Phishing Season Is Here – Do Your Employees Know What To Look For?


Tax season is one of the most active times of the year for cybercriminals – without the right IT security support, your business could be an easy target.

It’s that time of year again – the CRA, tax agencies, and finance professionals across the country are once again urging everyone to be on the look-out for scams as they file this year’s taxes.

The most popular and effective type of cybercrime scam this time of year is phishing. Phone calls are made, and emails are sent to targets that appear to be from reputable sources in order to access and steal sensitive information such as passwords, account details, credit card numbers, social insurance numbers, and more. It doesn’t take as much as you may think for a cybercriminal to convince a target that they are a superior in order to persuade employees to give them money, data, or crucial information.

How Can You Pick Out A Phishing Call Or Email?

Effective IT security often comes down to simply knowing what to look for. The most recent trends and patterns in phishing scams include:

  • Phone calls from a “CRA employee” asking for personal information the agency already has on file.
  • Phone calls that advise that money is owed to the CRA and should be paid immediately using pre-paid credit cards or gift cards.
  • Emails that appear as urgent warnings telling recipients to update their online financial accounts as quickly as possible.
  • Emails that tell recipients to click a hyperlink and download important documents or contracts.
  • Emails that offer a tax refund once that recipient has verified their identity with private information.

In a nutshell? Cybercriminals will do whatever it takes to seem like they’re an official or familiar source. They will research you and your employees on social media, copy a superior’s email signature, scare the employee into action with a false sense of urgency, and more, just to get the recipient to act without thinking. Once the target has divulged private information, clicked a malicious link, or downloaded malware, the cybercriminal has won. This inevitably leads to extensive damage to the business where the recipient works, or to the recipient themselves.

How Can You Keep Your Business Safe?

So what’s the answer? What can the average business professional do to keep themselves and their company safe when criminals are employing sophisticated and sneaky methods designed to get targets to cooperate quickly? Your smartest move would be to educate and test your employees on your business’ IT security best practices and general cybercrime knowledge. Make sure they understand that they need to:

  • Stay Alert: No task is ever so urgent or so important that they can’t take the time to confirm the request first, especially if it involves giving out information or executing a potentially risky task.
  • NEVER Give Out Private Information: Entities like banks, government agencies, and the CRA will never under any circumstances contact anyone to confirm sensitive information. They already have your account numbers, social insurance number, and your passwords. If an email from a superior or external contact asks for that info, it is likely a scam, so always take the time to confirm the request by phone or in person, using contact information from a source other than the suspicious email.
  • Check Before They Click: Hovering your cursor over a link will show you where that link is actually taking you. Often, cybercriminals will send out what looks like the right link (, but when you hover over the link with your mouse, it actually will show something different ( If the two links don’t match up, do not click.
  • Check Up On Unexpected Email Attachments. If an email pops up from a familiar sender with an attachment that you weren’t expecting, call them or send them an email to confirm that they actually sent the file. Be sure to send a new email – if you reply to the suspicious one, you’ll be contacting the hacker, not your colleague.

All of this isn’t to say the security of your business falls entirely on your teams’ shoulders. As a business owner, you need to:

  • Invest In Advance Cybersecurity: Employee awareness may be a key component of good overall security, but that doesn’t make solutions like spam filters and firewalls any less vital. Tools like these can help keep dangerous emails out of your employees’ inboxes in the first place and protect your network from infections and intrusions that can compromise sensitive data and lead to thefts and fraud.
  • Enforce A Strong Password Policy: More often than not, employees choose to stick with passwords that are simple and easy to remember, which leaves them more vulnerable to hackers. Ensure that your staff is using passwords that include letters, numbers, symbols, multiple cases, and are at least 8 – 10 characters in length. Don’t just trust your employees to follow these guidelines; make sure they understand why you’ve put these policies in place, and that there will be consequences if they’re not followed.

Remember – cybercriminals keep going back to the same old tricks because users keep falling for the same scams over and over without ever learning from the experience.

Making mandatory network security education routine for your entire team – management included – has proven again and again to be the most reliable and effective way to stop a phishing attempt.

Don’t wait for another major scam or cyber attack to start making the rounds to decide it’s time to work on your staff’s cybersecurity awareness. The sooner you make scam and fraud awareness part of your company culture, the further ahead of the next phishing attempt your team will be.

Give us a call or email us to learn more about how these scams work, and what expert cybersecurity support can do to ensure you and your staff stay safe this tax season.