Beware of Scammers Posing as CRA, Service Canada, Justice Department and Other Government Departments
Perhaps you have received a threatening call from CRA stating that you owe taxes and that CRA has commenced legal action against you, or a call from Service Canada threatening legal action. or perhaps Justice Department has warrant for your arrest. Or better yet you might have received an email from CRA telling you that there is a refund waiting for you and that you need to follow the link provided to claim your refund by entering your personal information at CRA website.
If above examples sound familiar then you have been targeted by a so called “phishing” attempt by scammers trying to get you to divulge your personal and financial information. Most computers these days are fairly secure and it is generally hard to crack your passwords and steal account information by intercepting encrypted information communicated from your computing device to your financial institution, online retailer etc. So most scammers these days rely on a lapse in security at financial institutions and other online service providers to steal passwords/account information from millions of customers. These are so called data breaches. Data breaches can occur for various reasons such as outdated security policies, unpatched vulnerabilities in software (i.e. zero day vulnerabilities) or just a system administrators not doing their job. Attacking large institutions requires sophisticated technical skills and resources and are harder to pull off, so most scammers turn to easier approach and use social engineering to get your information directly from you. Social engineering in information security contest is a method of psychological manipulation that plays on your fears, hopes and needs to manipulate you into doing things or unwittingly divulging information to the benefit of other potentially malicious parties (i.e. scammers).
For example lets say you have not filed taxes in several years, in the back of your mind you know you should have filed taxes and that realisation but you haven’t and it is eating at you every day. Suddenly you receive a call from CRA threatening legal action or trying to collect money you owe. The call came out of nowhere and you might panic and provide your personal information to the person on the other end of the line. This is an example of scammers preying on your fears to get a hold of your SIN or bank account number. Scammers know that there are people out there who have not filed their taxes and live in fear of CRA so they will cast a wide net and call as many people as they can, knowing that there will be a few people out there that fear CRA will fall for their call. So one could argue if you are filing taxes on time you will likely know what you owe or perhaps you already made a payment to CRA so you would be less likely to fall for the scam. However that is not always true since even people with perfect tax compliance still fall for these scams. This partly might be due to two reasons:
- CRA has the public image problem. Most people view CRA as this draconian government department with power to take your money and assets and put you in prison so people are generally apprehensive when dealing with CRA so scammers use that fear to steal money or information from people.
- Public lack of knowledge of how tax system works and CRA policies and procedures and how CRA interacts and communicate with public/taxpayers.
Since scammers are adept at manipulating your fears, hopes, needs so what is one to do in order to avoid being scammed.
If you are a victim of a data breach at your bank, online retailer change passwords immediately. Also if you use the same credentials (which you should not) for other online services change those passwords too. You might have used your gmail/apple account to sign up for various internet services (i.e. Netflix) those services will be at risk as well. If you suspect your account credentials might have been compromised in data breach you can use the following website https://haveibeenpwned.com/ to verify if your information has been compromised. Also you might want to sign up for credit monitoring with credit rating agencies and identity theft protection services such us LifeLock, Identity guard etc.
If you receive a phone call from CRA or some other government department here are some facts that you should know in order to determine if you are dealing with CRA or some scammer posing as CRA:
- CRA will never call you at random. If CRA is calling then there must be a pre-existing reason for their call such as ongoing audit/review, balance owing, returned mail, unfiled tax returns etc. You will most likely be aware that CRA has a pending issue before your phone call as they would have informed you via letter if there are any issues with your CRA file. CRA will usually not call you unless they sent you a letter beforehand. CRA will never use automated messages when they call. There will be a live person on the other end of the line. Also CRA Agents will provide you with their agent number, if they don’t give you an agent number you can ask the agent to give you their number which they are obliged to do so. The number is usually in a format XXXXXXXX followed by suffix BC, ONT, PRI, ATL depending on the region of country they are calling from. Fake agent will likely not be aware of the fact that CRA agents have ID numbers and even if they do they will likely not use a correct suffix at all. So one easy way to identify scammers is to ask for agent number.
- CRA prefers to communicate on paper and fax primarily since like any other good government department they prefer paper trail. If you have not filed tax returns CRA will send you multiple written requests, if you owe money they will send you statement of account and remittance vouchers, if you are selected for audit/review they will send you a letter. Usually in those letters there will be phone number for department or auditor so CRA will not call you out of blue.
- CRA generally does not send or accept emails from public. You cannot email CRA as CRA does not accept external emails to avoid some hapless CRA employee opening malicious email attachment and infecting their computer network with viruses. You will only receive email notifications from CRA if you have signed up for My Account or My Business Account service on CRA website. For example when you file your taxes CRA will notify you by email to log in into your MyAccount service and view/download your notice of assessment. The email from CRA will say specifically to log into your My Account service and will not provide a link to follow. Scammer emails will often contain a link to click on and follow to a spoofed website that looks like CRA website and encourage you to enter your user name and password.
- CRA will pay refund ONLY by cheque and direct deposit. CRA will never ask you for any financial information and will never send any emails for you to claim your refund.
- If you owe money to CRA, CRA will never ask you to pay by cash, meet agent in a public place to make payment, or accept payment in Bitcoin or gift cards from retailers . CRA will send you remittance vouchers included with your notice of assessment, statement of account etc, which you can pay by cheque, online banking or CRA MyPayment service.
- Above all CRA is just a government agency and they are not out to get you and threaten you at random. CRA has clear policies and procedures and that does not include random threatening phone calls. You really have to go out of your way for CRA to commence legal action. Should you ever find yourself in position where CRA is out to get you it will be for reasons of tax avoidance, evasion, filing delinquency, large debts owed to CRA and in that case you will be aware of it as avoidance and evasion are conscious choices and don’t happen by accident. In that case CRA will be sending numerous letters followed by valid phone calls and perhaps even a visit from RCMP. In that case you might want to retain a lawyer.
So what to do if you get a random call or an automated message purportedly from CRA – simply hang up. If you are wondering if you hanged up on a legitimate call from CRA then record the number (if you have caller ID) and then call CRA - which you can do by calling 1-800-959-8281 (individuals) or 1-800-959-5525 (businesses). You can talk to an agent and tell him/her that you have received a suspicious call and ask to verify the phone number you recorded. Agents can search their internal directory and can tell if the call originated from one of CRA departments. In addition to checking phone number, you should ask agent to check in your account to see that everything is in order. Above all use common sense – if you have been filing and paying taxes on time then CRA will not call you to pay or threaten legal action. If you have not received any written communications from CRA you will not receive a random call from CRA.
For further information please consult CRA website pager on fraud and scams https://www.canada.ca/en/revenue-agency/corporate/security/protect-yourself-against-fraud.html