Security of your CRA account
The Government of Canada, like other government and private sector organizations, faces ongoing and persistent cyber threats. Recent “credential stuffing” cyber incidents used passwords and usernames from previous hacks in other organizations to access CRA accounts. We’re here to help those who have been affected by the recent cyber incidents. We are working to protect taxpayer information and prevent future cyber incidents.
If your account is compromised
If you believe your account is compromised, or you don’t know if you’ve been affected by recent cyber incidents, here is some information that can help you.
How to know
If you receive a letter from us
We are sending letters by registered mail to everyone affected by the recent cyber incidents. If you receive a letter notifying that your account has been compromised, follow the instructions in the letter.
If your account is disabled
If access to your online account(s) is disabled, contact us as soon as possible, whether you have received a registered letter from us about your account or not.
If you notice suspicious activity
Be sure to regularly monitor your online accounts for suspicious activity. This can include unsolicited changes to your banking, address or personal information, or benefit applications made on your behalf. Sign up for email notifications to monitor changes in your CRA accounts.
What this means for you
If your account was compromised during the recent cyber incidents, your online CRA account may have been accessed by an unauthorized individual. As a result:
- The CRA will disable access to your account(s) and you will receive a letter by registered mail with instructions on how to validate your identity to regain access
- You will be offered credit protection services free of charge
- We will temporarily stop sending any benefit and credit payments to you until your identity has been validated and access to your account has been restored
- We will work with you to restore your personal information and ensure you are not held liable for fraudulent claims and payments made on your account (this includes ensuring fraudulent claims do not impact you next tax filing season)
How the CRA will notify you
We are sending letters by registered mail to people who have been affected by the recent cyber incidents. If you suspect your account may have been compromised, and have not received a letter or have recently moved, contact us as soon as possible.
The letter provides information on how to validate your identity to restore access to your account, and how we are helping those affected by these incidents. This includes access to free credit protection services.
How you can contact the CRA
If you suspect that your CRA account was compromised during the recent cyber incidents:
Call the CRA at:
Select the option “report suspected fraud or identity theft” to prioritize your call to speak to a specialized agent as quickly as possible.
If you have concerns about a call or email you received about a payment:
Call the Canadian Anti-fraud Centre at: 1-888-495-8501
How to prevent future incidents
- Change your user IDs and passwords. We encourage you to change your user IDs and passwords, as well as your security questions and answers as soon as possible.
- Use unique and complex passwords. Always use unique passwords for your CRA and online banking accounts. Do not reuse the same password for different systems.
- Create a PIN. We suggest you set up a personal identification number (PIN) in CRA My Account or with the help of one of our call centre agents, to help confirm your identity for future calls with the CRA.
- Sign up for email notifications. We recommend you enable “Email notifications”. This service notifies taxpayers by email if their address or direct deposit information have been changed on CRA records. These notifications can act as an early warning for potential fraudulent activity.
- Monitor your account for suspicious activity. Check your online CRA accounts regularly for any suspicious activity. This includes unsolicited changes to your address and direct deposit information, or benefit applications made on your behalf.
Report a problem or mistake on this page
- Date modified: