Security of your CRA My Account and My Business Account
Revoked CRA user ID and password
Some taxpayers may have received notification that their CRA user ID and password have been revoked when attempting to log in to their CRA account. Visit CRA user ID and password have been revoked for more information.
Impacted individuals can continue to file their income tax return online using NETFILE certified software, and can apply for emergency benefits once a different login method is used, or a new CRA user ID and password is established. If you are unable to use this online option, please call the CRA.
Protect your business account by monitoring your My Business Account for any suspicious activity, which can include unsolicited changes to banking, mailing address, unauthorized appointment or changes of representatives or benefit applications made on your behalf. Visit Security of your CRA account for tips on securing your account.
Business owners who suspect their account has been compromised can call the CRA to talk to an agent on our Business Enquiries line at 1-800-959-5525 (between 9:00 a.m. and 6:00 p.m. local time, Monday to Friday), 1-866-841-1876 for Yukon, Northwest Territories and Nunavut or if they are outside of Canada and the U.S., at 613-940-8497 (between 9:00 a.m. to 6:00 p.m., Monday to Friday, EST). For information on protecting yourself against identity theft and fraud, go to canada.ca/taxes-fraud-prevention.
The Government of Canada, like other government and private sector organizations, faces ongoing and persistent security threats. Over the past few years, the Canada Revenue Agency (CRA) has noticed an increase in activity by unauthorized third parties attempting to gain access to taxpayers’ CRA accounts.
If you have been affected by a security incident, we’re here to help. We are continually working to protect taxpayer information and to prevent future security incidents.
If your account is compromised
If you believe your My Account, My Business Account or Represent a Client account has been compromised, here is some information that can help you.
If you receive a letter from us
We are sending letters by registered mail to individuals and businesses affected by security incidents. If you receive a letter notifying you that your account has been compromised, follow the instructions in the letter.
If you notice suspicious activity
Be sure to regularly monitor your online accounts for suspicious activity. This can include unsolicited changes to your banking, address, business or personal information, or benefit applications made on your behalf. Sign up for email notifications to monitor changes in your CRA accounts.
What this means for you
If your account has been compromised, your online CRA account(s) may have been accessed by an unauthorized individual. As a result, the CRA will take the following actions.
If you are an individual, we will:
- disable access to your account(s) and you will receive a letter with instructions on how to validate your identity to regain access
- assess whether you need to be offered creditor protection services free of charge
- temporarily stop sending any benefit and credit payments to you until your identity has been validated and access to your account has been restored
- work with you to restore your personal information and ensure you are not held liable for fraudulent claims and payments made on your account (this includes ensuring fraudulent claims do not impact you next tax filing season)
If you are a business, we:
- may temporarily stop payments to your business pending validation of your account.
- will disable any applicable web access codes which would have allowed for electronic filing of Canada Emergency Wage Subsidy (CEWS) applications and/or information returns.
- will work with you to re-activate your business account, resume payments intended for your business and request new access codes.
- will notify you if the personal and taxpayer information of your employees may have been accessed without authorization.
How the CRA will notify you
We are sending letters by mail to individuals and businesses who have been affected by a security incident. If you suspect your account may have been compromised, and have not received a letter or have recently moved, contact us.
The letter provides information on how to validate your identity to restore access to your account, and how we are helping those affected by these incidents. This includes access to free credit protection services.
How you can contact the CRA
If you suspect that your CRA account was compromised:
Call the CRA at: 1-800-959-8281
Select the option “report suspected fraud or identity theft” to prioritize your call to speak to a specialized agent as quickly as possible.
Call the CRA Business Enquiries line at: 1-800-959-5525
If you have concerns about a call or email you received about a payment:
Call the Canadian Anti-Fraud Centre at: 1-888-495-8501
How to prevent future incidents
- Change your user IDs and passwords. We encourage you to make a practice of regularly changing your user IDs and passwords, as well as your security questions and answers.
- Use unique and complex passwords. Always use unique passwords for your CRA and online banking accounts. Do not reuse the same password for different accounts or systems.
- Create a PIN. We suggest you set up a personal identification number (PIN) in CRA My Account or with the help of one of our call centre agents, to help confirm your identity for future calls with the CRA.
- Sign up for email notifications. We recommend you enable “Email notifications”. This service notifies taxpayers by email if their address or direct deposit information have been changed on CRA records. These notifications can act as an early warning for potential fraudulent activity.
- Monitor your account for suspicious activity. Check your online CRA accounts regularly for any suspicious activity. This includes unsolicited changes to your address and direct deposit information, or benefit applications made on your behalf.
- Make sure your personal and business information is up to-date. The CRA may need to contact you to validate certain activities on your account that may be suspicious.
Report a problem or mistake on this page
- Date modified: