October is Cyber Month: Here’s how the Canada Revenue Agency protects your information

Every October, Cyber Month highlights the importance of safeguarding personal information from ever-evolving cyber security threats.

The security of taxpayer information is of the utmost importance for the Canada Revenue Agency (CRA) and we are continually enhancing our security measures to help prevent unauthorized access to taxpayers’ information.

Multi-factor authentication

The CRA implemented Multi-factor authentication (MFA) as a mandatory enhanced security measure for all individuals, businesses, and representatives who access the CRA sign-in services. Individuals are required to enter a one-time passcode every time they access the CRA sign-in services. For registration and more information, visit the Multi-factor authentication web page.

Revoking at risk CRA user IDs and passwords

To help prevent incidents of unauthorized access and safeguard taxpayers’ information, the CRA conducts routine checks and analyses to identify CRA user IDs and passwords that may have been obtained by unauthorized parties that are external to the CRA. As a preventative measure, the CRA revokes the identified CRA user IDs and passwords, and provides impacted individuals with the information they need to regain access to their account.

Identity Protection Services

The CRA established a dedicated Identity Protection Services (IPS) program to provide a single point of contact for individual taxpayers to resolve identity theft concerns. The IPS program reviews all cases of potential identity theft, dealing directly with identity theft victims to ensure that their taxpayer account is restored and remains protected from unauthorized activity.

Mandatory email on file

My Account users are required to have an email address on file with the CRA to help protect their accounts from fraudulent activity. This security feature allows individuals to receive email notifications when changes have been made to their account, including changes to their address and direct deposit information. If a user has received an email that an update has been made to their account, but they have not authorized any changes, they should contact the CRA immediately.

How taxpayers can protect their CRA accounts

In addition to the CRA’s ongoing security enhancements, there are several steps Canadians can take to protect their CRA accounts:

• Regularly monitor their CRA online accounts for suspicious activity such as unexpected account changes or benefit applications made without their consent. This practice ensures that any suspicious activity is promptly addressed.
• Passwords and security questions should be changed on a regular basis and remain confidential. User IDs and passwords should be unique to a CRA account and passwords must be complex so they cannot be guessed.
• Keep contact information (mailing address, email address, phone number) up to date as the CRA contacts taxpayers if suspicious activity is detected on their account.

What to do if a taxpayer’s account has been compromised

If an individual suspects that their CRA account has been compromised due to suspicious activity, report the incident to the CRA, inform other authorities (banks, credit bureaus, local police) and notify the Canadian Anti-Fraud Centre. If a taxpayer’s account information has been compromised, the CRA will take actions to secure their account.

Contacts

Media Relations
Canada Revenue Agency
613-948-8366
cra-arc.media@cra-arc.gc.ca