CRA "Tax Refund" Scam Canada (2026): how the phishing attack works and how to spot it

Why CRA impersonation is Canada's largest government scam

Between February and the end of April, the entire Canadian adult population is, for several weeks, actively thinking about taxes. Roughly 31 million Canadians file a return every year. That collective attention is exactly the cognitive backdrop scammers want, because any CRA-shaped message arriving during that window plausibly maps onto a real concern the recipient already has. The Canadian Anti-Fraud Centre (CAFC), run jointly by the RCMP, the Ontario Provincial Police, and the Competition Bureau, tracks fraud loss by category, and CRA impersonation has been the largest single government-fraud line item every year since 2018.

The 2024 CAFC public statistics show more than $50 million in confirmed losses from CRA-impersonation fraud, across roughly 38,000 reports. The CAFC itself estimates that only 5 to 10 per cent of fraud is ever reported, which puts the realistic Canada-wide loss closer to $500 million to $1 billion per year from CRA scams alone. Service Canada, the CRA, the RCMP, and provincial cybercrime units have all issued repeated public warnings since at least 2018, and the volume keeps growing because the operational cost of running the scam is close to zero and the conversion rate is high enough to keep paying.

Filing season is also followed by a second vulnerability window. Canadians who already filed are waiting on refunds. Canadians who owe are anxious about their balance. Both groups click any CRA-looking message that promises resolution. The volume spikes around the April 30 filing deadline, persists through the GST/HST credit and Climate Action Incentive Payment cycles in July and October, and runs at a lower steady baseline year-round.

How CRA refund phishing actually works (the three delivery channels)

The same underlying scam is delivered through three different channels, each tuned to a different victim profile. Recognising the channel matters because the giveaways differ.

Channel 1: SMS text refund

The most common channel. A text arrives, often from a 1-833 or 1-844 number or a short code, with wording such as: "CRA: You are eligible for a tax refund of $428.50. Click to claim within 24 hours: cra-refund.ca/claim/8x2j." The dollar amount is small enough to feel like a plausible real refund (not a suspiciously round number like $5,000) and specific enough to feel official. The 24-hour deadline creates urgency. The link leads to a fake page styled like canada.ca that harvests Social Insurance Number, date of birth, banking details, and often a driver's licence upload.

Channel 2: Email refund or GST/HST credit notice

The email channel targets desktop users and is usually styled to mimic the canada.ca visual identity: the Government of Canada wordmark, the red maple-leaf header, the CRA logo, and the standard Adobe Caslon Pro footer text. Subject lines: "Your CRA Refund Notification 2026," "Important: GST/HST credit recalculation," "Climate Action Incentive Payment Eligibility Review." The body claims the recipient is owed money and includes a "Claim Refund" button that links to a lookalike domain. Some variants include a fake PDF attachment with the CRA letterhead that opens a credential-harvesting page when clicked.

Channel 3: Aggressive arrest-threat voicemail (the Bitcoin variant)

This is the variant responsible for most of the $50M+ in 2024 losses, because the average loss per victim is much higher than the SMS or email variants. A pre-recorded voicemail, often using a Canadian English or sometimes a thickly-accented robotic voice, leaves a message such as: "This is the Canada Revenue Agency. A criminal fraud investigation has been opened in your name for tax evasion. A warrant has been issued for your arrest. To avoid immediate arrest by the RCMP, return this call at 1-XXX-XXX-XXXX and resolve the outstanding amount by Bitcoin transfer or Interac e-Transfer to the CRA settlement officer." When the victim calls back, a human operator (usually working from a call centre overseas) walks them through buying Bitcoin at a crypto ATM, gift cards at a pharmacy, or sending an Interac e-Transfer to a "settlement account." Losses per victim routinely run $5,000 to $50,000 and have been documented above $200,000 in some CAFC cases.

The CRA explicitly addresses this variant on the official canada.ca/en/revenue-agency/corporate/scams-fraud.html page: "The CRA will never threaten you with arrest or a prison sentence. The CRA will never ask for payment by Interac e-Transfer, bitcoin, prepaid credit cards, or gift cards from retailers such as iTunes, Amazon, or others." If the caller mentions any of those, the call is a scam by definition.

Common templates in active rotation 2026

The exact wording rotates, but the underlying templates are stable. If your incoming message matches one of these, treat it as a scam by default and do not engage.

Template 1: The $428.50 refund

"CRA: Your 2025 tax assessment shows an overpayment of $428.50 CAD. To deposit your refund, confirm your banking information within 24 hours: [lookalike link]." The amount varies (often $387, $428, $612, $897 to feel calculated rather than round), but the structure is identical: small amount, short deadline, click to claim. The page asks for SIN, date of birth, full address, financial institution, transit number, account number, and sometimes a driver's licence image upload framed as "identity verification under the Canadian Anti-Money Laundering Act."

Template 2: Fraud investigation, send Bitcoin

"This is Officer [Random Name] with the CRA criminal investigations division. An arrest warrant has been issued against you for tax fraud. Failure to resolve within 2 hours will result in RCMP officers attending your residence. Settlement may be made by Bitcoin or Interac e-Transfer to the case officer." Aggressive, fear-driven, designed for elderly Canadians and newer immigrants who may be less familiar with Canadian due process. The real CRA never threatens immediate arrest, never works with the RCMP on individual collections in this manner, and never accepts Bitcoin or e-Transfer.

Template 3: GST/HST credit recalculation

"Government of Canada: Your GST/HST credit has been recalculated. You are owed an additional payment of $312.74 CAD. Confirm your direct deposit details to receive payment within 3 business days: [lookalike link]." Targets lower-income Canadians who legitimately receive quarterly GST/HST credit payments and would consider an extra payment plausible. The real GST/HST credit is paid automatically on the schedule published at canada.ca, deposited to the account already on file, and never requires re-verification.

Template 4: Fake Climate Action Incentive Payment

"Canada Revenue Agency: Your Climate Action Incentive Payment (CAIP) of $245.00 is ready for deposit. Update your banking information to receive payment: [lookalike link]." The CAIP (now branded as the Canada Carbon Rebate) is a real quarterly payment for residents of provinces under the federal carbon pricing system. Because most eligible Canadians have actually received CAIP or CCR payments in the past, the fake version feels familiar. Real CAIP payments are automatic for anyone who has filed a tax return; no banking update is ever required outside CRA My Account.

Template 5: Identity verification under "new CRA security measures"

"Canada Revenue Agency Security Notice: Suspicious activity detected on your account. Verify your identity within 48 hours to avoid account suspension: [lookalike link]." This variant inverts the user's relationship to the threat. The user is told the protective action is to click; in reality, clicking is the attack. The page harvests the SIN and full identity profile, which the scammer then uses to attempt to actually access the victim's real CRA My Account or to file a fraudulent return under their SIN.

Template 6: COVID-era CERB or CRB "overpayment" repayment scam

"CRA: A review of your 2021 CERB benefits shows an overpayment of $2,847. To avoid garnishment of wages, resolve immediately: [lookalike link]." Recycled pandemic-era bait. Some Canadians did receive legitimate CERB or CRB repayment notices and consider the message plausible. Real CERB/CRB repayment notices are mailed on paper letterhead, give months of due process, and are payable through CRA My Account or by cheque to the Receiver General for Canada, never via a clickable link.

Lookalike CRA domains in 2026 rotation

The real CRA web property is canada.ca/en/revenue-agency. Real CRA online services live at canada.ca/cra-my-account and my-cra.gc.ca. The .gc.ca and canada.ca domains are both restricted to the Government of Canada and cannot be registered by scammers. Phishing destinations therefore land on lookalike domains, on free hosting providers, or on shortener chains.

Pattern 1: CRA or Canada keyword on a non-government TLD

Any URL that contains "cra," "canada-revenue," "canada," "gc," or "tax-canada" but is NOT on the .gc.ca or canada.ca domain is a scam. Examples in active 2026 rotation:

• cra-refund[.]ca
• canada-revenue[.]online
• gov-tax-canada[.]net
• cra-canada-refund[.]com
• my-cra-refund[.]ca
• canada-gst-credit[.]com
• cra-gc[.]online
• climate-rebate-canada[.]ca

Note that .ca is a Canadian country-code TLD available to anyone with a Canadian address or business presence, so it is NOT a sign of government legitimacy on its own. Real Government of Canada domains end in .gc.ca or are subdomains of canada.ca. Plain .ca is a regular consumer TLD that scammers register every day.

Pattern 2: CRA on free hosting providers

• cra-refund[.]vercel[.]app
• canada-cra[.]netlify[.]app
• cra-verify[.]pages[.]dev
• cra-canada[.]github[.]io
• gst-credit-ca[.]web[.]app

Free hosting platforms (Vercel, Netlify, Cloudflare Pages, GitHub Pages, Firebase Hosting) take minutes to provision and provide automatic HTTPS. Attackers push the fake page and start sending texts within an hour. The hosting provider typically removes reported phishing within 4 to 24 hours, but the campaign already ran during that window.

Pattern 3: "gc" or "canada" embedded as a subdomain on a private TLD

• cra[.]gc-canada[.]com
• my-account[.]canada-gc[.]net
• cra[.]canada[.]gov-services[.]com
• refund[.]gc-ca[.]online

The trick: put "gc" or "canada" somewhere in the URL, but not as the real TLD. On a phone the URL bar truncates, so the relevant part (the actual TLD on the right) is hidden until you scroll. The real TLD is the rightmost label before the first single forward slash, so in cra.gc-canada.com/login the actual TLD is .com and the domain owner is gc-canada.com, a private registration.

Pattern 4: URL shorteners hiding the destination

• bit.ly/cra-refund-2026
• tinyurl.com/cra-claim
• t.ly/CRArefund
• rebrand.ly/canada-tax

Shorteners hide the real destination until you click. SMS previews on iOS and Android do not unwrap shortener chains. Hovering on a phone is impractical. The click itself is the attack.

How real CRA communication actually works

The simplest defence is knowing what genuine CRA contact looks like. Memorise these facts (all of them are published on the official canada.ca/en/revenue-agency/corporate/scams-fraud.html page):

• The CRA never asks you to claim a refund by clicking a link. Real refunds are deposited automatically to the bank account already on file in CRA My Account, or mailed as a paper cheque to your address of record. No link, no claim form, no time limit.
• The CRA never demands payment by Interac e-Transfer, Bitcoin or other cryptocurrency, prepaid credit cards, or gift cards. Real CRA payments are made through CRA My Account, online banking via your financial institution's CRA bill-payment payee, by cheque to the Receiver General for Canada, or in person at any Canadian financial institution. Any other payment method is a scam.
• The CRA never threatens immediate arrest, deportation, or RCMP officers attending your residence. Real CRA collections involve months of due process, multiple written notices, formal appeal rights under the Income Tax Act, and Tax Court proceedings before any enforcement action.
• The CRA does not use email or text to communicate sensitive personal or financial information. Sensitive correspondence arrives by mail at the address you have registered with the CRA. The CRA may occasionally send a generic email or text saying "a new message is available in your CRA My Account," but it will never include the message content, banking links, or refund details directly.
• The CRA does not ask for your SIN, credit card number, banking password, or driver's licence by phone, email, or text. Identity verification happens inside CRA My Account once you have logged in by your own action.
• Real CRA call-display can be spoofed. Even if your phone display shows "Canada Revenue Agency" or a 1-800 number that looks legitimate, the call itself can be a scam. Hang up and call CRA back at the official numbers listed on canada.ca to verify.

How to verify a suspicious CRA message in 10 seconds

You do not need to memorise every URL pattern. Use this short routine on any CRA-shaped message:

1. Do not click the link, do not call the number in the message. Both the link and the callback number are attacker-controlled. Treat the entire message as inert and unverified.
2. Open a fresh browser tab and type canada.ca/cra-my-account directly. Do not search "CRA" in Google or Bing; search results can include scam ads at the top that look like sponsored official listings. Type the address. Bookmark it for future use.
3. Sign in to CRA My Account. If there is a real refund, a real GST/HST credit adjustment, a real CCR payment, or a real notice, it will appear in your account messages. If your "approved refund" is real, the amount and deposit date will be visible. If the account shows nothing matching the text or email, the message is fake by definition.
4. For specific notice or balance questions, call the CRA at the verified numbers published on canada.ca. CRA Individual tax enquiries: 1-800-959-8281. CRA Benefits enquiries: 1-800-387-1193. CRA Business enquiries: 1-800-959-5525. Look those numbers up on canada.ca itself; never trust a phone number provided in the suspicious message.
5. Report the phishing attempt. Forward suspicious emails to the CAFC reporting tool at antifraudcentre-centreantifraude.ca or call the CAFC at 1-888-495-8501. Report to the CRA directly at canada.ca/en/revenue-agency/corporate/scams-fraud/report-scams-fraud.html. Forward suspicious SMS to 7726 (the universal SMS spam shortcode that works on all Canadian carriers including Bell, Rogers, Telus, Freedom, and Videotron).

If you want a second opinion on a specific link, paste it into the SafeBrowz URL checker. The checker unwraps URL shorteners, checks domain age (most CRA phishing destinations are less than 30 days old), runs the URL through community blacklists, and returns a verdict in a few seconds. No login required.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

• Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures (including the Canada Revenue Agency, Service Canada, and Government of Canada wordmarks, with Cyrillic and Punycode homograph variants) plus community whitelist and blacklist, all running directly inside the extension before the page renders. Catches the cra-refund.{tld}, canada-revenue.{tld}, gov-tax-canada.{tld}, and my-cra.{free-host} pattern families instantly.
• Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus a curated list of high-risk TLDs and free-hosting providers. URL shorteners are unwrapped server-side so the verdict runs against the real destination rather than the shortener interstitial.
• Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds. If a page renders the Government of Canada wordmark, the red maple leaf header, the CRA logo, or text such as "Canada Revenue Agency refund verification" on a domain that is not canada.ca or *.gc.ca, the page is flagged as government impersonation. The same layer catches Service Canada, IRCC, ESDC, and provincial government phishing in the same way.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.

What to do if you already clicked or entered information

If you clicked the link and the page opened, but you did not enter anything, you are probably fine. The page itself usually cannot install malware unless you also downloaded something. Close the tab, clear browser cookies for that domain, and move on. If you were prompted to download a file (a fake PDF "CRA refund form" is common), do not run it. If you already ran it, treat the device as compromised, disconnect from the internet, and run a full antivirus scan.

If you entered your Social Insurance Number:

• Place a credit freeze (also called a credit lock) with both Canadian credit bureaus. Equifax Canada offers a credit lock via the myEquifax dashboard, and a fraud alert by calling 1-800-465-7166. TransUnion Canada offers a fraud alert via 1-800-663-9980 or through the myTransUnion online portal. Both bureaus offer the fraud-alert step free; certain lock/freeze tiers may be subscription-based.
• Call Service Canada at 1-866-274-6627 to report a compromised SIN. Service Canada will flag your SIN file. Note: Canada does not normally reissue SINs, so the SIN itself is not replaced; instead, the file is monitored for fraudulent use.
• Sign in to CRA My Account and change your password. Enable multi-factor authentication. Review the "Authorised representatives" section and remove anyone you do not recognise.
• Contact the CRA's individual income tax enquiries line at 1-800-959-8281 to flag potential identity-theft activity on your CRA file. The CRA can apply additional review to any tax return filed under your SIN.
• File a report at antifraudcentre.ca or call the CAFC at 1-888-495-8501. The CAFC feeds reports to the RCMP, OPP, and provincial cybercrime units.
• Consider filing a report with your local police if a material financial loss has already occurred.

If you entered banking information (transit, institution, account number):

• Call your bank's fraud line immediately. The number is on the back of your debit card or on your most recent statement; do not search for it online because fake "bank support" listings exist.
• The bank will usually freeze or close the compromised account and open a new one with fresh numbers. PADs (pre-authorised debits) take longer to dispute than card fraud, so speed matters.
• Monitor the account daily for at least 90 days for unauthorised debits, including small "test" debits that scammers use to verify the account is live.

If you entered credit card or Interac e-Transfer information:

• Call your card issuer's 24/7 fraud line (number on the back of the card). Cancel and reissue the card on the same call. Most Canadian issuers can add the replacement card to Apple Pay or Google Pay digitally on the spot so you can pay urgent bills while the physical card ships.
• Review transaction history for unauthorised charges and dispute anything suspicious. Canadian credit cards are governed by zero-liability protection for fraudulent transactions reported promptly.
• If you actually sent an Interac e-Transfer to the scammer, call your bank immediately. e-Transfers are reversible only if the recipient has not yet accepted the transfer. Once accepted, they are effectively irrecoverable.

If you sent Bitcoin or other cryptocurrency:

• Crypto transactions are not reversible. The funds are gone the moment the transaction confirms on chain.
• Report immediately to the CAFC at 1-888-495-8501 and to your local police. CAFC and the RCMP Integrated Cybercrime Unit occasionally recover crypto from exchange-held wallets if the scammer cashes out through a regulated exchange, but recovery is rare.
• If you bought the crypto at a Bitcoin ATM, report the ATM operator and the specific machine to the CAFC. Multiple ATM operators in Canada (now regulated by FINTRAC) cooperate with law enforcement on confirmed fraud reports.

Finally, sign in to CRA My Account in the weeks ahead and check for any tax return filed under your SIN that you did not file yourself. If one appears, contact the CRA Individual tax enquiries line at 1-800-959-8281 and request an identity-theft review of your file.

Why CRA phishing keeps working in Canada

The scam works because of three specific psychological levers, not because Canadian victims are careless.

Lever 1: Authority of the federal government. Canadians are conditioned from childhood to respond promptly to anything that looks federal. The CRA has the authority to garnish wages, levy bank accounts, and place liens on property under the Income Tax Act. That conditioning becomes a liability when scammers wear the CRA mask; victims react before they evaluate, exactly the response the scam needs.

Lever 2: Refund anticipation during March and April. The variants that promise a refund have a pre-built positive expectation working in their favour. The user already wants the refund to be real. A message confirming it feels like welcome news rather than a suspicious solicitation. Confirmation bias does most of the scammer's work.

Lever 3: New Canadians and language barriers. Canada admits roughly 500,000 new permanent residents per year, plus several hundred thousand international students and temporary workers. Many newcomers are unfamiliar with how Canadian government agencies actually communicate, and may not know that the CRA never asks for payment by Bitcoin. The aggressive arrest-threat variant is specifically tuned to this audience; CAFC data consistently shows newcomers and elderly Canadians as the two most over-represented victim groups.

Protection guide for Canadian taxpayers in 2026

A short checklist for individuals and families:

• Register for CRA My Account and enable multi-factor authentication. Real CRA messages live there; if you check the account and there is no matching message, the external text or email is fake by definition.
• Bookmark canada.ca/cra-my-account in your browser. Always navigate to CRA services from your own bookmark rather than from links in messages or search engine results.
• Add the CRA phone numbers to your contacts: Individual enquiries 1-800-959-8281, Benefits enquiries 1-800-387-1193. If you receive a suspicious call, hang up and dial back from your own contacts list.
• Educate elderly relatives and newcomers in the family. The arrest-threat voicemail variant disproportionately targets these groups. One conversation about "the CRA never asks for Bitcoin or gift cards" can prevent a five-figure loss.
• Install a phishing-detection browser extension such as SafeBrowz on every device used to access banking or CRA services. The extension blocks the destination page even if a family member taps a phishing link, so the credential harvest never happens.
• Forward suspicious SMS to 7726. All Canadian wireless carriers support this. Reports feed national anti-spam intelligence.
• Set up a quarterly check-in on your Equifax Canada and TransUnion Canada free credit reports. Catching unauthorised credit applications early is the single most effective recovery action.

Block CRA phishing destinations automatically

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects CRA, Service Canada, IRCC, provincial government, and other Canadian government-impersonation phishing the moment the page loads. The core protection is free forever. Premium adds unlimited daily AI scans and wallet-drainer JavaScript detection for $14.99 CAD per year, or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. No install is required to check a single link; the free public URL checker handles one-off cases.

Frequently asked questions

Does the CRA ever send tax refund notifications by text or email?

No. The Canada Revenue Agency does not send refund notifications, payment requests, banking-update prompts, or identity-verification links by text message or email. The CRA may occasionally send a generic notice saying "a new message is available in your CRA My Account," but it will never contain the message content, refund amounts, banking links, or claim deadlines directly in the email or SMS. Refunds are deposited automatically to the bank account on file in CRA My Account, or mailed as a paper cheque. Any CRA-themed text or email asking you to click a link to claim a refund is phishing.

What does the CRA actually never do? (the official list)

Per the official scam-prevention page at canada.ca/en/revenue-agency/corporate/scams-fraud.html, the CRA never: threatens immediate arrest or police involvement, demands payment by Interac e-Transfer, Bitcoin or other cryptocurrency, prepaid credit cards, or gift cards, asks for personal or financial information by text or email, sends messages with links asking for banking or credit card information, uses aggressive language or pressure tactics, or schedules a meeting with you in a public place to take payment.

How do I report a CRA scam in Canada?

Report to the Canadian Anti-Fraud Centre (CAFC) at 1-888-495-8501 or via the online form at antifraudcentre-centreantifraude.ca. Report directly to the CRA at canada.ca/en/revenue-agency/corporate/scams-fraud/report-scams-fraud.html. Forward suspicious SMS messages to 7726 on any Canadian carrier (Bell, Rogers, Telus, Freedom, Videotron, Koodo, Fido, Virgin Plus, Public Mobile, Lucky Mobile). If you experienced financial loss, also file a report with your local police service. Reports feed RCMP, OPP, and provincial cybercrime intelligence and may help shut down active campaigns.

Will the CRA call me about an arrest warrant?

No. The CRA does not issue arrest warrants and does not coordinate immediate arrests with the RCMP over phone calls for individual taxpayers. Real CRA collections involve months of written notices, formal appeal rights under the Income Tax Act, and Tax Court of Canada proceedings before any enforcement. Any phone call or voicemail threatening immediate arrest, deportation, or RCMP officers attending your residence is a scam, regardless of what number the call display shows. Hang up. Call the CRA back at 1-800-959-8281 from your own contacts list to verify.

Can the CRA ask for payment by Bitcoin, e-Transfer, or gift cards?

No, under any circumstances. The official scam-prevention page at canada.ca explicitly states the CRA will never accept Bitcoin or other cryptocurrency, will never accept Interac e-Transfer, and will never accept prepaid credit cards or gift cards from retailers such as iTunes, Amazon, Google Play, Steam, or similar. Real CRA payments are made through CRA My Account, online banking via your financial institution's CRA bill-payment payee, by cheque to the Receiver General for Canada, or in person at any Canadian financial institution. Any other payment method demanded by phone, text, or email is a scam by definition.

I gave my SIN to a fake CRA site. What now?

Call Service Canada at 1-866-274-6627 to report a compromised SIN. Place a fraud alert with Equifax Canada (1-800-465-7166) and TransUnion Canada (1-800-663-9980); both offer the alert free. Sign in to CRA My Account and change your password, enable multi-factor authentication, and remove any unrecognised authorised representatives. Call the CRA at 1-800-959-8281 to flag identity-theft activity on your tax file. Report the incident to the CAFC at 1-888-495-8501. Monitor your credit reports for unauthorised applications and consider a paid credit-lock service for the next 12 months. Note that Canada does not normally reissue SINs; the compromised SIN is flagged and monitored rather than replaced.

Are .ca domains automatically safe because they are Canadian?

No. The .ca country-code TLD is available to anyone with a Canadian address, business presence, or eligible residency tie under the CIRA registration policy. Scammers register .ca domains every day, including domains specifically designed to impersonate the CRA such as cra-refund.ca and my-cra-refund.ca. Real Government of Canada domains end in .gc.ca or are subdomains of canada.ca. Plain .ca is a regular consumer TLD with no government association.

Can SafeBrowz block CRA phishing pages?

Yes. The SafeBrowz browser extension runs a three-layer check on every page you visit. Layer 1 is local pattern detection that catches CRA, Canada Revenue, gc-canada, and government-impersonation lookalikes on suspicious TLDs and free hosting providers, running offline inside the extension. Layer 2 queries community blacklists, Google Safe Browsing, PhishTank, and URLhaus, and unwraps URL shorteners so the verdict runs against the real destination. Layer 3 (Premium) runs an AI content scan that detects the Government of Canada wordmark, the red maple-leaf header, and CRA-impersonation copy in over 100 languages, including bilingual French and English phishing pages targeting Canadian taxpayers. The free public URL checker at safebrowz.com/url-check runs the same engine without requiring install; paste any suspect link and get a verdict in seconds.