Every February, something predictable happens across Canada. Millions of people start thinking about taxes. And thousands of criminals start thinking about those people.
Tax season is the single most productive window of the year for phishing attacks. The Canadian Anti-Fraud Centre reported that Canadians lost $704 million to fraud in 2025 — and authorities estimate that only 5% to 10% of fraud actually gets reported. The real number is likely several billion dollars.
For small businesses in Surrey, Langley, and the Lower Mainland, the risk is compounding. You’re not just a potential victim as a taxpayer. You’re a target as an employer, a payer of invoices, and a custodian of employee and client data. Attackers know this, and they’ve built their playbook around it.
Why Tax Season Is Different
Phishing works best when it rides an existing expectation. And between February and April, every Canadian expects to receive tax documents, CRA correspondence, and financial paperwork. That expectation is the exploit.
The Ontario Provincial Police issued a warning in March 2026 about a surge in CRA-themed scams — fake emails, deceptive text messages, and impersonation phone calls designed to steal personal and financial information. The OPP isn’t issuing that warning because these attacks are rare. They’re issuing it because they work.
Here’s what makes tax season phishing particularly dangerous for businesses: the attacks don’t just target the owner. They target anyone who touches money or data — your bookkeeper, your office manager, your payroll administrator. One employee clicking one link can open the door to everything.
The Three Attacks Hitting BC Businesses Right Now
1. Fake T4 and Payroll Emails
This is the corporate version of the CRA refund scam, and it’s more sophisticated.
An employee in your office receives an email that appears to come from your payroll provider or accounting software. The subject line reads something like “2025 Employee Tax Documents Ready” or “Updated T4 Slips — Action Required.” The email contains an attachment or a link to download what looks like a tax document.
On March 19, 2026, Microsoft Threat Intelligence published a report documenting a campaign that sent tax-themed phishing emails to approximately 100 organizations in manufacturing, retail, and healthcare. The emails used the subject line “2025 Employee Tax Docs” and contained a Word document attachment with a QR code pointing to a credential-harvesting page. Each document was customized with the recipient’s name, and the phishing URL contained their email address — meaning every employee received a unique, personalized attack.
This isn’t spray-and-pray anymore. It’s precision targeting at scale.
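One defensive check that follows from the per-recipient links described above, as an added example that is not part of the Microsoft report or any vendor's product: flag any link that carries the recipient's own address, whether plain, percent-encoded or base64-encoded. It assumes the links have already been extracted from the message, attachment or decoded QR code; the addresses and URLs are constructed samples.

```python
import base64
import binascii
import re
from urllib.parse import unquote

def decoded_forms(url):
    """Yield the URL percent-decoded, plus any base64-looking tokens decoded."""
    plain = unquote(url)
    yield plain
    for token in re.split(r"[/?&=#]", plain):
        if len(token) < 8:
            continue  # too short to hold an e-mail address
        try:
            padded = token + "=" * (-len(token) % 4)
            raw = base64.urlsafe_b64decode(padded)
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing hidden here
        yield raw.decode("utf-8", errors="ignore")

def embeds_recipient(url, recipient):
    """True if the recipient's address appears in the URL in any decoded form."""
    needle = recipient.strip().lower()
    return any(needle in form.lower() for form in decoded_forms(url))

def flag_links(links, recipient):
    """Return the links that carry the recipient's own address."""
    return [u for u in links if embeds_recipient(u, recipient)]

# Constructed sample data, not taken from the campaign.
RECIPIENT = "jane.doe@example.com"
B64_ID = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_LINKS = [
    "https://docs.example.net/t4?user=jane.doe%40example.com",
    "https://docs.example.net/t4/" + B64_ID,
    "https://payroll.example.org/login",
]

if __name__ == "__main__":
    for link in flag_links(SAMPLE_LINKS, RECIPIENT):
        print("recipient address embedded in link:", link)
```

Legitimate services sometimes put the recipient's address in unsubscribe or sign-in links too, so a hit is a reason to look closer rather than proof of phishing.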
2. The CEO Payroll Request
This one is a classic business email compromise (BEC) attack, and tax season gives it a perfect cover story.
Your payroll administrator receives an email that appears to come from the owner or a senior manager. The message is short and urgent: “Can you send me copies of all employee T4s? Need them for the accountant before end of day.” The email address looks right. The tone sounds right. The request makes sense — it’s tax season, after all.
The FBI has identified this type of BEC attack as one of the most financially damaging cybercrime categories affecting organizations. BEC attacks increased 171% in 2025, with an average loss per incident exceeding $160,000 before recovery. In Canada specifically, the average BEC loss was $21,000 — lower than the global average, but devastating for a 15-person company in Langley.
The employee sends the T4s. Now the attacker has every employee’s full name, address, social insurance number, and income. That’s enough to file fraudulent tax returns, open credit accounts, and sell the data on dark web marketplaces.
3. CRA Impersonation — The Business Version
Most people think of CRA scams as those robocalls threatening arrest. Those still exist, but the business-targeted version is more subtle.
A business owner receives an email or text that looks like it’s from the CRA, stating there’s an issue with the company’s GST/HST remittance, payroll deductions, or corporate tax filing. The message includes a link to “resolve the issue” before penalties are applied. The fake CRA portal looks convincing. The business owner enters their credentials. The attacker now has access to the real CRA account — or worse, the login credentials the owner reuses across other systems.
The CRA itself published a warning in 2026 about AI-generated tax scams, noting that generative AI has become “the most prevalent type of AI used in relation to tax scams and fraud.” The old tells — broken English, fuzzy logos, clumsy formatting — are disappearing. AI produces clean, professional-looking fraud.
The AI Problem Is Getting Worse
A year ago, we wrote about AI-powered attacks in Canada’s 2025 Cyber Threat Assessment. Since then, the problem has accelerated exactly as predicted.
The Government of Canada’s October 2025 report on financial fraud stated that “artificial intelligence is making the problem worse by allowing fraudsters to produce more convincing impersonations, fake communications, and deceptive marketing tactics.”
For tax season specifically, that means:
- Phishing emails that read like your accountant wrote them. AI can match tone, use correct terminology, and reference real deadlines. The days of spotting a scam by its grammar are over.
- Voice cloning on phone calls. An attacker can clone someone’s voice from a few seconds of audio — a LinkedIn video, a voicemail greeting, a podcast appearance. Imagine your bookkeeper getting a call that sounds exactly like you, asking them to wire a tax payment.
- Fake CRA portals that are pixel-perfect. AI can generate professional-looking websites in minutes. The phishing page your employee lands on may be indistinguishable from the real My CRA login.
A 2025 Insurance Bureau of Canada survey found that 72% of Canadian small business owners are concerned that AI and new technology will complicate cyber protection — up from 65% the previous year. They’re right to be concerned. But concern without action doesn’t stop an attack.
The Numbers That Should Keep Business Owners Up at Night
Here’s where things stand for Canadian small businesses heading into the 2026 tax season:
- 73% of Canadian small businesses have already experienced a cybersecurity incident (BDC).
- Only 22% of Canadian SMEs carry any form of cyber insurance. Just 12% have a standalone policy (IBC, 2025).
- Only 48% have implemented any form of cyber defense (IBC, 2025).
- Only 45% have policies and training to help employees spot AI-generated scams (IBC, 2025).
- Canadian businesses spent $1.2 billion on recovery from cyber incidents in 2023 — double the $600 million spent in 2021 (Statistics Canada).
Read those numbers together. Nearly three-quarters of small businesses have been hit. Fewer than half have any defenses. Fewer than a quarter have insurance. And the attacks are getting smarter every month.
Tax season just concentrates all of this into a six-week window where everyone is distracted, stressed, and dealing with legitimate financial paperwork that looks a lot like the fraudulent kind.
What Your Business Should Do Before April 30
You don’t need a six-figure security budget. You need a few specific things done right, done now.
1. Brief your team — specifically about tax season scams.
This isn’t generic cybersecurity training. This is a 15-minute conversation with anyone who handles payroll, finances, or sensitive documents. Tell them what to watch for:
- Any email requesting T4s, tax documents, or employee information — even if it appears to come from you.
- Any “CRA” communication that includes a link or requests login credentials.
- Any request involving urgency and money during tax season.
Establish a simple rule: any request involving tax documents, money transfers, or sensitive data gets verified by phone before anyone acts on it. Not by replying to the email. By picking up the phone and calling the person directly using a number you already have.
2. Lock down your payroll and accounting access.
Who in your organization can access employee T4s, social insurance numbers, and banking information? That list should be as short as possible. Every person on that list should have multi-factor authentication enabled. No exceptions.
If your payroll system allows it, set up alerts for bulk downloads or exports of employee tax documents. If someone downloads all your T4s at once, you want to know about it immediately.
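If your payroll system only offers an audit log rather than built-in alerts, the bulk-download rule can be run over that log. The following is an added example, not any payroll vendor's feature: the log format, action names, user names and thresholds are hypothetical, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log; the "time user action employee" format is hypothetical.
SAMPLE_LOG = """\
2026-03-02T09:00:00 bookkeeper export_t4 E001
2026-03-02T14:30:00 bookkeeper export_t4 E002
2026-03-03T23:05:00 office.mgr view_t4 E001
2026-03-03T23:05:10 office.mgr export_t4 E001
2026-03-03T23:05:20 office.mgr export_t4 E002
2026-03-03T23:05:30 office.mgr export_t4 E003
2026-03-03T23:05:40 office.mgr export_t4 E004
2026-03-03T23:05:50 office.mgr export_t4 E005
2026-03-03T23:06:00 office.mgr export_t4 E006
"""

def parse(log_text):
    """Turn each log line into (time, user, action, employee_id)."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, employee = line.split()
        events.append((datetime.fromisoformat(ts), user, action, employee))
    return events

def bulk_export_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per user when their T4 exports cover `threshold`
    distinct employees inside a sliding `window`."""
    recent = defaultdict(deque)  # user -> (time, employee_id) inside the window
    alerted, alerts = set(), []
    for ts, user, action, employee in sorted(events):
        if action != "export_t4":
            continue
        queue = recent[user]
        queue.append((ts, employee))
        while ts - queue[0][0] > window:
            queue.popleft()  # drop exports that fell out of the window
        distinct = len({emp for _, emp in queue})
        if distinct >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, distinct))
    return alerts

if __name__ == "__main__":
    for user, ts, count in bulk_export_alerts(parse(SAMPLE_LOG)):
        print(f"ALERT {ts.isoformat()} {user} exported T4s for {count} employees")
```

Counting distinct employees rather than raw export events keeps a user who re-downloads the same slip from tripping the alert.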
3. Turn on multi-factor authentication everywhere.
If you’ve been putting this off, tax season is your deadline. MFA on your email. MFA on your CRA My Business Account. MFA on your accounting software. MFA on your payroll platform.
The Microsoft campaign we mentioned earlier specifically targeted credential theft. If those stolen credentials are protected by MFA, the attacker’s phishing page gets them a username and password that don’t work without the second factor. That’s the difference between a close call and a catastrophe.
4. Verify the CRA’s communication channels.
The CRA will never:
- Send refunds via e-transfer or text message.
- Ask for your social insurance number by email or phone.
- Request banking details through email.
- Threaten arrest or deportation.
- Demand payment via cryptocurrency, gift cards, or prepaid credit cards.
Print that list. Put it next to the phone. Make sure every employee who answers calls or reads company email has seen it.
5. Check your CRA My Business Account directly.
If you receive any communication claiming to be from the CRA, don’t click the link. Open a browser, type canada.ca yourself, and log into your account directly. If there’s a real issue, it will be there. If it’s not there, the communication was a scam.
This one habit neutralizes the vast majority of CRA impersonation attacks.
The Insurance Gap
Here’s a number that deserves its own section: 78% of Canadian small businesses have no cyber insurance at all.
That means if a phishing attack during tax season leads to a data breach — employee SINs stolen, client records exposed, ransomware deployed — most small businesses are paying for the response, the recovery, the legal fees, and the regulatory penalties entirely out of pocket.
Under PIPEDA, if employee personal information (like the data on a T4) is disclosed through a phishing attack, businesses may be required to report the breach to the Privacy Commissioner and notify affected individuals. In British Columbia, PIPA imposes additional obligations.
Cyber insurance doesn’t prevent attacks. But it can be the difference between a business surviving a breach and shutting its doors. If you don’t have a policy, get quotes before tax season ends. Many insurers will require basic security measures — like MFA and endpoint protection — as a condition of coverage. Those requirements aren’t arbitrary. They’re the minimum.
The Real Cost Isn’t the Ransom
When people think about cybercrime costs, they think about ransom payments. The actual financial damage is broader and quieter.
A successful phishing attack on your business during tax season might cost you:
- Direct financial loss from fraudulent wire transfers or misdirected payments.
- Employee trust when their personal information is compromised because your systems weren’t secure.
- Client trust if the breach extends to client data.
- Regulatory costs from mandatory breach reporting under PIPEDA and PIPA.
- Recovery costs. Canadian businesses spent $1.2 billion on cyber incident recovery in 2023. For a small business, even a fraction of that is existential.
- Operational downtime while systems are investigated, cleaned, and restored.
The average BEC loss in Canada is $21,000. That’s the average. For some businesses, a single incident costs far more — and for a company with 10 to 20 employees, $21,000 is a brutal hit to absorb in a single event.
This Is a Seasonal Problem With a Year-Round Fix
Tax season scams peak between February and April, but the defenses that protect you during this window protect you all year. MFA doesn’t expire in May. Employee awareness doesn’t become irrelevant in June. Proper access controls on your payroll system don’t stop mattering after the filing deadline.
The businesses that get through tax season without incident aren’t the ones who panicked in March. They’re the ones who built basic security into their operations months ago and maintain it consistently.
That said, if you haven’t done those things yet, today is better than tomorrow. And tomorrow is better than the day after your bookkeeper clicks a link in a fake T4 email.
How Raxxos Protects Lower Mainland Businesses
At Raxxos, we manage IT and cybersecurity for small businesses across Surrey, Langley, and the Greater Vancouver area. During tax season, we see these attacks hit our clients’ inboxes every single day. The difference is that our clients have the defenses in place to stop them.
Here’s what that looks like in practice:
- Email Security and Phishing Protection: Advanced filtering that catches fraudulent tax emails, CRA impersonation attempts, and BEC attacks before they reach your employees.
- Multi-Factor Authentication Setup: We configure MFA across your email, accounting software, payroll platform, and CRA accounts — and we make sure it actually stays turned on.
- Employee Security Awareness Training: Ongoing training that includes simulated phishing attacks so your team learns to recognize the real thing. We update the training scenarios for tax season every year.
- Endpoint Protection: If someone does click a malicious link, endpoint detection catches the malware before it spreads.
- 24/7 Monitoring: We monitor your systems around the clock. If something suspicious happens at 11 PM on a Tuesday, we catch it before your team arrives Wednesday morning.
- Incident Response: If something does get through, we have a response plan ready. Containment, investigation, recovery — all handled so you can focus on running your business.
We respond to support requests in an average of under 15 minutes. Our office is in Cloverdale, on the Surrey/Langley border, which means we can be on-site fast when you need us. And we price everything on a flat monthly rate per user — no surprise bills, no per-incident charges that punish you for calling when something looks wrong.
If your business doesn’t have these basics in place and tax season is making you nervous, we offer a free 30-minute IT consultation to assess where you stand. No obligation, no pitch. Just an honest look at your setup and what needs attention.
Book your free consultation or call us at (604) 260-6869.
Further Reading
- CRA: How to Recognize a Scam
- Canadian Anti-Fraud Centre — report fraud or check current scam alerts
- Canada’s 2025 Cyber Threat Report: What BC Small Businesses Need to Know
- Free Employee AI Usage Policy Template
- Restaurant Cybersecurity Guide for Lower Mainland Operators
- CRA: What You Need to Know About AI-Generated Tax Scams
Published: March 2026. For the most current scam alerts, visit CRA Scams and Fraud or contact the Canadian Anti-Fraud Centre at 1-888-495-8501.