• Home
  • /Learn
  • /Common Tax Phishing Schemes in 2023 and Beyond
background image


Common Tax Phishing Schemes in 2023 and Beyond


Are you aware of the most common tax phishing schemes in 2023 and beyond?

With a 61% increase in tax phishing schemes being recorded in 2022 (and 2023's statistics being close behind), it's never been more crucial for you and your organization to keep on top of cybersecurity-related employee awareness training.

Firstly, What is Tax Phishing?

Phishing is generally carried out through unsolicited emails, phone calls, texts, or websites that lure victims into providing personal and financial tax information. Tax-related scams commonly include anti-tax law, home-based business, trust, and off-shore schemes.

Today, our ethical hackers outline several different types of tax scams you should be aware of in 2023 and beyond (and how to avoid them):

#1: Email Phishing

Email phishing scams are tricky because they often seem to come from credible sources. The first red flag is that they ask you to enter personal information: the problem is that the website collecting the information is fake.

These websites are often from banks, credit card companies, online retailers, or government agencies. Sometimes these websites look almost identical to the legitimate ones, so it can be challenging to decipher the crime. Government agencies like the CRA do not ask for personal information by email.

Do not open links from untrusted sources.

#2: Phone Phishing

By now, most of us have been on the receiving end of a call from the “Canadian Revenue Agency” about an apparent urgent matter regarding the state of our taxes. The purpose of these calls is to trick the victim into providing sensitive information, like credit card numbers and even social insurance numbers that could later be used for malicious activities without the owner’s consent.

While these calls may seem scary and convincing if you do receive one, know that government agencies would never contact you by phone. It is better to approach every unknown call cautiously than to blindly provide personal information.

If you receive a call, step away from the call for a moment and consider the following:

  • Is the call from an unknown or random local phone number?

  • Is there a way you could reach them later?

  • Is the caller demanding information with a sense of urgency?

  • Is the call threatening – for example, are they saying that you could end up in jail if you do not oblige?

These four points are key indicators that you may be being targeted by a phone phishing scheme.

#3: SMS Phishing

"Smishing" is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals...especially regarding taxes.

The term “smishing” is a combination of “SMS”—or “short message service,” the technology behind text messages—and “phishing". Via smishing, scammers may pretend to be police officers, IRS representatives, or other government officials. These smishing texts often claim the victim owes a fine or must act to claim a government benefit.

For example, at the height of the COVID-19 pandemic, the Federal Trade Commission (FTC) warned of smishing attacks that offered tax relief options. When victims followed the links embedded in these texts, threat actors stole the victims' social security numbers and other information they could use to commit identity theft. 

Basic Anti-Phishing Strategies to Implement ASAP

Here are some other tips to protect yourself and your information, on and offline:

  • Never provide personal information to untrusted sources via the Internet, email, or phone

  • Be suspicious if you are ever asked to pay taxes or fees to the CRA on lottery or sweepstakes winnings. You do not have to pay taxes or fees on these winnings

  • Keep your passwords, access codes, and PINs secret and change them regularly when you can

  • Avoid using easily guessable passwords

  • Choose who you file your taxes with carefully. They are also the target of scammers. Always review your return

  • Only contribute to registered charities. You can verify charities on the CRA website: cra.gc.ca/charities

  • Be cautious before you click on any email links from untrusted sources

  • Use caller ID but don’t rely on it. Scammers can edit this information

  • Protect your social insurance number

  • Shred unwanted documents and make sure that documents with your name and sin are secure

  • Immediately report lost or stolen credit or debit cards


At Packetlabs, protecting your information is what we do. With an exceptionally trained team and a robust testing methodology, we go beyond checkboxes to understand your unique cybersecurity needs.

Download our free Phishing for Initial Access webinar recording to learn more about how to protect yourself and your organization from tax-related scams year-long.

Have Questions? Need a Quote?

Contact our team today to see how we can help improve your security posture. Get a no-obligation quote and a copy of our sample report to help you get started.