Tax Season Scams Start Early: The T4 Email That Targets Toronto Firms First

February in Toronto: snowbanks, salted boots, and a calendar filling with slips and deadlines. While your team preps T4s, T4As, and RL-1s for cross‑border clients, threat actors are prepping something else: a scam timed perfectly for busy season.

The Play: “Can you send me the T4s ASAP?”

It lands in Payroll or HR. Looks like it’s from the Managing Partner or the owner. Short. Urgent. Totally plausible in February:

“Hey—need all employee T4s for a meeting with the accountant. Slammed today—can you email them over ASAP?”

The name checks out. The tone matches. And your team wants to help—so they attach the files.

Except it wasn’t the partner. It was a criminal using a spoofed address or look‑alike domain. Now they’ve got:

• Full legal names
• SINs
• Home addresses
• Compensation details

Everything needed to file fraudulent returns before your staff does—and to kick off identity theft.

How Victims Usually Find Out

An employee e‑files and gets rejected: “A return has already been filed for this SIN.” Cue hours with CRA, credit monitoring, and months of remedia

tion. Multiply by your whole payroll—and you’ve got a reputational mess on top of a security incident.

Why This Works (and keeps working)

• Perfect timing: February is peak T4 chatter. The ask feels normal.
• Reasonable request: Not “wire $50k.” It’s a real task that actually gets shared.
• Faux urgency: “I’m slammed—quick favour?” Busy season brain says yes.
• Convincing sender: Attackers research partners, managers, even your external accountant. The email feels right because it’s designed to.
• Helpful culture (without guardrails): People want to support leadership. Urgency overrides verification.

Five Moves That Block the T4 Scam

No new software required—just policy + culture, with a dash of IT hygiene:

1. Ban sensitive payroll via email. T4s never travel by attachment. If someone emails asking—even the MP—the answer is no. Use a secure portal or encrypted share with expiring links.
2. Verify in a second channel. Phone, Teams/Slack, or in person. Use a number you already have, not one in the message. 30 seconds now saves months later.
3. Run a 10‑minute “tax‑scam huddle.” This week. Show 2–3 real examples, define the rule of engagement (“pause, verify, then send”), and name a go‑to person for questions.
4. Lock down payroll/HR systems with MFA. If credentials get phished, MFA is the last door that won’t open.
5. Praise verification. The employee who double‑checks a partner’s request is a hero, not a hassle. Make questioning part of the culture.

The Bigger Picture: Busy‑Season Bait

Expect more of the same until April:

• Fake CRA/IRS notices demanding immediate payment
• Phishing dressed up as tax software updates
• Spoofed messages “from your accountant” with booby‑trapped links
• Look‑alike invoices timed to ride your tax‑related spend

Firms that glide through aren’t lucky—they’re prepared.

How Tech Fuel Shields Toronto Accounting Firms

We’re the MSP that actually knows your world. We:

• Enforce email authentication and impersonation protection
• Set up secure file‑sharing that’s faster than attachments
• Enable and enforce MFA on payroll/HR tools
• Train your team with realistic, Toronto‑flavoured phish tests
• Write short, usable policies people will follow in busy season

Result: fewer near‑misses, faster verifications, and a culture that treats security like client trust—non‑negotiable.

Ready to Pressure‑Test Your Defences?

Book a 10‑minute discovery call. We’ll review:

• Payroll/HR access + MFA
• Your T4 verification process
• Email protections that catch spoofing
• One policy tweak most firms miss

[Book your 10‑minute discovery call]