Malware and Phish Alert - Canada Revenue Agency

Threat Level: High
Threat Type: Phishing / Malware
Advisory Date: 07/13/2023

Description

There is currently an email message circulating, received by multiple users, with the subject "Track your Tax Refund." or similar. The message appears to be from "Canada Revenue Agency", with the address "tax.contact@cra.ca". The message reports that you are eligible to receive a tax refund.

This message is not legitimate. Do not click on the link or enter credentials. The message appears as:

From: Canada Revenue Agency <tax.contact@cra.ca>
Subject: Track your Tax refund.
To: username@uregina.ca

Canada Revenue Agency

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund.

Please track your refund.
Continue to Sign-In Partner [link to external website not run by CRA].
My Account allows you to track your refund, view or change your return, check your benefit and credit payments, view your RRSP limit, set up direct deposit, receive online mail, and so much more.

© Copyright 2017, Canada Revenue Agency

Impact

The link provided in the email attempts two separate attack vectors.

1.  The website attempts to infect any visitor with malware.  Malware is a catch-all term for various malicious software, including viruses, adware, spyware, browser hijacking software, and fake security software.

Once installed on your computer, these programs can seriously affect your privacy and your computer's security.  In this case, the website will attempt to infect your workstation with MAL/HTMLGen-A.

2.  Redirects you to a fraudulent CRA Portal which requests credentials. Phishers use many different tactics to lure you, including email and web sites that resemble well-known, trusted institutions. A common phishing practice involves spamming recipients with a fake message under the name of a trusted institution. The purpose of this fake message is to trick you into providing personal information, such as user name and password.

Most of these messages were marked as spam, but several reached end user inboxes.
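
For mail administrators looking for copies that reached inboxes, the indicators described above can be checked against raw messages. This is an added example, not part of the original advisory; the CRA domain list and both sample messages (including the refund-portal.example link) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators quoted in the advisory.
SUBJECT_RE = re.compile(r"track\s+your\s+tax\s+refund", re.I)
DISPLAY_NAME = "canada revenue agency"
SENDER = "tax.contact@cra.ca"
# Assumption: domains treated as genuine CRA web properties; adjust locally.
CRA_DOMAINS = ("canada.ca", "cra-arc.gc.ca")
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def _is_cra_host(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CRA_DOMAINS)

def match_indicators(raw):
    """Return the advisory indicators matched by a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    claims_cra = name.strip().lower() == DISPLAY_NAME
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    if claims_cra:
        hits.append("display_name")
    if addr.lower() == SENDER:
        hits.append("sender")
    body = ""
    for part in msg.walk():  # gather every text/* part, plain or HTML
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(body)}
    # A message claiming to be CRA whose link leaves CRA's domains.
    if claims_cra and any(not _is_cra_host(h) for h in hosts):
        hits.append("offsite_link")
    return hits

# Constructed samples: one modelled on the advisory's message, one benign.
SAMPLE_PHISH = (
    "From: Canada Revenue Agency <tax.contact@cra.ca>\n"
    "Subject: Track your Tax refund.\nTo: username@uregina.ca\n\n"
    "Continue to Sign-In Partner http://refund-portal.example/login\n"
)
SAMPLE_OK = (
    "From: Notices <notices@example.org>\nSubject: Due date reminder\n\n"
    "See https://www.canada.ca/ for details.\n"
)
```

Any single hit is worth a look; a message matching several indicators is almost certainly part of this campaign.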

Resolution

If you received this message, please delete it immediately if you have not already done so. This message did NOT come from CRA.  If you inadvertently clicked a link and entered your credentials, please change your password right away to something you have not used recently:
  • Go to the Information Services homepage at http://www.uregina.ca/is and click "Change Password" in the Quicklinks on the right side.
  • Additionally, if malware protection is not installed, is not up to date, or is not running, it is recommended that you ensure a malware scan has been completed.

Resources

See the Phishing Resources page.

See the Malware Resources page.

See CRA's fraud protection page.

See Canadian Anti-Fraud Centre's Tax Scams page.

Please contact the IT Support Centre if you require assistance:

Phone 306-585-4685
Email IT.Support@uregina.ca
Webform http://www.uregina.ca/is/forms/ticket.html

In person at ED 137 or Archer Library Main Floor Commons