Security of your CRA My Account and My Business Account
If your CRA user ID and password have been revoked
Some taxpayers may have received a notification that their CRA user ID and password have been revoked. Visit CRA user ID and password have been revoked for more information.
Protect your My Business Account
Monitor your My Business Account for any suspicious activity, which can include unsolicited changes to banking, mailing address, unauthorized appointment or changes of representatives or benefit applications made on your behalf.
Business owners who suspect their account has been compromised can report it to the CRA or call to talk to an agent on our Business Enquiries line at 1-800-959-5525 (between 9:00 a.m. and 6:00 p.m. local time, Monday to Friday), 1-866-841-1876 for Yukon, Northwest Territories and Nunavut or if they are outside of Canada and the U.S., at 613-940-8497 (between 9:00 a.m. to 6:00 p.m., Monday to Friday, EST).
The Government of Canada, like other government and private sector organizations, faces ongoing and persistent security threats to its online services. Over the past few years, the Canada Revenue Agency (CRA) has noticed an increase in activity by unauthorized third parties attempting to gain access to taxpayers’ CRA accounts.
If you are concerned about or suspect unauthorized access to your CRA account, we are here to help. We are continually working to protect taxpayer information and to prevent online security incidents.
On this page
If your account is compromised
If you believe your My Account, My Business Account or Represent a Client account(s) have been compromised, please see the information below.
Receiving a letter from us
We are sending letters by registered mail to individuals and businesses affected by incidents of suspected unauthorized access. If you receive a letter notifying you that your account has been compromised, follow the instructions in the letter.
Reporting suspicious activity on your CRA online account
If you notice changes to your CRA account information that you did not request, or if you think information has been compromised, report it to the CRA. This can include communication from the CRA regarding changes to your account that you did not authorize. You can report suspected unauthorized access using one of the following options:
Use the online Web form
Call the CRA
Automated phone system:
1-800-265-2577 (in Canada)
1-613-221-3176 (outside Canada)
Live call with an agent:
1-833-995-2336 (Individual accounts)
1-800-959-5525 (Business accounts)
1-800-959-8281 (Trust accounts)
What this means for you
If your account information has been compromised, your online CRA account(s) may have been accessed by an unauthorized individual. As a result, the CRA will take the following actions.
If you are an individual, we will:
- disable access to your account(s) and you will receive a call or letter with instructions on how to validate your identity to regain access
- assess whether you are entitiled to be offered credit protection services free of charge
- temporarily stop sending any benefit and credit payments to you until your identity has been validated and access to your account has been restored
- work with you to restore your personal information and ensure you are not held liable for fraudulent claims and payments made on your account (this includes ensuring fraudulent claims do not impact you next tax filing season)
If you are a business, we:
- may temporarily stop payments to your business pending validation of your account
- may disable any applicable web access codes which allow for electronic filing of information returns
- will work with you to re-activate your business account, resume payments intended for your business and request new access codes, if applicable
- will notify you if the personal information of your employees may have been accessed without authorization
How the CRA will contact you
As soon as the CRA becomes aware of an alleged incident of identity theft or suspects an account could be the target of a bad actor, we take swift and immediate precautionary measures.
Incidents of suspected unauthorized access
We send letters by mail to individuals and businesses who have been affected by unauthorized access.
The letter provides information on how to validate your identity to restore access to your account, and how we are helping those affected by these incidents. For individuals, this may include access to free credit protection services.
Suspected identity theft
In cases of suspected identify theft, we may call you or write you a letter asking for details about your file and request documents to validate your identity and personal information.
This could include a:
- copy of government identification (such as a driver’s license, passport, or birth certificate)
- proof of address (such as a utility, phone, or internet bill, or tax-related document)
- bank statement or letter from financial institution confirming your direct deposit information
If you’re suspicious about a call or letter that you’ve received that is requesting information from you, here’s how to know it’s really the CRA.
How to prevent future incidents
- Make sure we have your correct email address at all times. Email notifications from the CRA let you know when important changes are made on your account. These notifications can act as an early warning for potential fraudulent activity.
- Change your user IDs and passwords. We encourage you to make a practice of regularly changing your user IDs and passwords, as well as your security questions and answers.
- Use unique and complex passwords. Always use unique passwords for your CRA and online banking accounts. Do not reuse the same password for different accounts or systems.
- Create a PIN. We suggest you set up a personal identification number (PIN) for your individual account to help confirm your identity for future calls with the CRA. You can set up a PIN in My Account or with the help of one of our general enquiries call centre agents.
- Monitor your account for suspicious activity. Check your online CRA accounts regularly for any suspicious activity. This includes unsolicited changes to your address and direct deposit information, or benefit applications made on your behalf.
- Make sure your personal and business information is up to date. The CRA may need to contact you to validate certain activities on your account that may be suspicious.
- If you are a business owner, verify the applicable federal, provincial, or territorial corporate registry to make sure that the list of directors and contact information are correct.
Scam prevention and the CRA
To know what to expect when the CRA contacts you, what we may or will not ask for, as well as examples of recent CRA-related scams, visit Scam prevention and the CRA.
Please note that if you believe you have received a scam call by someone posing to be the CRA, our General Enquiries are here to help.
Individual Tax Enquiries can be reached at 1-800-959-8281.
Business Inquiries can be reached at 1-800-959-5525.
- Date modified: