Don't click that link!

The rise of online tax scams has one expert concerned as tax season approaches and online scammers pump out eerily convincing emails.

"I'm concerned because we haven't really seen this level of quality from the criminals in the past," cybersecurity expert Chester Wisniewski told CTVNews.ca in a phone interview on Friday.

Wisniewski says within the last decade, scams pretending to originate from the Canada Revenue Agency (CRA) or involving what looks like an official Interac e-Transfer email have become extremely sophisticated, as the network of criminals creating these scams continues to grow.

He says international scammers have made it a point to even follow Canadian spelling in their emails to make it more believable to Canadians, making it more difficult to find the warning signs of a phishing scam.

"There's no longer the telltale signs that most people look for that something's wrong. They don't look amateur, they don't have spelling errors or grammatical problems," he said.

Phishing email

Those behind phishing and spear phishing scams either pretend to be a generic, known business or organization, or they act as a targeted business that an individual has current ties to; like the banking institution they use on a daily basis. According to the , 9,000 phishing and spear phishing scams were reported to the CAFC in 2021, amassing $54 million in victim losses.

Wisniewski says these scams have evolved from small groups of criminals to entire networks where criminals can buy and sell their services to send and create these fake emails. He explains a job in this marketplace could look like a personal being hired to create a bank's logo and write the email in the main language of the country being targeted. It could also involve hiring a person to rent out a computer, which is then used to send out phishing scams to the most victims as possible.

"The people that do each job in the criminal ecosystem have got very, very good at it and that's increasing the success rate of the criminals being able to steal larger amounts of money," he said.

STAYING PROTECTED, ESPECIALLY AMID CORPORATE HACKS

it will never demand immediate payment or send a link with your refund amount online, and it will only contact individuals to notify them of a new message, followed by directions to go to their CRA portal.

Wisniewski says because the CRA will only approach individuals online for message notifications, it can be easier to detect fraudulent activity from scammers pretending to be the CRA. However, he says, he's concerned with emails from scammers pretending to be banking institutions or targeted businesses, especially after recent cybersecurity attacks.

Indigo was recently affected by a cyberattack that impacted the bookstore chain's website and electronic payment system. While it's still unknown if customer data was impacted, Wisniewski explains similar cyberattacks that gain access to customers' personal data could make email scams more believable.

Phishing email

"We do see them impersonate name brands after these big hacks, where they now know all these people have a Marriott Rewards number or they know that people have an Indigo account," he said.

"As a result, this lends more credibility to something you're used to interacting with."

Ultimately, Canadians need to be on alert for suspicious and unsolicited as scammers get a head start on tax season, Wisniewski said.

He recommends not clicking any links for payments you're not expecting, or if you're being sent an email from the CRA, go directly to your CRA account, rather than clicking any links, to see if the message is in fact authentic.

"I would expect that we will not only continue to see them, we'll likely see more of them, in more frequency, as we get closer to tax day," he said. 

Canadians can file their 2022 taxes starting Feb. 20, 2023 and the deadline for most Canadians is April 30, 2023.