Phishing scam impersonates Canadian tax agency ahead of Canada Day
Preparing for Canada Day festivities resulted in a tax scam
Even if the deadline for filing your taxes in Canada has already passed on May 2n/a, 2022, some people may have applied late or are still waiting for their refund. Maybe that’s why I received a phishing email yesterday claiming to be from the Canada Revenue Agency (CRA) and promising a refund of nearly C$500:
Aside from user error [email protected] like the email sender address, it’s not how the CRA communicates. If you are using a My Service Canada Account, you should expect to receive a notification that looks like this:
Understanding how phishers abuse links in emails, the CRA has adopted the wise strategy of not providing links in official correspondence and instead asking customers to navigate to the official website on their own.
However, if you click on the “Interac e-Transfer Autodeposit” button, you are redirected from a malicious link hosted on standyjeno[.]uh to malicious subfolder cra_ca_service hosted on oraclehomes.com:
The operators behind this campaign have done a pretty good job of creating a legit-looking page, but there are still signs of a scam. For example, the footer of a legitimate page looks like this:
Also, the menu items on the phishing page lead nowhere:
Clicking on “Jobs” simply fills the URL with the value of the identifier HTML element attribute for “Jobs”.
Then, if you click the “Continue” button on the homepage, the next page asks for your personal information, including your social insurance number, date of birth, and mother’s maiden name – indeed, everything a phisher would need for identity theft. :
If a victim then clicks the “Continue” button, the next page asks for your credit card information:
The last page incorrectly confirms that your refund will be deposited into your credit card account within 5-10 business days:
Finally, you are redirected to a legitimate CRA web page:
The same redirect occurs if you attempt to navigate directly to the cra_ca_service site subdirectory.
ESET blocks these threats as a phishing attempt:
Phishing in perspective
According to the ESET Threat Report Q1 2022, around a third of phishing URLs detected in the first four months of 2022 impersonated financial organisations. But there are other popular contenders for phishing lures, such as fake Facebook and WhatsApp login pages and websites posing as messaging services and gambling platforms:
Although in this case the malicious operators targeted Canadians’ credit card and personal information, phishing can encompass a variety of purposes such as ransomware downloads, banking trojans, cryptojacking malware and botnet deployments. Therefore, keep the following tips in mind to spot and avoid this threat:
- Determine if the alleged sender normally communicates via email in this manner.
- Rather than clicking on links in an email, it is better to manually navigate to the official website of the apparent sender.
- Check for obvious errors in the email. For example, why would the Canada Revenue Agency send you an email [email protected]?
- Always be wary of sharing your personal and financial information with any web page.
- Familiarize yourself with the CRA Scam Alerts Pageespecially with the samples fraudulent emails impersonating the CRA.