Info Sheet: Security measures at the CRA

The protection of taxpayer information is of the utmost importance for the Canada Revenue Agency (CRA). In an era of increasing digital threats, the CRA employs a robust, multi-layered security framework designed to safeguard sensitive data and maintain the trust of Canadians.

Over the past few years, the CRA has noticed an increase in activity by unauthorized third parties attempting to gain access to taxpayers’ CRA accounts. Given the nature of our work, the CRA is a target of choice for threat actors; but, as scammers adapt their practices, so do we.

Comprehensive security framework

The CRA has robust systems and tools in place to monitor, detect and investigate potential threats, and to neutralize them when they occur.

The CRA regularly performs security risk assessments, including vulnerability scanning and penetration testing on the CRA’s digital services. The CRA also has various internal processes in place to prevent privacy breaches and to make sure that taxpayers' rights are protected. By conducting these assessments and adapting our approaches to respond to emerging risks, the CRA strengthens its defences against internal and external threats. In addition, the CRA has implemented proactive measures to protect the personal information of Canadians. These efforts include:

  • Multi-factor authentication – requiring a one-time passcode every time you access the CRA sign-in services.
  • Revoking at-risk CRA user IDs and passwords – routine checks to identify CRA user IDs and passwords that may have been compromised. The CRA revokes the identified CRA user IDs and passwords (protecting the affected accounts from bad actors using these credentials) and provides impacted individuals with the information they need to regain access to their account.
  • Mandatory email on file – email notifications sent to taxpayers when changes have been made to their account, including changes to their address and direct deposit information.
  • Identity Protection Services – a single point of contact for individual taxpayers to resolve identity theft concerns.

The CRA also combines advanced data analytics and business intelligence gathered from many sources, including law enforcement agencies, financial institutions, and leads, to support these efforts. We also collaborate with domestic and international partners to inform our security strategies. We thoroughly pursue potential fraud and have dedicated teams to promptly address these cases when they arise.

Incident response and identity protection

When the CRA becomes aware of a potential case of identity theft or suspects an account could be the target of a threat actor, immediate preventative measures are taken, including locking the account to prevent transactions and conducting an in-depth review. We directly contact affected individuals to inform them of the incident, outline our protective measures, and advise them on additional steps they can take to protect their account. For more information, see Info Sheet: How the CRA supports victims of identity theft.

Empowering taxpayers

The CRA encourages Canadians to take an active role in protecting their accounts by regularly monitoring for suspicious activity, updating passwords frequently, and keeping contact information current. Through education on best practices, the CRA aims to foster a collaborative effort to maintain the security of personal and financial information.

To learn more, go to the Security Measures to protect taxpayer information from external threats web page.


Page details

Date modified: 2025-02-05