New Travel Scam Variant Targets Tourists Traveling to Canada

December 14, 2021

Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.

Canadian visa phishing email

Canadian Visa program-themed phishing email.

Discovering the Canadian Visa Phishing Attempt

On December 1, 2021, Abnormal intercepted the above email sent to a VIP recipient, reminding them that their Canada visa application had not been submitted and remained incomplete. Although both the sending domain and the one listed in the signature block have the appearance of quasi-legitimacy, the website canada-visa-online[.]org uses the theme "eTA Canada Electronic Travel Authorization" while the real version of the page says "Government of Canada." The sending email address info[@] is the same as the contact email listed on the bottom of the imitation website at canada-visa-online[.]org.

Canadian visa phishing site

Landing page for

The Canadian eTA approval system is an entry requirement for visa-exempt United States citizens and other foreign travelers entering by air, although various exemptions exist for mode of entry and country of origin. The application process can be completed online and electronically links the record to the traveler's passport. Applying costs $7 CAD (about $5.50 USD) to file and typically takes several days to be approved, although Immigration, Refugees, and Citizenship (IRCC) Canada advises travelers to apply before purchasing a plane ticket. All of this can be done at official Canadian government websites using a ".ca" top-level domain, similar to ".gov" in the United States.

Canadian visa phishing payment

Payment instructions from

Although the scam website appears to offer sufficiently detailed information about the travel requirement program, some of the instructions stick out as odd, like the references to paying the filing fee via PayPal. If you remember, this was the preferred payment method for the other travel fraudsters we covered.

Canadian visa payment method

Payment methods listed on

Additionally, the fraudulent website is harder to read and understand than Canada's legitimate site, undoubtedly by design. Another identical version of this scam page exists at, although nothing appears to be hosted at the domain used to send the email.

Canadian visa phishing paypal

Order summary page with PayPal payment.

This fraudulent website makes no distinction between itself and the legitimate Canadian authorities and offers its service for a whopping $99 application fee. After the travel applicant completes the detailed application specifying their place of birth, passport number, date of birth, and address, the scam service displays an order summary of the information entered with payment available via PayPal or credit card, which is processed by PayPal. This time, the merchant name is not displayed in the payment box, and the hopeful travel applicant has no insight into where their money has been sent.

The Fraudsters Behind the Canadian Visa Scam

The domains used for this scam are hosted at the IP address 67[.]227[.]191[.]40, which also hosts an interesting mix of websites using similar international travel themes. Some appear to have been active since 2019.

Domains we’ve linked to this group include the following:

  • canada-visa-gov[.]org
  • canada-visa-online[.]org
  • elevendimension-funds[.]com
  • host.indiaonlinevisa[.]in
  • i-visa[.]org
  • india-e-visa[.]in
  • india-knowlege[.]in
  • india-visa-online[.]com
  • india-visa-online[.]org
  • indiaonlinevisa[.]in
  • ivisango[.]com
  • new-zealand-visa[.]org
  • official-india-visa[.]com
  • official-turkey-visa[.]org
  • us-visa-esta[.]org
  • www.canada-visa-online[.]org
  • www.india-e-visa[.]in
  • www.india-knowlege[.]in
  • www.india-visa-online[.]com

No additional information is available on what the actors actually do with the sensitive personally identifiable information (PII) they collect. Still, we can hypothesize that it is likely not being used to apply for Canadian travel authorization.

Unfortunately, those that use this website to apply will likely never know that their money and information have been stolen—at least until they realize they never received their visa or worse, are denied entry into Canada upon arrival.

To learn more about how Abnormal stops these phishing attacks, request a demo today.

Related Posts

Blog customer communications leads to product innovation
Learn how customers have influenced the latest round of product enhancements to better protect your organization from email-borne threats.
Read More
Blog attack detection efficacy cover
Abnormal’s relentless pursuit of innovation significantly improves the detection efficacy of hidden payloads in emails by an additional 5%.
Read More
Blog mnru cover
Estimating both the time and cost to complete a task has been a continual challenge for engineering teams as long as I’ve been working in industry. Coordinating the complex interactions and execution task sequencing across multiple tasks and people is a complex, ever-evolving challenge, and one that most teams struggle with daily.
Read More
Blog what do phishing emails cover
Phishing attacks are on the rise; the FBI reports that such attacks cost $54 billion in 2020, and phishing complaints increased by a whopping 110% from 2019 to 2020. If you're one of the many people targeted by a phishing email, you're not alone.
Read More
Blog holiday scams cover
We've arrived at that time of year—a time for reflection and celebration and spending time with family, and also that time of year where the cyber grinches hope to spoil the holiday fun.
Read More
Log4j email blog cover
Over the last few days, Abnormal has successfully blocked multiple attempts by attackers to deliver emails similar to these to our customers’ unsuspecting end users.
Read More
Blog securitry privacy cover
Customers place tremendous trust in Abnormal to protect them from the full spectrum of attacks when they provide us access to the email stored in Microsoft 365 or Google Workspace. To that end, we’re focused on protecting your data and building your trust.
Read More
Blog podcast role cto
Tim Tully, Partner at Menlo Ventures, grew up in Silicon Valley, where a love for coding was kindled in him. Tim is a technologist to the core, which innately led him to become an elite technical leader at companies like Splunk and Yahoo.
Read More
Blog canadian visa cover
Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
Read More
Automate abuse mailbox cover
Managing and monitoring an Abuse Mailbox can be a significant pain point for IT security teams, particularly large organizations with thousands of employees.
Read More
Blog calendar invite attack cover
Meeting invites are one of the most common types of emails sent today, so it should come as no surprise that attackers have found a way to manipulate them. Scores of recipients that utilize Abnormal Security recently received emails that contained a .ics attachment—an invitation file commonly used to populate online calendar applications with meeting and event information.
Read More
Blog saving memory python cover
At a hyper-growth startup, a solution from six months ago will unfortunately no longer scale. The business is growing rapidly, and this traffic to this service in particular was growing at an unprecedented rate. We hit a point where it needed re-architecting to support 10x the current scale.
Read More