Security measures to protect taxpayer information from external threats

The protection of taxpayer information is of the utmost importance for the Canada Revenue Agency (CRA). In today’s increasingly digital world, the CRA continually takes steps to safeguard sensitive information against ever-evolving threats.

Ongoing security enhancements

Multi-factor authentication

The CRA uses multi-factor authentication (MFA) throughout its sign-in services as a mandatory enhanced security measure. When prompted to enroll in MFA, users can select one of three options: telephone, third-party authenticator app, or passcode grid.

Individuals need to enter a one-time passcode each time they sign in to access the CRA sign-in services. Each code is good for a single sign-in session.

Mandatory email address on file

To help protect taxpayers’ online accounts from unauthorized access, My Account users are required to have an email address on file with the CRA. Individuals who do not currently have an email address on file will be prompted to provide one upon sign-in.

This security feature ensures individuals receive email notifications when important changes are made on their account, such as changes to their address or direct deposit information. Email notifications act as an early warning for potential unauthorized access. Canadians who receive these notifications, but have not authorized any changes, should contact the CRA immediately.

Taxpayers should be cautious of any communication that claims to be from the CRA and requests personal information such as a social insurance number (SIN), credit card number, bank account number, or passport number.

The CRA will not send an email that gives or asks for personal or financial information and asks you to click on a link.

For more information on how to recognize CRA-related scams, visit Scam prevention and the CRA.

Personal Identification Number

As an added security measure, taxpayers can set a unique Personal Identification Number (PIN) for their account in order to identify themselves quickly and securely when calling the CRA.

Captcha

To help distinguish between human users and web robots, Captcha was implemented in all CRA portals. This security feature requires individuals to identify specific images before being granted access to our digital services.

Identity Protection Services

The CRA created the Identity Protection Services (IPS) program to better help suspected identity theft victims. The program also responds to suspicious account activity to protect individuals and their information before identity theft occurs.

The IPS program reviews all cases of potential identity theft, dealing directly with identity theft victims, to ensure that their online account is restored and remains protected from unauthorized activity.

Revoking at-risk CRA user IDs and passwords

To help prevent incidents of unauthorized access and safeguard taxpayers’ information, the CRA conducts routine checks and analyses to identify CRA user IDs and passwords that may have been obtained by unauthorized parties. These CRA user IDs and passwords may have been obtained through sources external to the CRA, such as email phishing schemes and third-party data leaks.

Identified CRA user IDs and passwords are revoked. Affected individuals receive an email notification explaining why their CRA user ID and password have been revoked, with instructions on how to regain access to their CRA account.
