Your company is participating in a Cyber Security Education Program.


This Tax Information Phishing Attack included the following social engineering techniques:


  1. Email name includes your company name (example: <hr director>@yourcompany.com)
  2. Email name includes <fake email> so that it appears to be the "real" email address used
  3. Subject line written to appear critical or official (example: CONFIDENTIAL: Tax Information)
  4. Time-bound / urgent email (example: ... confirm within 24 hours.)
  5. Attack executed at a time when tax-related information is expected, to lower your suspicion.
  6. Use of your HR or Office Manager signature block, if your email filters didn't detect it.


How to spot that this was a phishing email:



  1. The actual From email address (the "real" one at the end, after <fake email>) uses a random domain not associated with your company or any software product it uses (example: @vpn-access.host is not associated with your company or Revenue Canada)
  2. The link provided references a domain not associated with your company (example: cbsa-asfc-bc.ca); however, a domain that resembles a government agency may have been used.
  3. This email was, or may have been, filtered into your junk mail folder.
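
For mail administrators, the sender, link and wording checks above can be run automatically over a message. This is an added example, not part of the original notice; the function names, the trusted-domain set and the sample message (built from the examples on this page) are assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
URGENT_RE = re.compile(r"within \d+ hours|urgent|confidential", re.I)


def is_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def phishing_indicators(from_header, subject, body, trusted):
    """Return the indicators from the lists above that this message shows."""
    found = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2]
    if not is_trusted(sender_domain, trusted):
        found.append(f"sender domain not trusted: {sender_domain}")
        # Display name carries a trusted-looking address the mail did not come from.
        m = ADDR_RE.search(display)
        if m and is_trusted(m.group(1), trusted):
            found.append(f"display name imitates {m.group(0)}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not is_trusted(host, trusted):
            found.append(f"link to untrusted domain: {host}")
    if URGENT_RE.search(subject) or URGENT_RE.search(body):
        found.append("urgent or official-sounding wording")
    return found


# Constructed sample built from the examples on this page; the mailbox name
# "notice" and the URL path are made up for illustration.
SAMPLE = {
    "from_header": '"hr.director@yourcompany.com" <notice@vpn-access.host>',
    "subject": "CONFIDENTIAL: Tax Information",
    "body": "Please review at https://cbsa-asfc-bc.ca/review and confirm within 24 hours.",
}
TRUSTED = {"yourcompany.com"}  # assumption: your organization's own domains

if __name__ == "__main__":
    for line in phishing_indicators(trusted=TRUSTED, **SAMPLE):
        print(line)
```

The urgency pattern is a weak signal on its own, since legitimate HR mail can match it; it is most useful alongside the domain checks.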


“An employee is either an asset to your cyber security or a risk.”