It's February. Tax season is ramping up. Your accountant is getting busier. Your bookkeeper is pulling documents. Everyone's thinking about T4s, T4As and deadlines.

Here's the part nobody puts on the calendar: the first real tax-season headache usually isn't a form. It's a scam.

And there's one that shows up before April 30 even gets close because it's easy, believable and aimed straight at small businesses. You might already have it sitting in someone's inbox.

The T4 Scam: How It Works

Here's the setup:

Someone in your company (usually whoever handles payroll or HR) gets an email that looks like it's from the CEO, owner or a senior exec.

The message is short and urgent:

"Hey, I need copies of all employee T4s for a meeting with the accountant. Can you send them over ASAP? I'm slammed today."

It looks normal. The tone sounds right. Tax season is busy, so the urgency feels natural. The request seems reasonable.

So, your employee sends the T4s.

Except the email wasn't from the CEO. It was from a criminal using a spoofed address or a look-alike domain.

And now that criminal has every employee's:

• Full legal name

• Social Insurance Number (SIN)

• Home address

• Salary information

Everything needed for identity theft. Everything needed to file fraudulent tax returns before your employees do.

What Happens Next

Here's how victims usually find out:

Your employee files their tax return. It gets rejected: "Return already filed for this Social Insurance Number."

Someone already filed in their name. They already claimed their refund. Already got the money.

Now your employee is dealing with the CRA, credit monitoring, identity theft protection and months of paperwork because of a document they didn't even know they sent.

Multiply that by your entire payroll. Now imagine explaining to your team that their personal information was compromised because someone fell for a fake email.

That's not just a security problem. That's a trust problem. An HR nightmare. A potential lawsuit. A reputation hit.

Why This Scam Works So Well

This isn't a Nigerian prince email. It doesn’t look fake at first glance.

It works because:

The timing is perfect. T4 requests are expected in February. Nobody questions why someone would ask for them now.

The request is reasonable. It's not "wire $50,000" or "buy gift cards." It's something that actually does get shared during tax season.

The urgency feels normal. "I'm slammed today, can you send this quick?" doesn't raise red flags in a busy office.

The sender looks legitimate. Criminals research targets. They know the CEO's name. Sometimes they know your accountant's name. They make it look real because they did their homework.

Employees want to be helpful. Especially to the boss. Urgency overrides verification.

How to Protect Your Business (Before This Lands)

The good news: this scam is preventable. And it takes policy + culture more than fancy tech.

Make a "no T4s via email" rule. Period. No exceptions. T4s and other sensitive payroll documents do not leave your building through email attachments. If someone asks for them via email, the answer is "no," even if it looks like the CEO.

Verify any sensitive request in a second channel. Phone call. In person. Chat. Anything other than replying to the email. Use a number you already have, not one in the message. It takes 30 seconds. Can save months of cleanup.

Do a 10-minute tax-scam huddle now. Not later. Not "when we get closer." Tell your payroll/HR people: "These are about to spike. This is what they look like. This is what we do." Awareness is cheap insurance.

Lock down payroll and HR systems. Multi-factor authentication (MFA) on anything that touches employee data. If someone's credentials get phished, MFA is the last door they'll slam into.

Make verification a culture, not a burden. The employee who calls to double-check a request from the CEO should be praised, not made to feel paranoid. When questioning is rewarded, scams have nowhere to hide.

That's it. Five rules. Simple enough to implement this week. Strong enough to stop the first wave.

The Bigger Picture

The T4 scam is just the opening act.

Between now and April 30, expect a flood of tax-themed attacks:

• Fake CRA notices demanding immediate payment

• Phishing emails disguised as tax software updates

• Spoofed messages from "your accountant" with malicious links

• Fraudulent invoices timed to look like tax expenses

Criminals love tax season because everyone's distracted, everyone's moving fast and financial requests don't seem unusual.

Businesses that get through tax season clean aren't luckier. They're prepared.

They have policies. They have training. They have systems that catch suspicious requests before they become disasters.

Is Your Business Ready?

If you've already got policies in place and your team knows what to look for, great. You're ahead of most small businesses.

If not, now is the time. Not after the first scam hits.

If this sounds like your business, book a 15-minute Tax Season Security Check.

We'll review:

• Payroll/HR access and MFA

• Your T4 verification rules

• Email protections that catch spoofing

• The one policy tweak most businesses miss

If it doesn't sound like you, awesome. But you probably know a business owner it does sound like. Forward them this article. It might save them a very expensive headache.

Book your 15-minute Tax Season Security Check

Because tax season is stressful enough without identity theft on top of it.