Phishing Scams in Canada
Canadian phishing attacks target CRA, Service Canada, Canada Post, and major banks — with tax season and CERB-related campaigns among the highest-volume attacks reported to the Canadian Anti-Fraud Centre.
Part of: Phishing
Last reviewed: 1 June 2026
Canada experiences significant phishing activity concentrated around its major government services — the Canada Revenue Agency (CRA), Service Canada's Employment Insurance and CPP systems, and Canada Post. The pandemic period saw a sharp increase in CERB and CRA benefit phishing that subsequently transitioned into general CRA impersonation fraud.
Canada's bilingual population means phishing campaigns run in both English and French, with French-language campaigns targeting Quebec often using more locally specific CRA and Revenu Québec branding.
How this scam works on Canada
CRA phishing peaks in February–April (RRSP contribution season and T4 filing) and claims either that the recipient has a refund available or owes an outstanding balance. The linked page collects CRA My Account credentials or direct banking information.
Canada Post phishing follows the same pattern seen in the UK and Australia — small customs or redelivery fee requests — but uses Canada Post branding specifically and targets Canadian postal codes.
Service Canada phishing campaigns impersonate EI and CPP payment notifications, claiming that payment is ready but account details must be confirmed to process the deposit.
Common red flags
- CRA email or text claiming a refund is available and requires bank details
- Canada Post SMS about a delivery held for a customs or redelivery fee
- Service Canada message about a payment requiring account confirmation
- Any government message with a link asking for SIN number or banking details
- Email with CRA letterhead and a link — the CRA uses My Account for digital communication, not links in emails
How to protect yourself
- Access CRA only through My Account at canada.ca/my-cra-account — never via email or text links
- Report suspicious CRA communications to 1-800-959-8281 or the CRA phishing line
- Forward phishing SMS to 7726
- Report to the Canadian Anti-Fraud Centre at antifraudcentre.ca
- Enable multi-factor authentication on CRA My Account
How to report it
- Report to the Canadian Anti-Fraud Centre at antifraudcentre.ca or 1-888-495-8501
- Report CRA impersonation to the CRA directly
- Contact your bank immediately if financial details were entered
Frequently asked questions
How do I verify whether a CRA or Canada Post message is real?
The CRA does not send emails or texts with links asking you to 'claim' a refund or pay a debt via e-transfer, gift cards, or crypto, and it will never threaten immediate arrest. Canada Post redelivery issues are handled through canadapost-postescanada.ca directly, not a link in an unsolicited text. When in doubt, go to the official site directly rather than clicking a link.
Where do I report phishing scams in Canada?
Report phishing and fraud to the Canadian Anti-Fraud Centre (CAFC), which tracks scam patterns nationally including CRA and Canada Post impersonation. Also report suspicious texts to your mobile carrier and contact your bank immediately if any financial information was compromised. These reports help build the picture authorities use to warn others, even when individual recovery isn't guaranteed.
What should I do if I clicked a fake CERB or tax-related link?
Contact your bank immediately if you entered any banking or card details, and change your CRA My Account password if you used those credentials on the fake page. Report the incident to the Canadian Anti-Fraud Centre. Monitor your CRA account and bank statements closely for any unusual activity in the following weeks.
Does the CRA ever email links to claim a refund?
No. The CRA communicates through My Account and postal mail. They do not send emails with links to claim refunds or with links requiring you to enter banking information. Any such email is phishing — do not click any links and report to the CRA.