Phishing: What’s in a fraudster’s tacklebox?

Supported By:

Net Patrol International Inc.  Data Investigation and Forensic Services
Bankruptcy and Insolvency Trustees

Phishing  is one of the easiest ways for fraudsters to steal log in credentials, personal information or even infiltrate corporate networks. Fraudsters will use mass email and text message campaigns to send messages that appear to be from recognized institutions, companies or government agencies. These emails may claim that you need to update  your account or that money is ready to be deposited.

The CAFC also receives many reports of phishing scam variations where the message contains malicious links or attachments. These emails or texts may appear to be a receipt from a purchase, delivery notification or a fraudulent notice to appear in court. If the link  or attachment is clicked, your computer or device can potentially be infected with malware .

Financial institutions are often impersonated by fraudsters in an attempt to make their frauds sound more convincing. Phishing scams often target businesses luring employees to open an attachment or click on a link, which can potentially allow access to the company’s network , lead to ransomware  or spear phishing  attacks.

What’s in a fraudster’s tacklebox?

Impersonation and spoofing:

  • Fraudsters will pretend to be a familiar business, organization or financial authority requesting something from you or offering you a refund
    • They’re able to change the way their email address and name appear in your inbox

Refunds and E‑transfers:

  • Fraudsters will spark excitement by providing a reason for offering you a refund or e‑transfer, “just click the link and enter your credentials and/or financial information” – don’t let the temptation trick you!

Mass messaging:

  • Phishing messages are sent in mass with the hopes that at least a few will be lucrative – it’s likely you are targeted by one every day

What’s in your tacklebox?


  • Spelling mistakes in communications from someone claiming to be a legitimate organization should be a red flag but because of how many approvals organizational messaging needs to go through, there shouldn’t be any spelling errors


  • The Government of Canada will never send funds by email or text message – this is certain
    • If you get a message like this, report it to the CAFC


  • If you get an unsolicited email or text asking you to click a link or open an attachment – don’t do it!
  • If unsure, research the contact information for the company and reach out directly to them
    • Don’t use the contact information provided in the message
  • Never click on a link or attachment from an unsolicited message
  • Set-up multifactor authentication for all online accounts


  • Businesses should implement cyber security training for new employees

This article was originally sourced from