« Weaving Tangled Webs | Main | Sending Spam to Myself »

November 18, 2008

The U.S. Internal Revenue Service isn't the only taxing authority to be abused by scammers (here, here, and here). The Canadian equivalent, the Canada Revenue Agency, is also on scammers' hit lists.

Here's one I saw today:

From: security@cra-arc.gc.ca
Subject: Canadian Revenue Agency - Online Refund Form

Canada Revenue Agency
Online Refund Form
 

After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 386.00.

Please submit the tax refund and allow us 3-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here>>
 
Copyright Canada Revenue Agency. All rights reserved. www.cra-arc.gc.ca

Astute Canadian recipients would be suspicious with the Subject: line, which refers to the agency as "Canadian," rather than the start of its official name, "Canada." The body of the message gets it right.

The link, of course, was not to the agency, but to a domain originally registered through EstDomains (ugh) by a person claiming to be in Russia.

Although the site was quickly taken down, the template obviously exists for repeat transmissions of this phishing spam when they set up the site elsewhere. While the CRA may, indeed, find that a citizen is due a refund, the announcement won't come in the way of an email message with absolutely no reference to the recipient's name as it appears on the tax return. For what it's worth, in the U.S., the IRS simply mails you a check or direct deposits a refund before you're even aware that you were due the refund. There is no form to fill out to claim your refund. They have all—and I mean all—necessary personal identity information without you having to supply an ounce of data in some stupid form.