Tax-Season Phishing: How Fake CRA Emails Target Canadian Businesses
Every tax season, a familiar wave of scam messages hits Canadian inboxes: emails and texts claiming to be from the Canada Revenue Agency. Some promise a refund, others threaten penalties — and for a business, the cost of falling for one can be far higher than for an individual. Here’s how CRA phishing scams work and how to stop them.
What the CRA will never do
The single most useful thing your team can know is what the real CRA does not do. The CRA will not:
- Email or text you a link to “claim” a refund or log in.
- Ask for personal or business information by email or text.
- Demand immediate payment by e-transfer, gift cards, or cryptocurrency.
- Threaten you with immediate arrest or deportation.
- Use aggressive or threatening language to pressure you into acting.
If a message does any of these, it’s a scam — no matter how official it looks.
Common lures aimed at businesses
Scammers tailor their hooks. The ones aimed at businesses often involve:
- A refund or rebate notification — “you are owed a GST/HST refund, confirm your details.”
- An amount owing — a fake balance with a payment link and a tight deadline.
- A locked account warning for CRA My Business Account.
- Payroll or benefits messages designed to reach finance and HR staff.
The goal is usually one of three things: stolen login credentials, a fraudulent payment, or malware delivered through an attachment or link.
How to spot a fake
Train your team to pause and check:
- The sender address. Look past the display name to the actual email address.
- Links. Hover before clicking — does the address match an official CRA domain?
- Urgency. Threats and tight deadlines are designed to stop you thinking.
- Generic greetings and small wording errors.
- Any request for information, payment, or login credentials.
When in doubt, don’t use the link. Go directly to the CRA website and sign in to My Business Account yourself, or call the CRA using a number from their official site.
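The first two checks in that list (the real sender address and the real link destination) plus the urgency check can be automated for a reported-message mailbox. The sketch below is an added example, not part of the original article: the function names are hypothetical, the sample message is constructed, and the list of official domains (`canada.ca`, `cra-arc.gc.ca`) is an assumption to confirm against the CRA's own site.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains treated as official; confirm against the CRA's own site.
OFFICIAL = ("canada.ca", "cra-arc.gc.ca")
URGENCY = re.compile(r"\b(immediately|final notice|suspended|arrest)\b", re.I)

# Constructed sample message (reserved .example domains), not a real capture.
SAMPLE = """\
From: "Canada Revenue Agency" <refunds@cra-notice.example>
Subject: GST/HST refund - confirm your details
Content-Type: text/html; charset="utf-8"

<p>Dear customer, your account will be suspended unless you act immediately.</p>
<a href="https://canada.ca.refund-portal.example/login">Claim refund</a>
<a href="https://www.canada.ca/en/revenue-agency.html">About the CRA</a>
"""

def is_official(host):
    # Match the registered domain as a suffix, never as a substring.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def links(html):
    found = []
    p = HTMLParser()
    p.handle_starttag = lambda tag, attrs: found.extend(
        v for k, v in attrs if tag == "a" and k == "href" and v)
    p.feed(html)
    return found

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"]))  # look past the display name
    sender_host = addr.rpartition("@")[2]
    if re.search(r"\b(CRA|Canada Revenue)\b", display, re.I) and not is_official(sender_host):
        findings.append(f"display name claims CRA but address is @{sender_host}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href in links(text):  # what hovering over the link would reveal
        url = urlsplit(href)
        if url.scheme in ("http", "https") and not is_official(url.hostname):
            findings.append(f"link points to non-official host {url.hostname}")
    if URGENCY.search(text):
        findings.append("urgency or threat wording")
    return findings
```

Calling `triage(SAMPLE)` returns three findings; the look-alike host that merely begins with `canada.ca` is flagged, while the genuine `www.canada.ca` link is not.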
What to do with a suspected scam
Don’t click, don’t reply, and don’t forward it around the office as a curiosity. Report it to the CRA and to the Canadian Anti-Fraud Centre, then delete it. If someone has already clicked or entered information, act quickly — our guide on what to do after a phishing click walks through the first hour.
Protecting the business, not just the inbox
Awareness is the first layer, but it shouldn’t be the only one. Businesses that weather tax-season phishing well also have:
- Multi-factor authentication, so a stolen password isn’t enough on its own.
- Email filtering that catches most malicious messages before staff ever see them.
- A clear reporting path, so a suspicious email becomes an early warning instead of a quiet click.
- Endpoint detection, to catch what happens if a link does get clicked.
CRA-themed scams spike at tax time, but the same techniques run all year. If you’d like help making your business resilient to phishing, contact our team.