Canadian income tax filing deadlines are coming up (April 30), and COVID-19 continues to interrupt everyday life. Unfortunately, remote working arrangements and government relief programs are becoming targets for scammers to steal personal information and money. One particular scam related to financial firms and tax preparers is especially problematic, so be on the lookout if you’re a business providing these services or a customer of one of them.
We’ve got all the details you need to know about this type of scam and some basic steps you can take to protect yourself or your business.
Scammers are attempting to intercept emails that contain a Social Insurance Number (SIN) and then use the SIN to fraudulently apply for money from federal or provincial COVID assistance programs. Since people are doing more business remotely, like using email to send important tax documents to their accountants, tax preparers, or financial advisors, these businesses are explicitly targeted.
Email is not a secure method of sending information; if an email is intercepted in transit or the recipient’s email account is compromised, all data may be stolen.
Reports of this scam come from a variety of sources, which means the overall impact may be more significant but challenging to piece together. Some individuals saw unexpected money transfers into their accounts if they set up direct debit with the Canada Revenue Agency (CRA). Others have received notice of accounts created on credit monitoring service Credit Karma, which would allow a scammer to monitor activity related to the stolen SIN.
In all situations, it appears individuals either responded to a fake email that appeared to be from their financial adviser or may have provided information in response to a fraudulent email sent from a compromised account belonging to their financial adviser. If an attacker can gain access to an inbox belonging to your business, they can easily send messages and monitor the inbox for responses! Scammers will often take steps to cover their tracks, such as sending messages with a different reply-to address to redirect the response and avoid suspicion.
These attacks rely on social engineering, which manipulates an individual into disclosing information they otherwise would or should not. Attackers may use methods like a similar-sounding email domain to make a request for personal information seem legitimate. For example, email@example.com and firstname.lastname@example.org look deceptively similar — and for that matter, the “1” could be a stylized part of a logo or other branding, so we’re accustomed to unusual spellings like that. However, if Bob is a scammer, he can trick people into replying with documents that contain their SIN, then apply for COVID relief.
Social engineering is pernicious and relies on creating a believable or urgent pretext. In this case, the stressful situation of a global pandemic coupled with modifications we’ve made to routine tasks, like doing everything virtually instead of taking a box of papers down to an accountant’s office, is being exploited by scammers.
Taking advantage of stressed-out people in an unfamiliar situation is a hallmark of social engineering.
The most important takeaway for both individuals and businesses is this — never send sensitive, personal information via email. It’s not a secure communication method. Information like SIN, credit card details, medical information, etc., should always be communicated in a more secure way like a secure website, postal mail, or even a phone call.
As an individual, you should never respond to a request to share information like this via email, and as a business, you shouldn’t ask customers to email you these details. It seems obvious, but it sadly happens all the time.
Other steps you can take to protect yourself or your customers (if you’re a business) include:
Be alert for suspicious emails, especially if they ask for sensitive info or present a dramatic or urgent situation. Example: “Please reply within 2 hours; otherwise, your tax bill will be delinquent!”
Enable MFA (Multi-factor Authentication) anywhere and everywhere it’s supported, including your email provider and government sites like Canada Revenue Agency (CRA).
Verify requests for information or unusual emails by calling the sender to double-check.
Be vigilant for suspicious activity in your inbox, especially messages that you didn’t open being marked read and archived. Attackers who’ve compromised an inbox will often try to cover their tracks.
For more ways to stay vigilant about cybersecurity, be sure to download the Coalition Cybersecurity Checklist, sign up for Coalition’s security webinars, and check out our blog for more current events, tips, and explainers.