Phishing is a cyberattack where criminals impersonate trusted organizations (banks, Microsoft, Amazon, Canada Revenue Agency) via email, SMS, or fake websites to steal passwords, credit card numbers, or install malware. In 2026, phishing is the #1 cause of data breaches. You can spot phishing by checking the sender's email address, hovering over links before clicking, and looking for urgent or threatening language.
What Is Phishing? The Definition
Phishing (pronounced "fishing") is a type of social engineering cyberattack in which criminals disguise themselves as legitimate, trustworthy entities — a bank, the Canada Revenue Agency, Microsoft, Amazon, or even your own employer — to trick you into handing over sensitive information or clicking a malicious link.
The name comes from the fishing analogy: attackers cast wide nets of deceptive messages (bait) hoping victims will "bite." The information they are after includes passwords, credit card numbers, Social Insurance Numbers, banking credentials, or access to corporate systems.
Unlike hacking that exploits software vulnerabilities, phishing exploits human psychology. It works not because your computer has a flaw, but because the message appears completely believable. This is what makes it so dangerous and so prevalent.
How Phishing Works: Bait, Hook, Steal
Every phishing attack follows the same three-stage sequence, regardless of how sophisticated it appears.
The Bait — Crafting a believable message
The attacker creates an email, text message, or web page that convincingly impersonates a brand or person you trust. They copy logos, fonts, and writing styles. They spoof the sender address so it looks like it comes from noreply@amazon.com or support@microsoft.com. The goal is to make you believe the message is completely legitimate.
The Hook — Creating urgency or fear
The message uses psychological pressure to override your critical thinking. Common triggers include: "Your account will be suspended in 24 hours," "Unusual login detected — verify now," "You have a tax refund waiting — claim before April 30," or "Your parcel could not be delivered — update payment." Urgency bypasses skepticism. The more panicked you feel, the less carefully you read.
The Steal — Harvesting your data
You click the link. It opens a website that looks identical to the real one — same layout, same colors, same logo. You enter your username and password. The attacker now has your credentials. Some phishing links also silently download malware the moment you click, without you entering anything at all. Your information is then sold on the dark web, used to access your accounts, or leveraged for further fraud.
Types of Phishing Attacks
Phishing is not one single method. Attackers have refined it into several specialized variants, each targeting different channels and victims.
Email Phishing
The most common type. Mass emails sent to thousands of addresses impersonating banks, tech companies, or government agencies. Broad net, low personalization.
Spear Phishing
Highly targeted attacks directed at a specific individual. The attacker researches your name, employer, and colleagues to craft a convincing personalized message. Hit rate is far higher than generic phishing.
Smishing (SMS)
Phishing delivered via text message. Common examples: fake Canada Post delivery notifications, bank fraud alerts, or CRA refund links sent by SMS.
Vishing (Voice)
Phone-based phishing. Attackers call pretending to be CRA agents, Microsoft support, or your bank's fraud department. They create panic and extract information verbally.
Whaling
Spear phishing aimed specifically at executives (CEOs, CFOs). One successful whaling attack can authorize fraudulent wire transfers of hundreds of thousands of dollars.
Real 2026 Phishing Examples
These are the phishing campaigns most actively targeting Canadians right now. Recognizing their patterns is your best defense.
CRA Tax Season Scam
Subject line: "Important: Your 2025 Tax Refund of $847.00 Is Ready — Claim Now"
The email arrives from an address like refunds@cra-canada-revenue.net (note: not .gc.ca). It displays the CRA logo and a green "Claim Your Refund" button. Clicking it opens a fake CRA login page that harvests your My Account credentials and SIN. The real CRA never contacts you by email to offer refunds — they mail official letters or post notices inside your verified My Account portal.
Microsoft 365 Credential Theft
Subject line: "Action Required: Unusual Sign-In to Your Microsoft Account"
This email mimics a Microsoft security alert perfectly, including the sender address spoofed as account-security-noreply@microsoft.com. The "Review Recent Activity" button leads to a pixel-perfect clone of the Microsoft login page hosted on a domain like microsoft-security-verify.com. Once you log in, the attacker has your Microsoft 365 credentials, giving them access to your email, OneDrive, and potentially your entire organization.
Amazon Order Cancellation Scam
Subject line: "Your Amazon Order #114-7392810 Has Been Cancelled — Verify Payment"
A fake Amazon notification claims your recent order was cancelled due to a payment issue and asks you to update your credit card details. The link leads to an Amazon-lookalike page that captures your card number, expiry date, and CVV. Because most people have active Amazon orders, the hit rate on this type of attack is exceptionally high.
Think You May Have Fallen for a Phishing Scam?
IT Cares performs remote security audits and account recovery across Canada. We assess the damage, secure your accounts, and prevent the next attack.
How to Spot a Phishing Email: 7 Red Flags
No matter how convincing a phishing email looks, it almost always contains at least one of these warning signs. Train yourself to check before you click.
1. The sender's email address does not match the brand
The display name says "Amazon" but the actual address is amazon-alerts@support-notifications.net. Always click or hover on the sender name to reveal the true address. Legitimate companies send from their own verified domains (e.g., @amazon.com, @microsoft.com, @gc.ca for CRA).
2. The link URL does not match the company's real domain
Hover your mouse over any link before clicking. The URL shown at the bottom of your browser (or in a tooltip) is the real destination. Watch for tricks like paypa1.com (the number 1 instead of the letter l), amazon-secure.support.com (here "amazon-secure" is only a subdomain; the registered domain is support.com, which Amazon does not own), or long random strings.
3. Urgent or threatening language
"Act within 24 hours or your account will be permanently deleted." Legitimate companies do not create panic or issue ultimatums via email. If you feel rushed, that is the attack working as designed. Slow down, close the email, and navigate to the real company's website directly.
4. Generic greetings instead of your name
"Dear Customer," "Dear User," or "Dear Account Holder" rather than your actual name. Your bank, Amazon, and Microsoft all know your name and use it in legitimate communications. A generic greeting is a strong signal the message was mass-sent to thousands of addresses.
5. Suspicious attachments
An unexpected invoice, shipping label, or document attachment, especially .zip, .exe, .docm, or .xlsm files. Opening these can install malware immediately, even before you enter any credentials. If you did not request a document, do not open the attachment.
6. Spelling, grammar, or formatting errors
While AI has made phishing emails more polished, many still contain subtle errors: inconsistent fonts, low-resolution logos, awkward phrasing, or incorrect spacing. Compare the email to a real one from the same sender; small inconsistencies become obvious side by side.
7. Requests for information the company already has
Your bank will never ask you to "confirm your full account number and PIN via email." Nor will the CRA ask you to provide your SIN by clicking an email link. Any request to re-enter information a legitimate company already has on file is a definitive phishing signal.
What to Do If You Clicked a Phishing Link
Speed matters. The sooner you act, the more you can limit the damage.
Do not enter any information — close the tab immediately
If you clicked a link and a page opened, close it before typing anything. If you have already entered information, that data may already be captured, so move to Step 2 immediately.
Change your password on the legitimate site
Open a new browser tab and navigate directly to the real company's website: type the address yourself rather than following any link, tab, or bookmark that came from the phishing message. Change your password immediately. Use a unique, strong password of at least 16 characters.
Enable two-factor authentication (2FA)
Even if the attacker has your password, 2FA will block them from logging in without also having your phone. Enable it immediately on the compromised account and any other accounts using the same password.
Run a full malware scan
Some phishing links silently download malware without any visible sign. Download and run Malwarebytes (free version) immediately to detect and remove any infections. Do this even if nothing unusual seems to have happened — many malware variants are designed to be invisible.
Check for unauthorized account activity
Log into your account and review recent logins, transactions, sent emails, and connected apps. Look for anything you did not do. If your email was compromised, check for forwarding rules the attacker may have set up to silently copy all your incoming messages.
Contact your bank if financial information was involved
If you entered credit card numbers, bank account details, or online banking credentials, call your financial institution immediately. Ask them to flag your account for fraud monitoring and, if necessary, issue a new card. Canadian banks have dedicated fraud teams available 24/7.
Report the phishing attempt
Report to the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca or 1-888-495-8501. Forward phishing emails to your email provider (Gmail: report phishing; Outlook: Junk > Phishing). Reporting helps protect other Canadians from the same campaign.
How to Protect Yourself Against Phishing
The best defense is a combination of technical tools and personal habits. Neither alone is sufficient.
Enable Multi-Factor Authentication (MFA) on Everything
MFA is the single most effective protection against phishing. Even if an attacker steals your password through a phishing site, they cannot access your account without the second factor — a code from your authenticator app or a push notification on your phone. Enable MFA on your email, banking, social media, and any work accounts. Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) rather than SMS-based codes where possible, as SMS can be intercepted via SIM swap attacks.
Use a Password Manager
A password manager like Bitwarden (free), 1Password, or Dashlane has a built-in phishing defense most people overlook: it only autofills your credentials on the exact domain where you saved them. If you visit amazon-support-verify.com instead of amazon.com, your password manager will not autofill — giving you an instant red flag that something is wrong. It also generates unique, strong passwords for every site, so a breach on one account never exposes others.
Deploy Email Filtering
Most phishing emails never need to reach your inbox if proper filters are in place. Gmail and Outlook both have built-in phishing detection, but for business use, consider Microsoft Defender for Office 365 or Google Workspace's Advanced Phishing and Malware Protection. These tools use AI to analyze links, attachments, and sender reputation in real time before the email appears in your inbox.
Verify Requests Through a Separate Channel
If you receive an unexpected email from your bank, your employer, or any service asking you to take urgent action — verify it through a completely separate channel. Call the company's published phone number (found on their official website or on your card), log into your account directly by typing the URL, or contact the supposed sender by phone. Never click a link in a suspicious email to "verify" whether it is real.
Keep Software Updated
Phishing links sometimes deliver malware that exploits unpatched vulnerabilities in your browser, operating system, or plugins. Keeping Windows, macOS, Chrome, and Office fully updated closes the security gaps attackers rely on. Enable automatic updates wherever possible.
Worried Your Account Was Compromised?
IT Cares does security audits and account recovery remotely across Canada. We identify what was accessed, secure your accounts, and set up protections to prevent the next attack. Starting from $59.
Frequently Asked Questions
What is the difference between spam and phishing?
Spam is bulk unsolicited advertising, annoying but typically harmless. Phishing is a targeted fraud attack designed to steal your credentials or financial data, or to install malware. Spam wants to sell you something; phishing wants to steal from you. Phishing emails are carefully crafted to look like messages from trusted organizations, whereas spam is usually generic mass mail with no attempt at impersonation.
Can phishing happen over the phone?
Yes. Voice phishing is called vishing. Attackers call pretending to be from the Canada Revenue Agency, Microsoft support, your bank, or immigration authorities. They create urgency ("your account will be suspended" or "you owe back taxes and will be arrested") to pressure you into revealing personal information or making payments. The CRA will never call you threatening immediate arrest, and Microsoft will never call you about a virus on your computer unless you contacted them first.
What should I do if I clicked a phishing link?
Act immediately: (1) Do not enter any information on the page that opened. (2) Disconnect from Wi-Fi if you suspect malware was downloaded. (3) Change your password on the real site right now, navigating there directly by typing the address. (4) Enable two-factor authentication on that account. (5) Check for unauthorized logins in your account activity. (6) Run a full antivirus scan with Malwarebytes. (7) If you entered payment details, call your bank's fraud line immediately.
How do businesses protect themselves against phishing?
Modern organizations use several layers of defense: email gateways that scan for malicious links and attachments, DMARC/DKIM/SPF email authentication to block spoofed sender addresses, AI-based behavioral analysis to flag unusual email patterns, regular security awareness training so employees recognize attempts, and endpoint detection tools that alert on suspicious web activity. Small businesses can deploy Microsoft Defender for Office 365 or Google Workspace's Advanced Protection for affordable coverage.
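The SPF and DMARC authentication mentioned in this answer is published as DNS TXT records on the sending domain, and a common gap is a record that exists but tells receivers to do nothing with failures. The following is an added example and not part of the original article: a small Python checker that parses an SPF and a DMARC record and lists the settings under which a spoofed message claiming the domain would still be delivered, with a weak configuration shown beside a corrected one. The record strings, the example.com placeholder and the _spf.google.com include are constructed for illustration; DKIM is left out because its record is a signing key rather than a policy.

```python
# Added example, not from the original article: flag weak SPF and DMARC records.
# The records below are constructed; example.com is a placeholder domain.

WEAK_SPF = "v=spf1 include:_spf.google.com"        # no "all" term: unlisted senders are never failed
WEAK_DMARC = "v=DMARC1; p=none"                     # monitor only: spoofed mail is still delivered
FIXED_SPF = "v=spf1 include:_spf.google.com -all"   # hard-fail anything not listed
FIXED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on its "all" term
    ("-" hard fail, "~" soft fail, "?" neutral, "+" pass, None if absent)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        qualifier = None
    elif all_term[0] in "+-~?":
        qualifier = all_term[0]
    else:
        qualifier = "+"  # an unqualified mechanism defaults to pass
    return {"mechanisms": [t for t in terms[1:] if t != all_term], "all": qualifier}


def parse_dmarc(record: str) -> dict:
    """Turn "v=DMARC1; p=reject; rua=mailto:..." into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return the reasons a spoofed message claiming this domain could still reach
    an inbox. An empty list means receivers are told to reject such mail."""
    issues = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        issues.append("SPF does not fail unlisted senders (no -all or ~all term)")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        issues.append("DMARC p=none: failures are reported but the mail is still delivered")
    elif policy == "quarantine":
        issues.append("DMARC p=quarantine: spoofed mail goes to junk instead of being rejected")
    if int(dmarc.get("pct", "100")) < 100:
        issues.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail")
    if "rua" not in dmarc:
        issues.append("no rua= address: nobody receives reports of who is spoofing the domain")
    return issues


if __name__ == "__main__":
    print("weak:", assess(WEAK_SPF, WEAK_DMARC))
    print("fixed:", assess(FIXED_SPF, FIXED_DMARC))
```

The weak pair produces three findings and the corrected pair none. A soft-fail `~all` is deliberately not flagged: once DMARC is at p=reject, receivers act on the DMARC verdict, and many deployments keep `~all` so that SPF alone never bounces mail from a forgotten sender.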
Is phishing illegal in Canada?
Yes. Phishing violates multiple Canadian laws including the Criminal Code (fraud, identity theft, unauthorized computer access), Canada's Anti-Spam Legislation (CASL), and PIPEDA privacy regulations. Penalties can include up to 14 years imprisonment for fraud over $5,000. CRA impersonation scams are specifically prosecuted under section 380 of the Criminal Code. Report phishing to the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca or by calling 1-888-495-8501.
Comments
I received a CRA email last week claiming I had a refund of $1,200 waiting. It looked completely official — the logo, the formatting, everything. I almost clicked the link before a colleague warned me. This article explains exactly what I was dealing with. The tip about hovering over the link to see the real URL is what saved me. The actual destination was clearly not a .gc.ca address. Sharing this with my entire team.
I did click on a Microsoft phishing link and entered my work password before I realized what happened. Called IT Cares and they connected remotely within 20 minutes. They changed the password, checked my account for unauthorized access, found a forwarding rule the attacker had set up within minutes of getting my credentials, and removed it. They also set up MFA properly across all my accounts. I was panicking — they were calm and thorough. Could not have asked for better service.