Canadian Anti-fraud Centre name used in phishing campaign

The name of the Canadian Anti-fraud Centre, a clearing house for police for fraud reports of all types, is being used for a phishing scam.

The centre (CAFC), run by the RCMP, the federal Competition Bureau and the Ontario Provincial Police, discovered earlier this week that a threat actor is sending out emails, claiming to be from the agency, warning that it has received a complaint about the recipient. To see details the recipient is asked to click on a link.

What’s worrisome is that the sender’s email appears to be a legitimate CAFC address. However, people smart enough to read the header information would see the real sender is not from the CFAC.

In addition, the link in the message goes to a site called “mountainbuffalo,” clearly not a CFAC or Canadian government website.

screenshot of phishing letter impersonating the Canadian Anti-fraud Centre
Screenshot of phishing message pretending to be from the Canadian Anti-fraud Centre

The CFAC quickly sent out a tweet warning people not to fall for the scam. The centre never includes links in email messages.

“Unfortunately, everyone is at risk of being spoofed, whether by phone [in call display] or by email,” Jeff Horncastle, the CAFC’s acting communications and client outreach officer, said in a Friday morning interview.

The centre isn’t an investigative agency, so it can’t say what happens when a victim clicks on the link in the fake email.

However, usually scams like this are after personal information that can be used later for identity fraud. A victim might be asked for their date of birth or Social Insurance number to confirm their identity. Then that information might be used to make counterfeit ID.

It’s not hard for scammers to spoof a company or person’s email address, Horncastle said, which is why it’s important for people to turn on the ability of their email system to display the full header information of senders.

Sometimes the fraudster will only spoof the name of the sender (for example, John Widget), but the email address in the angled brackets following the name will give away that it’s a fake (for example “John Widget <[email protected]>” would be suspicious).

In this case The “no-reply[at]antifraudcentre[dot]ca” is one of the CAFC’s real email addresses. However, looking at the header information would reveal the message didn’t really come from the centre.

Header information, which shows who really sent an email, can be accessed in a number of ways. In Gmail, open a message. click on the three vertical dots beside the Reply arrow and choose “Show original.” On, find three horizontal dots and choose “View message source.”

Screen shot of Gmail showing three dots for accessing a special menu
Find and click on the three dots beside the Reply arrow ….
Screen shot of Gmail menu
… and click on “Show original”


In the desktop version of Outlook, the process is different: Here’s how to do it.

You should also find a way in any email application to enable — if it isn’t there already — a drop-down arrow or menu beside or beneath the sender’s name that will show more detailed information about the real sender’s address.

Screen shot showing arrow that will lead to real message sender's address
Clicking on the arrow will also show message header information

Email users should regularly check the headers of all senders, not just those in messages that look suspicious, said Horncastle, particularly if the messages contain links. As an extra step, call to confirm the person really has sent that message — but don’t use the email address or the phone number in a message you’re suspicious about.

If the link in the message isn’t detailed, as the one in the CFAC phony message is, hover your mouse under the link and the full URL will show at the bottom of the browser.

So far the centre has received fewer than 10 reports about this fraudulent message, he said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.