Canadian Tax Phishing Is in Season and Old Kits Are Being Refreshed

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The Canadian government has decided to move the tax-filing deadlines for their citizens, as well as to lift any late-submission penalties. The reason for this move is the COVID-19 pandemic, and this is actually something that is happening in many countries right now. In response, the tax phishing actors who have been waiting to act back in April have just started to activate, as the new dates were set between June 1, 2020, and August 31, 2020. That said, Canadian citizens, especially those who expect tax returns and refunds, are advised to be extra careful with email communication.

According to a report by Cyren researchers, the phishing actors are using an old phish kit that has been somewhat refreshed, and which was purpose-built for Canada. The kit was first spotted being circulated in 2018, but since most of the affiliate banks that receive tax refunds in the country remain the same, it still does the trick without the need for a lot of modification work. The package that contains the kit is named “covid.zip,” and it contains various useful (for the actors) files like the index.htm shown below.

canadian_phish_01

Source: Cyren Blog

The goal of the phishing actors is to trick the email recipients into entering their bank account details. Supposedly, the targets are requested to do that to “update their bank details” in order to be ready for the reception of the tax return. If the victims don’t find the timing, or even the very request suspicious, they may end up entering their card CVV, ATM PIN, and even the answers to their security questions. This information is never requested at any other point than the registration, while the ATM PIN is a strictly personal piece of data that no one but the owner should know.

phishing page

Source: Cyren Blog

If clicking an email URL or embedded button in the message leads you to any of the following domains, you are getting phished.

If you want to ensure that your bank has an active status on your account and that you don’t need to do anything like updating your information, visit your bank’s website directly. There, the only thing you’ll need to enter is your username, password, and maybe also answer a security question. If you have already fallen victim to these attacks, contact your bank immediately, reset your credentials, set up new security questions, and activate two-factor authentication if available. Remember, similar highly-targeted campaigns are set up in other countries, too, so the danger is not limited to Canada.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: