A new CloudSEK investigation reveals a sprawling fraud network targeting Canadian citizens, deploying high‑fidelity impersonations of the Government of Canada, Air Canada and Canada Post to harvest personal and financial data at scale. The operation, part of the so‑called PayTool ecosystem, creates the illusion of federal legitimacy to lure victims before steering them to localised scams.
Victims are drawn in by SMS claims of unpaid fines and redirected to a fake Government of Canada portal where they select a province, after which they are handed to phishing sites such as paytool-bc-2025[.]com or ontarioticketpay[.]live. CloudSEK notes a cohesive infrastructure designed to simulate a central government service, with a long tail of generic domains kept in reserve to maintain campaign continuity when provincial pages are blocked.
The activity extends beyond government targets to the travel sector, with attackers registering typosquatted domains like aircanda-booking[.]com and air-canaada-booking[.]com to spoof Air Canada. Intelligence from dark web forums also points to a Phishing-as-a-Service model and a threat actor known as ‘theghostorder01’ selling specialised phishing kits aimed at harvesting high‑value data such as Interac e‑Transfer logins.

28 January 2026.
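A defender-side check for the typosquatted domains named above, as an added example that is not part of the CloudSEK report: it refangs an indicator, joins the hyphen-separated tokens of its registrable label, and flags any run within one edit (insertion, deletion, substitution or adjacent swap) of a watched brand string. The `BRANDS` watchlist with its allowlisted official domains, the single-label TLD handling and the one-edit threshold are assumptions of this sketch.

```python
# Added example: flag lookalike domains for watched brands (detection aid).
# Assumptions: BRANDS watchlist/allowlist, single-label TLDs, threshold of 1 edit.
BRANDS = {
    "aircanada": {"aircanada.com"},
    "canadapost": {"canadapost-postescanada.ca"},
}

def refang(indicator):
    """Turn a defanged indicator (example[.]com) back into a plain hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def osa_distance(a, b):
    """Edit distance that also counts an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def candidates(host):
    """Every contiguous run of hyphen-separated tokens in the registrable label."""
    label = host.rsplit(".", 1)[0].split(".")[-1]
    tokens = [t for t in label.split("-") if t]
    n = len(tokens)
    return {"".join(tokens[i:j]) for i in range(n) for j in range(i + 1, n + 1)}

def classify(indicator, max_dist=1):
    """Return (brand, distance) for a lookalike, or None if nothing matches."""
    host = refang(indicator)
    if any(host in official for official in BRANDS.values()):
        return None  # allowlisted official domain
    best = None
    for brand in BRANDS:
        d = min((osa_distance(c, brand) for c in candidates(host)), default=max_dist + 1)
        if d <= max_dist and (best is None or d < best[1]):
            best = (brand, d)
    return best

# Sample input: the four defanged domains quoted in the article, plus one official domain.
SAMPLE = ["aircanda-booking[.]com", "air-canaada-booking[.]com",
          "paytool-bc-2025[.]com", "ontarioticketpay[.]live", "aircanada.com"]
if __name__ == "__main__":
    for ind in SAMPLE:
        print(ind, classify(ind))
```

The two provincial payment domains are not flagged because they imitate no watched brand string; catching that part of the funnel needs keyword or registration-pattern rules rather than edit distance.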