How to Spot Phishing Scams in 2026: Red Flags - tech-insider.org
Emma Roy
June 5, 2026
Key takeaways
The old advice to look for typos no longer works. AI now writes phishing messages in flawless English and French, with correct logos and a believable tone, so the reliable tells in 2026 are an unexpected request, manufactured urgency, and a sender or link address that does not match the real organisation.
Verify on a second channel before you act. If a message claims to be your bank, the CRA, or a courier, do not use the number or link it provides. Hang up, close the message, and reach the organisation yourself through its official app, a typed web address, or the number on the back of your card.
The CRA never sends e-Transfers, and never texts or emails a link to claim a refund. Interac e-Transfer is not a payment method the CRA uses, so any message offering a tax refund or benefit by e-Transfer is a scam, full stop.
Phishing has spread well beyond email. Smishing by text, vishing by phone with AI-cloned voices, and quishing through tampered QR codes are all rising fast in Canada, and each one is engineered to make you rush past your own judgement.
If you are caught, speed limits the damage. Change the exposed password immediately, call your bank’s fraud line, report to the Canadian Anti-Fraud Centre, and place a fraud alert with Equifax and TransUnion. Acting within hours, not days, is what stops a single slip from becoming months of cleanup.
Phishing used to be easy to laugh off. The misspelled prince, the email from a bank you do not use, the link that screamed fake. That era is over. In 2026 the messages arriving in Canadian inboxes and on Canadian phones are polished, personalised, and timed to land exactly when you are likely to believe them, the week your tax refund is due or the afternoon you are expecting a parcel. The Canadian Anti-Fraud Centre logged more than 112,000 fraud reports and over 704 million dollars in losses in 2025, and it openly estimates that only 5 to 10 percent of fraud is ever reported, so the real figure dwarfs that. Phishing, the act of tricking you into handing over a password, a code, or money, sits underneath a huge share of it. This guide explains how the scams actually work now, the red flags that still hold up when the spelling no longer gives anything away, and the specific shape these attacks take in Canada, from CRA refund texts to fake Interac e-Transfer notices. It also walks through exactly what to do in the first hour if you realise you have been caught. If you want to harden your accounts at the same time, our guide to setting up two-factor authentication is the natural companion piece.
What phishing actually is in 2026
Phishing is social engineering with a digital delivery. At its core it is a con: the attacker pretends to be someone you trust, a bank, a government agency, a courier, an employer, even a family member, and manufactures a reason for you to do something you would not normally do. That something is almost always one of three actions: click a link to a fake login page, hand over a code or password directly, or send money. The technology around it has changed enormously in a decade, but the psychology has not. It still works by borrowing authority and adding pressure.
What has changed is the quality and the reach. Generative AI has stripped away the clumsy grammar that used to betray a scam, so a phishing email now reads like it came from a real communications team, often in fluent English and French to match a Canadian audience. The same tools personalise at scale, pulling your name, your city, or a recent purchase from a data breach to make the message feel addressed to you specifically. And phishing is no longer confined to email. It arrives by text message, by phone call, through QR codes, in messaging apps, and inside social media notifications, which is why understanding the underlying trick matters more than memorising the signs of any single channel.
It helps to hold one idea firmly: phishing succeeds by getting you to react rather than think. Every design choice in a phishing message, the countdown, the threat of a suspended account, the small dollar figure that feels too trivial to question, exists to push you into acting before your slower, more skeptical brain catches up. Once you internalise that the whole game is about rushing you, the single most powerful defence becomes obvious, and it is not technical. It is the decision to slow down and verify before you do anything a message tells you to do.
Why the old advice stopped working
For twenty years the standard guidance was to watch for bad spelling, broken grammar, and ugly formatting. That advice is now actively dangerous, because it trains people to trust any message that looks clean, and clean is exactly what modern phishing is. Security researchers reporting through 2025 and 2026 describe attackers using the same large language models the rest of us use, producing messages with accurate branding, natural phrasing, and no tells of the kind people were taught to spot. A polished email is no longer evidence of legitimacy. If anything, the absence of errors should prompt the same scrutiny as their presence once did.
The other casualty is the idea that you can judge a message by how professional it feels. Attackers now clone entire websites pixel for pixel, register lookalike domains, and copy the exact wording of a real bank or government notice. They buy or generate logos, spoof sender names so the display reads Canada Revenue Agency or your bank’s name, and even replicate the tone and signature of internal company emails. The surface is no longer where the truth lives. Two things still betray a phishing attempt reliably, and both sit underneath the polish: the actual address a message comes from or links to, and whether the request itself makes sense.
This is why the reliable red flags in 2026 are behavioural and contextual rather than cosmetic. Was the message unexpected? Does it create urgency or fear? Does it ask you to confirm credentials, move money, or act outside normal channels? Does the real sender address, revealed by tapping or hovering on the name, match the organisation it claims to be? Those questions survive the AI upgrade because no amount of polish can change the fact that a legitimate bank does not text you a login link, and a real courier does not need your card details to redeliver a parcel. The rest of this guide is built around questions like these.
The five channels: email, SMS, voice, QR, and apps
Phishing is best understood by its delivery channel, because each one carries a different feel and exploits a different blind spot. Email phishing is the original and still the most common, used for everything from fake invoices to spoofed login alerts. SMS phishing, known as smishing, has grown explosively because a text feels personal and urgent, the screen is small enough to hide a suspicious link, and people are conditioned to tap fast. Voice phishing, or vishing, uses a phone call to apply pressure in real time, and in 2026 it increasingly features AI-cloned voices that can imitate a bank agent’s cadence or even a relative.
Two newer channels round out the picture. QR-code phishing, sometimes called quishing, hides a malicious link inside a printed or on-screen QR code, exploiting the fact that you cannot read a web address with your eyes before your camera opens it. Reports through 2025 describe QR phishing rising several times over, with scammers placing fake QR stickers over genuine ones on parking meters, restaurant menus, and posters. Finally, app and platform phishing arrives inside the services you already trust, a direct message on a social network, a fake notification in a messaging app, or a bogus alert inside a marketplace, where the surrounding interface lends the scam borrowed credibility.
The table below summarises how each channel typically reaches Canadians and the single habit that defends against it. Notice that the defence is similar across all five, because the underlying trick is the same. The channel changes, the psychology does not.
| Channel | Common Canadian lure | What it wants | Your one defence |
| --- | --- | --- | --- |
| Email phishing | Bank security alert, fake invoice, parcel fee | Login on a fake page, or a payment | Check the real sender address, never click the link to log in |
| Smishing (SMS) | CRA refund, Canada Post or courier fee, e-Transfer notice | Tap a shortened link, enter card or bank details | Do not tap; open the official app or type the address yourself |
| Vishing (voice) | Bank fraud department, CRA, tech support, grandchild in trouble | A code, a password, or an urgent transfer | Hang up and call back on the number on your card or bill |
| Quishing (QR code) | Parking meter, restaurant menu, poster, delivery slip | Open a fake site after scanning | Inspect the sticker, type the official address instead |
| App and platform | Marketplace buyer, social DM, fake login prompt | Credentials or a moved conversation off-platform | Keep the conversation on the platform, verify independently |
Email phishing: the red flags that still hold up
Even though the writing has improved, email remains the channel where you have the most tools to verify, because an email carries metadata a text does not. Start with the sender. The display name is meaningless on its own, since anyone can set it to read Interac or RBC or Government of Canada. What matters is the actual address behind it, which you reveal by tapping the sender name on a phone or hovering over it on a computer. A message that claims to be from a Canadian bank but comes from a free webmail address, a string of random characters, or a domain with an extra word bolted on is spoofed, no matter how perfect the body text reads.
Links are the second checkpoint, and the rule is to inspect before you click, never after. On a desktop, hover your cursor over a link without clicking and read the real destination that appears at the bottom of the window. On a phone, press and hold the link to preview where it actually goes. Watch for lookalike domains that swap or add a character, use a different ending, or bury the real bank’s name inside a longer address that belongs to someone else. When in any doubt, do not click at all. If the email says your account needs attention, open your banking app or type the bank’s address into your browser yourself, and check from there.
Beyond sender and link, a cluster of behavioural signals still gives phishing away. The message is unexpected. It manufactures urgency, a payment on hold, an account about to be suspended, a refund that expires today. It asks you to confirm a password, a card number, a SIN, or a one-time code, none of which a legitimate organisation requests by email. It may carry an unexpected attachment, often disguised as an invoice or a delivery slip, which can install malware the moment it opens. And it pushes you toward a single click as the only way to resolve a problem it has invented. Any one of these is a reason to stop; two or more together is as close to certain as you need.
The real sender address, not the display name, does not match the organisation it claims to be.
A link preview shows a lookalike or unrelated domain, or the message insists you log in through it.
The message is unexpected and creates urgency, fear, or a deadline measured in hours.
It asks you to confirm a password, card number, SIN, or one-time code, which no legitimate body does by email.
There is an unexpected attachment, especially one posing as an invoice, receipt, or delivery notice.
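The sender, link and wording checks above can be run mechanically over a raw message. The following is an added example, not code from the original article; the organisation name, the `bank.example` domains, the keyword lists and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: organisations you deal with, keyed by the name a message might
# display, mapped to the domain they really use. "bank.example" is a placeholder.
KNOWN_ORGS = {"example bank": "bank.example"}

URGENCY = re.compile(r"\b(suspended|on hold|expires today|within \d+ hours)\b", re.I)
SECRETS = re.compile(r"\b(password|card number|SIN|one-time code|PIN)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message, not a real phishing email.
SAMPLE = """\
From: "Example Bank Security" <alerts@bank.example.account-verify.example>
To: you@mail.example
Subject: Action required
Content-Type: text/html

<p>Your account will be suspended within 24 hours.</p>
<p>Confirm your password and one-time code here:
<a href="https://bank.example.secure-login.example/login">https://bank.example/login</a></p>
<p>Or <a href="https://bamk.example/reset">reset your access</a>.
Questions? <a href="https://www.bank.example/help">Help centre</a></p>
"""


def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch swapped or added characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(host, domain):
    """Host imitates a known domain without actually belonging to it."""
    host = host.lower()
    if belongs_to(host, domain):
        return False
    buried = domain in host  # real name inside a longer address owned by someone else
    tail = ".".join(host.split(".")[-(domain.count(".") + 1):])
    return buried or edit_distance(tail, domain) <= 2  # swapped or extra character


def red_flags(raw_message):
    """Return the red flags found in one raw RFC 5322 message, without duplicates."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2].lower()
    body, flags = "", []

    def flag(text):
        if text not in flags:
            flags.append(text)

    for part in msg.walk():
        if part.get_filename():
            flag("carries an attachment")
        elif part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    # The display name claims an organisation; the real address must back it up.
    for name, domain in KNOWN_ORGS.items():
        if name in display.lower() and not belongs_to(sender_host, domain):
            flag("sender address does not match the displayed name")

    for href, text in LINK.findall(body):
        host = (urlsplit(href).hostname or "").lower()
        shown = urlsplit(text.strip()).hostname  # None when the text is not a URL
        if shown and shown.lower() != host:
            flag("link text shows a different site than its destination")
        if any(looks_like(host, d) for d in KNOWN_ORGS.values()):
            flag("link goes to a lookalike domain")

    if URGENCY.search(body):
        flag("manufactured urgency")
    if SECRETS.search(body):
        flag("asks for a password, card number, SIN or code")
    return flags


def verdict(flags):
    """One flag is a reason to stop; two or more is close to certain."""
    if len(flags) >= 2:
        return "treat as phishing"
    return "stop and verify on another channel" if flags else "no red flags found"


if __name__ == "__main__":
    found = red_flags(SAMPLE)
    print(verdict(found), found)
```

An empty result means only that these particular checks found nothing, so an unexpected request still deserves verification on a separate channel.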
Smishing: phishing by text message
Text-message phishing has become one of the most effective tactics aimed at Canadians, and the reasons are built into the medium. A text feels intimate, it arrives with a notification you are trained to check immediately, and the small screen makes it far harder to inspect a link or spot a wrong address. The Canadian Centre for Cyber Security has warned specifically about sophisticated smishing campaigns targeting people across the country, often impersonating couriers, banks, and government services. The links almost always hide behind a URL shortener, so the destination is invisible until it is too late.
The Canadian flavours are predictable once you know them. There is the delivery scam, a text claiming a parcel is held pending a small fee or an address confirmation, timed to the constant flow of online orders. There is the bank-alert scam, a text warning of a suspicious transaction and inviting you to verify by tapping a link. There is the refund or benefit scam, dressed up as the CRA or a provincial program. And there is the fake Interac e-Transfer notice, which we treat separately below because it is so common in Canada. All of them share the same architecture: a believable pretext, a manufactured deadline, and a single link that leads to a credential-harvesting page.
The defence against smishing is refreshingly absolute: never act on a link in an unexpected text. If a parcel text might be real, go to the courier’s official website or app and track the order from there. If a bank text might be real, open your banking app or call the number on your card. If the CRA appears to be texting you, remember that it does not send links to log in or claim money. You can also report scam texts in Canada by forwarding them to 7726, which spells SPAM on a keypad, helping carriers identify and block the campaigns. Forward, delete, and verify on your own terms, and the smishing simply cannot reach you.
Vishing: AI voice scams and the phone call
Voice phishing brings the pressure of a live human, and in 2026 that human may not be human at all. AI voice cloning has matured to the point where a few seconds of recorded speech can reproduce a person’s tone, accent, and rhythm convincingly, and security reporting describes voice-phishing incidents climbing several times over in just a few years on the back of it. Two patterns dominate. In the institutional version, a caller claims to be from your bank’s fraud department, the CRA, or a tech-support line, and uses urgency and authority to extract a code, a password, or a transfer. In the family-emergency version, the caller imitates a grandchild or relative in sudden trouble and begs for money to be sent quietly and fast.
What makes vishing dangerous is that it removes your time to think and adds the weight of a real conversation. A scammer on the line can answer your questions, sound reassuring, and apply steady pressure in a way no email can. They may already know fragments of your information, gleaned from a breach or an earlier text, and they use those details to sound legitimate. A favourite move is to ask for the one-time code your bank just sent you, framing it as a verification step, when in reality they triggered that code by trying to log into your account and need you to read it out so they can get in.
The rules for the phone are short and they are non-negotiable. No legitimate bank, government agency, or company will ever ask you to read out a one-time passcode, a full password, or a PIN over the phone, so any caller who does is a fraudster regardless of how official they sound. If a call rattles you, hang up. Then call the organisation back yourself on a number you trust, the one on the back of your card, on a paper statement, or on the official website, not a number the caller gave you. For the family-emergency call, agree a private code word with relatives now, and always verify a distressing request by reaching the person through their own known number before you move a cent.
| On the phone | A real bank or agency | A vishing scammer |
| --- | --- | --- |
| Asks for a one-time code | Never asks you to read one out | Asks for the code to finish logging into your account |
| Asks for your full password or PIN | Never asks for either | Pressures you to confirm it for verification |
| Reaction to a callback | Welcomes you hanging up to call back | Insists you stay on the line, says there is no time |
| Payment method requested | Uses your normal banking, no rush | Demands e-Transfer, gift cards, or crypto immediately |
| Tone over time | Patient, fine with you verifying | Escalates urgency, fear, or secrecy |
Quishing: when the scam is a QR code
QR-code phishing exploits a simple gap in human perception: you cannot read a QR code with your eyes. Where a suspicious link can be inspected before clicking, a QR code hides its destination until your camera has already opened it, which is precisely what makes it useful to attackers. Reports through 2025 describe quishing as one of the fastest-growing techniques, with QR phishing attempts multiplying several times over in a single year, partly because the codes slip past email filters that scan for text-based links and partly because people scan them with little suspicion.
The attacks come in two broad forms. The digital version embeds a QR code in an email or document, often framed as a way to view a secure message, confirm a delivery, or complete a payment, sending you to a fake login page when scanned. The physical version is more striking: scammers print QR stickers and place them over legitimate ones in the real world, on parking meters, restaurant tables, event posters, and delivery notices. You think you are paying for parking or viewing a menu, and instead you land on a clone site asking for your card details. Because the surrounding object looks normal, the trust transfers to the code on top of it.
Defending against quishing means treating a QR code like any other unverified link. Before you scan one in public, look closely at it: is it a sticker placed over something else, is it peeling at the edges, does it sit oddly on the surface? After scanning, read the web address your phone previews before you proceed, and be deeply skeptical if it asks for payment or login details that the situation does not obviously require. The safest habit of all is to bypass the code: type a parking provider’s or restaurant’s official address yourself, or use their app, rather than trusting a square of ink you cannot read.
The Canadian context: CRA scams
Few lures are deployed against Canadians as relentlessly as the impersonation of the Canada Revenue Agency, and the volume surges around tax season and benefit-payment dates. The scams arrive by text, email, and phone, and they fall into two psychological camps: the carrot and the stick. The carrot promises money, a tax refund or a benefit you can claim by clicking a link or confirming your banking details. The stick threatens punishment, an overdue balance, a penalty, even arrest, unless you pay immediately. Both are designed to override caution, one with the thrill of unexpected money and the other with fear.
The single most useful fact a Canadian can hold about CRA scams is what the real agency will never do, because it draws a bright line that catches almost every fake. The CRA does not send text messages or email links asking you to log in or to claim a refund. It does not demand payment by Interac e-Transfer, by gift card, or by cryptocurrency. It does not threaten you with immediate arrest or deportation over the phone, and it does not ask for personal information by text. Genuine CRA contact directs you to log into your own My Account through the official channel, and the agency pays refunds by cheque or direct deposit, never by e-Transfer. Measure any CRA message against that list and the scams light up.
If a message or call appears to be from the CRA, the safe response is to disengage and verify independently. Do not click, do not call back on a supplied number, and do not pay. Instead, log into your CRA My Account yourself by typing the official address or using the verified app, where any genuine balance, refund, or notice will appear. The CRA publishes a regularly updated list of current scam tactics and recent examples on its own site, and reviewing the official guidance on how to recognise a scam at canada.ca is time well spent before the next tax season. When in doubt, treat silence and a self-initiated login as the correct answer.
The Canadian context: Interac e-Transfer and bank scams
Interac e-Transfer is woven into daily Canadian life, which is exactly why scammers have built an entire genre of phishing around it. The classic version is a fake e-Transfer notification: an email or text that mimics the familiar deposit notice, complete with Interac branding, telling you that you have received money and inviting you to click to deposit it. The link leads to a counterfeit page styled like your bank’s login, and whatever credentials you type go straight to the fraudster. New Brunswick’s financial regulator has issued active alerts about precisely this, and the messages have grown convincing enough that the branding alone is no longer reassurance.
A second, more insidious pattern targets the e-Transfer process itself. Because a transfer sent to the wrong place is fast and usually irreversible, criminals work to intercept it. If you send money using a weak security question with a guessable answer, a pet’s name visible on social media, a common word, an attacker who has compromised an inbox or guessed the answer can claim the funds before the intended recipient. Worse, some victims are tricked by an earlier phishing step into revealing the security answer directly. The money moves, and getting it back is difficult precisely because the system is built for speed.
Protecting yourself takes a handful of firm habits. Treat any unexpected e-Transfer notification with suspicion, and never click to deposit; open your banking app or online banking directly and check for the deposit there. When you send a transfer, use a security question whose answer only the recipient could know, never send the answer in a follow-up message, and turn on Interac autodeposit so incoming funds land automatically with no question to intercept. Switch on your bank’s transaction and fraud alerts so you are notified the instant money moves, and you become your own early-warning system. If you receive a genuinely fraudulent Interac phishing message, you can forward it to [email protected] so the security team can work to take the infrastructure down. The table below distils the e-Transfer rules into a quick reference.
| Situation | What a scam looks like | The safe habit |
| --- | --- | --- |
| Incoming e-Transfer notice | Email or text with a deposit link, urgent wording | Do not click; open your banking app and check directly |
| Sending money | Pressure to send fast to a new contact | Use a security answer only the recipient knows; never share it |
| Security question | Guessable answer like a pet or common word | Choose something private; turn on autodeposit to skip it |
| CRA refund by e-Transfer | Any e-Transfer claiming to be from the CRA | Ignore it; the CRA never uses e-Transfer |
| Confirmed phishing message | Fake Interac branding and login page | Forward to [email protected], then delete |
How to verify a suspicious message safely
When a message lands and something feels off, the goal is to confirm or dismiss it without giving the potential scammer anything. The governing principle is the out-of-band check: verify through a completely separate channel from the one the message arrived on. If an email claims to be from your bank, do not reply to it or click its link; instead open your banking app or call the number printed on your card. If a text says a parcel is held, do not tap the link; go to the courier’s official site and enter your tracking number. The message and the verification must never share a path, because a path the scammer controls can confirm its own lie.
Resist every shortcut the message offers, because the shortcuts are the trap. The phone number in a suspicious text routes to the scammer. The link in a suspicious email leads to their clone. The reply button connects you to them. Legitimate organisations are entirely comfortable with you reaching them through their published channels, and none of them will penalise you for hanging up to call back or for logging in directly rather than through a link. If a caller or message tries to keep you from doing exactly that, with claims that there is no time or that you must stay on the line, you are almost certainly being scammed, and that pressure is itself the clearest possible signal.
Verify on a different channel than the one the message came in on, every time.
Reach the organisation through its official app, a typed web address, or the number on your card or statement.
Never use a phone number, link, or reply button supplied by the suspicious message itself.
Log into accounts directly to check for genuine alerts, rather than clicking through a message.
Treat any pressure to stay on the line or act immediately as confirmation of a scam, not a reason to comply.
Two technical habits reinforce the human one. Turn on two-factor authentication, ideally with an authenticator app or a passkey rather than text-message codes, so that a stolen password alone is not enough to get into your accounts. And use a unique password for every important account, kept in a password manager, so that one phished credential cannot unlock the rest of your life. Neither replaces the instinct to verify, but together they mean that even a successful phish often hits a wall.
What to do in the first hour if you are caught
Falling for a phishing scam is not a moral failure, and panicking helps no one. What matters is speed, because the damage from a phished credential or a fraudulent transfer compounds with time, and the first hour is where you can still limit it. Work through the steps in order of exposure. If you handed over a password, the password is the emergency. If you gave card or banking details, the money is the emergency. If you only clicked a link or opened an attachment, the device is the emergency. Triage to whichever fits, and act rather than freeze.
Start by changing the exposed password immediately, and if you reused that password anywhere else, change it there too, because attackers test stolen credentials across many sites. Do this from a device you trust. Next, if any financial information was involved, or if money has moved, call your bank’s fraud line right away, using the number on your card, and tell them exactly what happened; they can freeze cards, halt transfers where still possible, and watch the account. Then report the incident to the Canadian Anti-Fraud Centre, by phone at 1-888-495-8501 or through its online reporting tool, and to your local police if you have lost money or your identity is at risk. Reporting matters even when recovery is uncertain, because it feeds the intelligence that takes scam networks down.
After the immediate containment, protect your identity for the longer haul. Place a fraud alert on your file with both Canadian credit bureaus, Equifax and TransUnion, so new credit applications in your name face extra scrutiny, and watch your accounts and credit closely in the weeks that follow. If you clicked a link or opened an attachment, run a full scan with reputable security software and consider that the device may need cleaning. Get Cyber Safe, the federal public-awareness program, maintains a clear step-by-step page for victims of phishing at getcybersafe.gc.ca, and it is worth following alongside your bank’s guidance. The checklist below is the one to keep somewhere you can find it fast.
Change the exposed password at once, and anywhere else you reused it, from a trusted device.
Call your bank’s fraud line on the number on your card if any financial detail was shared or money moved.
Report to the Canadian Anti-Fraud Centre at 1-888-495-8501 or online, and to local police if money or identity is at stake.
Place a fraud alert with Equifax and TransUnion, and monitor your accounts and credit.
If you clicked a link or opened an attachment, scan the device with reputable security software.
Protecting the people around you
Phishing is not only a personal problem, and some of the people most exposed are the ones least likely to read a guide like this. Older relatives are targeted heavily by vishing and the grandparent emergency scam, where a cloned or distressed voice begs for money to be sent immediately and secretly. Newcomers to Canada are targeted with immigration and CRA threats that play on uncertainty about how official processes work. Teenagers and young adults face scams through social media, gaming platforms, and marketplace deals. Spreading a few simple defences through your household and family is one of the highest-value things you can do.
Keep the shared advice short enough to remember under pressure. No real bank or government agency asks for a password, a PIN, or a one-time code, so anyone who does is a scammer. Money sent by e-Transfer, gift card, or cryptocurrency is effectively gone, so any urgent demand for those is a scam. And the universal escape hatch works for everyone: when in doubt, stop, do not act on the message, and reach the organisation or person yourself through a number or app you already trust. Agree a family code word for emergencies so a panicked call can be checked in seconds.
Make it normal to ask. A great deal of fraud succeeds because the victim is embarrassed to check, worried about looking foolish or about getting in trouble, and the scammer exploits that isolation by insisting on secrecy. Tell the people you care about that you would always rather field a question about a suspicious message than help them clean up after a scam, and mean it. A household where it is routine to pause and say does this look real to you is a household phishing struggles to penetrate, because the one thing every scam needs is a target acting alone and in a hurry.
Reporting phishing in Canada and why it matters
Reporting can feel pointless when the money may be gone and the scammer is anonymous, but it is anything but. The Canadian Anti-Fraud Centre is the national clearing house for fraud intelligence, and the reports it gathers, even from people who lost nothing, are what let investigators map campaigns, warn the public, and disrupt the networks behind them. Because only an estimated 5 to 10 percent of fraud is ever reported, each report is disproportionately valuable; it fills in a picture that is otherwise mostly blank. You can reach the Centre by phone at 1-888-495-8501 or through its online reporting system.
There are channel-specific reports worth making too, and each one feeds a different defence. Scam text messages can be forwarded to 7726, the short code that spells SPAM, which helps your carrier identify and block the source. Fraudulent Interac e-Transfer phishing can be forwarded to [email protected] so the security team can take down the fake infrastructure. Phishing emails impersonating a specific bank or company can usually be forwarded to that organisation’s own abuse or phishing address, often listed on its security page. And if you have lost money or your identity is compromised, file with your local police as well, since that creates the formal record you may need for banks, the credit bureaus, and any insurance claim.
Reporting also protects the next person. Every campaign that gets flagged, every fake domain that gets taken down, every number that gets blocked, raises the cost and lowers the reach of the operation, which means fewer messages landing on someone less prepared than you. Treat reporting not as a long-shot attempt to recover your own loss but as a civic act that strengthens the whole system, and the few minutes it takes become easy to justify. The combination of a national report, a channel-specific report, and a police file where warranted is the full set, and it is worth doing while the details are fresh.
Building habits that make phishing fail
Tools matter, but durable safety comes from a small set of habits practised until they are automatic, because phishing is engineered to defeat people who are improvising in the moment. The foundational habit is the pause. When any message asks you to click, log in, pay, or share a code, stop for the few seconds it takes to ask whether you expected this, whether it is rushing you, and whether the request makes sense. That deliberate beat is where almost every scam falls apart, because almost every scam depends on you not taking it.
Layer the technical habits underneath. Turn on two-factor authentication everywhere it is offered, leading with your email, since the inbox is the master key that can reset everything else, and prefer an authenticator app or a passkey over text-message codes. Use a password manager so every account has a unique, strong password and a single phished credential cannot cascade. Keep your devices and apps updated so known vulnerabilities are closed. Switch on transaction alerts with your bank so fraudulent movement surfaces in seconds. None of these is difficult, and each one narrows the gap a successful phish can slip through.
Finally, normalise verification as a default rather than a special precaution. Reach organisations through their official apps and your own saved bookmarks instead of through links. Type addresses for anything involving money or login. Keep the conversation on the platform when a marketplace or social contact insists on moving it elsewhere. Talk about scams openly with your household so that checking is routine, not awkward. Phishing thrives on speed, secrecy, and isolation, and a person who habitually slows down, verifies independently, and asks others denies it all three. That is what genuine protection looks like in 2026, and it costs nothing but a moment’s attention.
The verdict
Phishing in 2026 is better dressed than it has ever been, and that is precisely why the defence has shifted from spotting mistakes to questioning requests. You will not reliably catch the modern scam by hunting for typos, because there are none. You will catch it by noticing that a message is unexpected, that it is rushing you, that it wants a credential or a payment, and that the address behind it does not match the name on the front. Hold those questions, verify on a separate channel before you act, and the overwhelming majority of attacks aimed at Canadians simply do not work, no matter how polished they look.
If you do nothing else, adopt three rules. First, never click a link or call a number from an unexpected message to reach your bank or the CRA; reach them yourself through an app, a typed address, or the number on your card. Second, remember that the CRA never uses Interac e-Transfer and never texts a login link, so those messages are always fake. Third, if you are caught, move fast: change the password, call your bank, report to the Canadian Anti-Fraud Centre, and place a fraud alert with the credit bureaus. Pair those habits with two-factor authentication and a password manager, talk about scams with the people around you, and you will have built the kind of everyday skepticism that no amount of AI polish can talk its way past.
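The check that "the address behind it does not match the name on the front" can be automated for mail filtering or triage. The sketch below is an added example, not code from this article or from any organisation it names: it flags a From header whose display name claims a brand while the address domain is not that brand's, and links whose visible text shows one host while the href goes to another. The brand-to-domain map and all sample messages are constructed assumptions; confirm real domains with each organisation.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: illustrative brand-to-domain map, not an authoritative list.
BRAND_DOMAINS = {
    "cra": {"canada.ca"},
    "canada revenue agency": {"canada.ca"},
    "interac": {"interac.ca"},
}

def host_in(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def sender_mismatch(from_header):
    """Return the brand claimed in the display name when the address
    domain does not belong to that brand, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    for brand, allowed in BRAND_DOMAINS.items():
        claimed = re.search(rf"\b{re.escape(brand)}\b", name, re.I)
        if claimed and not host_in(domain, allowed):
            return brand
    return None

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def link_mismatches(html):
    """Return (shown_host, real_host) for links whose visible text names
    one host while the href actually points at a different one."""
    found = []
    for href, text in ANCHOR.findall(html):
        shown = SHOWN_HOST.search(text)
        real = (urlsplit(href).hostname or "").removeprefix("www.")
        if shown:
            shown_host = shown.group(1).lower().removeprefix("www.")
            if not host_in(real, {shown_host}):
                found.append((shown_host, real))
    return found

# Constructed samples, not real messages.
SAMPLE_FROM = '"CRA Refunds" <notice@canada.ca.refund-claim.example>'
SAMPLE_HTML = ('<a href="https://secure-login.example/cra">https://www.canada.ca/my-account</a>'
               '<a href="https://www.canada.ca/en/revenue-agency.html">canada.ca</a>')

if __name__ == "__main__":
    print(sender_mismatch(SAMPLE_FROM))
    print(link_mismatches(SAMPLE_HTML))
```

Note that the lookalike domain in the sample begins with the genuine domain; comparing the end of the hostname, not the start, is what catches it.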
Frequently asked questions
How can I spot a phishing message now that they have no spelling mistakes?
Stop relying on spelling and look at behaviour and addresses instead. Ask whether the message was unexpected, whether it is creating urgency or fear, and whether it wants a password, a code, a card number, or a payment, because legitimate organisations do not request those by message. Then check the real sender address by tapping or hovering on the name, and preview any link before clicking. A perfectly written message that fails those tests is still a scam, and in 2026 the polish itself should prompt extra caution rather than less.
Does the CRA ever send refunds or contact people by Interac e-Transfer?
No. The Canada Revenue Agency does not use Interac e-Transfer at all, so any message offering a tax refund or benefit by e-Transfer is a scam without exception. The CRA also does not text or email a link to log in or claim money, and it does not demand payment by gift card or cryptocurrency or threaten immediate arrest. It pays by cheque or direct deposit and directs you to log into your own My Account through the official channel. If you are unsure about a real balance or refund, log in yourself rather than acting on any message.
I clicked a link in a phishing text. What should I do right now?
Act quickly and in order of exposure. If you entered a password, change it immediately, both on that account and anywhere you reused it, from a trusted device. If you entered card or banking details, call your bank’s fraud line on the number on your card at once. Report the incident to the Canadian Anti-Fraud Centre at 1-888-495-8501 or online, and place a fraud alert with Equifax and TransUnion. If you also opened an attachment or the link installed something, run a full scan with reputable security software. Speed in the first hour is what limits the damage.
What is the difference between phishing, smishing, vishing, and quishing?
They are the same con delivered through different channels. Phishing classically means email; smishing is phishing by SMS text message; vishing is voice phishing over a phone call, increasingly using AI-cloned voices; and quishing hides the malicious link inside a QR code you scan. The pretext and the goal are identical across all of them, to make you click, share a code, or send money, which is why the same defence works for each: do not act on the message itself, and verify through a separate official channel you reach yourself.
Are AI voice scams really able to imitate someone I know?
Yes, and it is a real and growing risk in Canada. Modern voice-cloning tools can reproduce a person’s tone and speech from a short sample, and scammers use this both to impersonate bank or government agents and to mimic a relative in a fake emergency. The defences are simple and effective: never share a one-time code, password, or PIN over the phone, hang up and call back on a trusted number to verify any urgent request, and agree a private code word with family so a distressing call can be checked in seconds before any money moves.
Where do I report phishing in Canada, and is it worth doing?
It is genuinely worth it, because reports feed the intelligence that disrupts scam networks and warns others, and only an estimated 5 to 10 percent of fraud is ever reported. Report to the Canadian Anti-Fraud Centre at 1-888-495-8501 or through its online tool. Forward scam texts to 7726, which spells SPAM, so your carrier can block the source, and forward fraudulent Interac e-Transfer messages to [email protected]. If you lost money or your identity is at risk, file with your local police as well to create a formal record for your bank and the credit bureaus.
Reviewed by Emma Roy for the Tech Insider Canada editorial team. We research independently and reference public guidance from sources such as the Canadian Anti-Fraud Centre, Get Cyber Safe, and the Canada Revenue Agency. Scam tactics, reporting channels, and official processes change over time, so confirm current details through the organisation’s own site before acting. This article is general security information, not personalised financial or legal advice.
Emma Roy
Emma Roy writes about consumer hardware, smartphones and home tech for Tech Insider Canada, always with Canadian pricing and local availability in mind. She has tested hundreds of devices and prizes clear, no-nonsense recommendations.