Security measures to protect taxpayer information

March is Fraud Prevention Month in Canada and around the world. The protection of taxpayers’ information is a top priority for the Canada Revenue Agency (CRA), and this annual campaign emphasizes the importance of being able to identify, prevent, and respond to fraud.

The CRA continues to enhance its security measures to protect Canadians from fraud and identity theft. As an added layer of security, the CRA also encourages Canadians to take a few steps of their own to further protect their personal information.

Multi-factor authentication

The CRA uses Multi-factor authentication (MFA) throughout its sign-in services as a mandatory enhanced security measure. When prompted to enroll in MFA, users can select either the telephone, third-party authenticator app or passcode grid option.

Individuals need to enter a one-time passcode to access the CRA sign-in services when they sign in. Each code is good for a single sign-in session.

Mandatory email address on file

To help prevent taxpayers’ online accounts from fraudulent activity, My Account users are required to have an email address on file with the CRA. Individuals that do not currently have an email address on file will be prompted to provide one upon sign in.

This security feature ensures individuals receive email notifications when important changes are made on their account, such as changes to their address or direct deposit information. Email notifications act as an early warning for potential fraudulent activity. Canadians who receive these notifications, but have not authorized any changes, should contact the CRA immediately.

Captcha

To help distinguish between human users and web robots, Captcha was implemented in all CRA portals. This security feature requires individuals to identify specific images before being granted access to our digital services.

How taxpayers can protect their information

There are a number of actions Canadians can take to improve their cyber safety. To help lower the risk of being affected by fraud and identify theft, Canadians are strongly encouraged to:

1. avoid reusing passwords for different systems and applications.
2. use unique passwords for both CRA and other online accounts and change these passwords regularly.
3. unique Personal Identification Number (or PIN) for their account in order to identify themselves quickly and securely.
4. monitor their online CRA account for any unsolicited changes or suspicious activity. 
5. make sure their personal and business information is up to date.

If a taxpayer notices unsolicited changes on their CRA account, or thinks their information has been compromised, they should immediately report it to the CRA. The CRA will take swift precautionary measures, such as:

• locking the account to prevent transactions
• conducting in-depth reviews
• contacting the potential impacted individuals.

Resources

• Security of your CRA My Account and My Business Account
• Security of Taxpayer Information
• Scam prevention and the CRA
• CRA scam alerts

Contacts

Media Relations
Canada Revenue Agency
613-948-8366
cra-arc.media@cra-arc.gc.ca

-30-