The Canada Revenue Agency (CRA) is warning Canadians to be on high alert as scammers continue to circulate fraudulent text messages claiming recipients are entitled to government refunds or e-transfers.
Authorities say the scam is spreading across Ontario and other parts of Canada, exploiting people’s hopes of receiving money from the government. The messages typically claim that the CRA has sent a tax refund or e-transfer worth hundreds of dollars and urge recipients to click a link to access the funds.
Cybersecurity experts warn that these messages are designed to manipulate people into revealing personal and financial information. The tactic, commonly known as “smishing” (SMS phishing), uses psychological pressure and the promise of easy money to lure victims into clicking malicious links.
According to the CRA, there is only one circumstance under which the agency will send a text message. The CRA will send text messages solely for the purpose of delivering a multi-factor authentication (MFA) security code when taxpayers are accessing CRA online services. The agency does not send text messages about tax refunds, benefit payments, outstanding balances, or requests for personal information.
Many scam messages instruct recipients to reply with the letter “Y” to unlock an encrypted link or activate the refund process. Others ask users to select their financial institution before funds can supposedly be deposited. Security experts caution that replying to such messages is just as dangerous as clicking the link itself.
Modern smartphones often disable links received from unknown numbers as a security measure. When a recipient replies to a message, even with a single character such as “Y” or “N,” the device may treat the sender as a trusted contact, enabling the links and weakening built-in protections. Additionally, responding confirms to scammers that the phone number is active, making the individual more likely to be targeted in future fraud attempts.
If a victim clicks the fraudulent link, they may be redirected to a fake website that closely resembles a legitimate government or banking portal. There, scammers attempt to steal banking credentials, passwords, credit card details, and other sensitive information. In some cases, the websites may install malicious software capable of monitoring online activity, stealing files, and compromising entire devices.
The CRA reminds Canadians that it will never send refunds through Interac e-transfer and will never demand payment through cryptocurrency, prepaid credit cards, gift cards, or similar methods. Legitimate CRA representatives will also never threaten arrest, deportation, imprisonment, or use aggressive language to pressure taxpayers into making immediate payments.
The agency further emphasizes that it will never request personal or financial information through text messages, voicemail, email, Facebook Messenger, WhatsApp, or other instant messaging platforms.
Canadians who receive suspicious messages are encouraged to delete them immediately without clicking any links or responding. Anyone who believes they may have been targeted or victimized by a scam should contact their financial institution, local police service, and the Canadian Anti-Fraud Centre as soon as possible.
As online fraud becomes increasingly sophisticated, officials advise Canadians to verify all communications directly through official government channels and to remain cautious of any unexpected message involving money, refunds, or urgent requests for personal information. In the digital age, a few moments of caution can prevent significant financial and personal losses.