Protect Your CRA Account from Phishing and Fraud

This article is part of a series on protecting the important information and people in your life from fraud and scams. Check back for more advice in future installments.

Among the organizations we interact with regularly, the Canada Revenue Agency (CRA) would seem like a difficult target for cybercriminals. The federal agency uses multi-factor authentication and other security measures to protect its portal and taxpayer data. Yet many people unintentionally hand over the keys to their CRA accounts by sharing or exposing the wrong pieces of personal information.

“Even with strong systems in place, consumers can be compromised if they’re not careful about what identification data they reveal,” says Carl Davies, Head of Fraud and Identity at Equifax Canada. Scammers aren’t only after tax refunds; they view CRA accounts as a trove of personal details that can be sold or used to assume someone’s identity—whether that’s applying for credit or claiming government benefits in another person’s name. “Criminals target CRA accounts to collect personal information they can leverage to commit fraud at the CRA or at other institutions,” Davies explains.

Equifax Complete Protection

Equifax Complete Protection is a credit and cybersecurity service designed to help Canadians detect identity theft and respond more quickly.

  • Daily credit monitoring and alerts
  • Dark web scans for your personal data
  • Social media monitoring provided by ZeroFox

Subscription price: $34.95 per month

How scammers obtain your personal information

You might assume it’s difficult for someone to gather the data needed to hijack your accounts, but simple online behaviors often make it easy. Davies recounts a family member who shared a harmless-looking chain post on Facebook that asked people to combine a pet’s name with a mother’s maiden name to create an “elf name.” The post drew hundreds of replies.

“That’s a scam,” Davies says. The game was an easy way for fraudsters to collect two commonly used pieces of information that the CRA and many financial institutions rely on for account recovery and identity verification.

But you don’t have to fall for a whimsical prompt to be exposed. Oversharing on social platforms—posting full names, birthdates, photos of your home, or details about where you live—gives fraudsters the pieces they need to convince an institution that they are you.

“If someone can find your full name, date of birth and location online, they can often answer security questions or reset passwords,” Davies warns. Once scammers gain access to your CRA account, they can extract further personal and financial details. Even basic information like declared income helps them estimate how much credit they can fraudulently obtain in your name without immediately triggering alarms.

Steps to protect your CRA account

Reducing your risk starts with being careful about what you share online. Davies recommends several practical measures you can use to better protect your CRA My Account and your identity:

  • Use a strong, unique password for CRA My Account. Choose a password that’s hard to guess and different from passwords you use elsewhere. Consider a password manager to generate and store unique passwords for each account.
  • Check your credit report regularly. Review it monthly to spot any attempts to open credit in your name. Unexpected inquiries or new accounts can indicate identity theft.
  • Avoid logging into CRA or other sensitive accounts on public Wi‑Fi. Unsecured networks make it easier for attackers to intercept your login credentials. Use your home network or a secured connection instead.
  • Be alert to phishing attempts. Do not respond to unsolicited calls, texts or emails claiming to be from the CRA. Adjust your phone settings so only calls from known contacts ring through, and verify any phone numbers before calling back. If the CRA legitimately needs to reach you, an agent won’t object to you contacting the agency directly via official numbers.

If your CRA account is compromised: immediate actions

If you suspect your CRA account has been breached, act quickly. Follow these steps:

  • Notify the CRA right away by phone or through their official online reporting channels.
  • Contact all of your banks and other financial institutions to alert them and to review recent activity. Also check with any institution where a third party attempted to open an account in your name; you’ll see those attempts on your credit report.
  • Change passwords on your CRA account, banking and other financial accounts immediately, and enable multi-factor authentication where available.

Davies has spoken with many people who received messages or calls that appeared to come from the CRA. In many cases, victims had doubts but proceeded anyway. His advice is simple: trust your instincts. If something feels off, stop, hang up, and contact the CRA directly using a verified number or official website.

How to contact the CRA

  • If you’re calling from Canada or the United States: 1-800-959-8281
  • If you’re calling from another country: 1-613-940-8495
  • If you use a teletypewriter: 1-800-665-0354
  • If you use the Canada Video Relay Service: 1-800-561-6393

Use credit monitoring to deter identity theft

Credit and identity monitoring services can be a useful addition to your fraud-prevention toolkit. These services alert you to changes on your credit file, flag suspicious activity on the dark web, and can help you react quickly if your information appears in risky places.

One such service—Equifax Complete Protection—offers daily credit monitoring, dark web scans, social media monitoring and device protection features. If your identity is stolen, the service provides identity restoration assistance and insurance coverage to help with some out-of-pocket costs associated with recovery (terms and availability vary by region).

Typical features of a monitoring service include:

  • Daily credit alerts for new accounts or inquiries on your credit report.
  • Dark web monitoring to check whether your personal information is being traded on hidden sites.
  • Social media monitoring to detect suspicious activity connected to your accounts.
  • Tools for encrypting data, managing passwords and protecting devices from phishing and malware.

Paid services vary in price and features. If you choose a subscription, review the details and ensure it fits your needs.

This article is sponsored.

This is a paid post produced by MoneySense with contributions from assigned freelancers. It aims to inform readers while also featuring a client’s product or service.
