Tax season is upon us: T4s are out, accountants are booked solid, and the filing deadline is just weeks away. In all the craze, it’s easy to forget about online security — and that’s exactly what cybercriminals are counting on.
Many cybercriminals try to take advantage of tax season by attempting to lift your personal information so they can cash in on a refund request or steal your identity. Cybercriminals are crafty, but you can outsmart them by staying vigilant and watching for these tricks.
Be on the Lookout For:
- Direct Deposit Phishing Attacks
A new scam has been affecting a number of employers:
• First, an employee receives an official-looking email from what appears to be a trusted service or resource. The email asks the employee to click a link and access a website.
• On the website, the employee is prompted to confirm their data by providing their real username and password.
• Cybercriminals then use that login information to access the employee’s payroll portal and reroute their direct deposits to bank accounts owned by the cybercriminals.
These fraudulent emails look real, right down to the logo and signature. Many employers do not discover this phishing attack until their employees begin reporting that they haven’t received their paycheques. These phishing emails specifically target employees.
Remember: think before you click, and never give out your personal information via email! Forward any suspicious-looking emails to IST at firstname.lastname@example.org.
- General Phishing Emails
Some phishing attacks are not targeted to a specific group of people. Cybercriminals will often send mass phishing emails that ask recipients to click on a link, download an attachment, or divulge sensitive information. Watch out for unsolicited emails, texts, social media posts, or fake websites that may lure you in and prompt you to share valuable personal and financial information.
Learn more about how to spot a phishing attack.
- Online Tax Preparer Fraud
Most tax preparers provide honest services, but some disreputable individuals may target unsuspecting taxpayers, resulting in refund fraud and/or identity theft. The CRA reminds anyone filing a tax return that the preparer must sign it with his or her preparer tax identification number.
Alternatively, your tax preparer could be the victim of cybercrime themselves, potentially compromising your data. In the US, the IRS has reported instances of identity thieves hacking online accounts of tax preparation firms and using the clients’ information to file fraudulent refund requests. When the IRS deposits the refund into the clients’ bank accounts, the cybercriminals pose as a collection agency and contact those clients, demanding the money be “returned” to an account owned by the hackers.
Always keep an eye on your bank account. If you receive a refund you did not request, contact the CRA immediately. If someone calls you claiming to be from a collection agency, be skeptical, and do not divulge any personal or financial information over the phone.
- Phone Calls
The CRA will never call you demanding immediate payment without having first mailed a bill. They will also never ask for a credit or debit card number via email or phone call, nor will they threaten to arrest you if you don’t pay them. If someone calls you claiming to be from the CRA, be immediately skeptical.
If you receive a fraudulent phone call, do not divulge any personal or financial information. Hang up and report the call to the Canadian Anti-Fraud Centre. If you believe you’ve been a victim of tax fraud, follow these steps.
How to Stay Safe:
- Update, Patch, and Tighten Cybersecurity: To avoid being a victim of cybercrime, make sure that the operating system and software on all your desktop computers, laptops, and mobile devices are up to date. Download an antivirus and internet security program if you don’t already have one. And if you’re filing your taxes on a mobile device, ensure that your phone or tablet has all the latest updates and is running a cybersecurity program.
- When in Doubt, Throw it Out: Cybercriminals are good at what they do, and many times, the phishing emails they send us look legitimate. However, just because something looks real doesn’t mean it is. If you receive an email that seems suspicious, even if you know the source, play it safe and delete it.
- Think Before You Act: Be wary of communications that implore you to act now, especially if you are told you owe money to the CRA and it must be paid immediately. Cybercriminals prey on our emotions, and invoking a sense of urgency is a common tactic. Keep an eye open for any urgent or threatening language.
- Use Complex Passwords: Passwords that are too short or simple are easy for a cybercriminal to crack. Choose a password that is at least eight to ten characters long and consists of a mix of numbers, special characters, and upper and lowercase letters.
Get tips on selecting a secure password.
- Exercise Caution When Using Public WiFi: Public WiFi networks are convenient, but unfortunately, they are not secure. Anyone can gain access to a public network to compromise your Internet traffic, monitor your activity, and steal your personal information.
- File Taxes from a Secure Website: Before you file a tax return online, ensure that the website’s address begins with https, not http. The extra “s” at the end means that any data sent over that connection is encrypted and cannot be read by hackers. If the website you’re using doesn’t begin with https, then don’t use it to file your tax return.
Remember, the CRA will never do the following:
- send an email asking you to divulge personal or financial information;
- call you and ask for monetary payment right away;
- send any documents or forms unless you specifically requested them.
The only exception is if you call the CRA to request a form or a link for specific information. Then, a CRA agent will forward the information you are requesting to your email during the telephone call.
Don’t be a Victim:
While tax fraud is prevalent this time of year, online and phone scams can happen anytime. Stay vigilant year-round and follow the steps outlined by the Government of Canada to protect yourself from fraud and identity theft.
- National Cyber Security Alliance: https://stopthinkconnect.org/2stepsahead/resources
- Canada Revenue Agency: http://www.cra-arc.gc.ca/scrty/frdprvntn/menu-eng.html
- Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/