporting path, so a suspicious email becomes an early warning instead of a quiet click.
- Endpoint detection, to catch what happens if a link does get clicked.
CRA-themed scams spike at tax time, but the same techniques run all year. If you’d like help making your business resilient to phishing, contact our team.