Tax Tip - Tax season may be over for most Canadians, but threats to their personal information are not Français

OTTAWA, ON, June 2, 2026 /CNW/ - For most Canadians, tax season may be over, but fraudsters aren't taking a break from trying to get into your Canada Revenue Agency (CRA) account. Scammers operate year-round, and capitalize on pre-published payment dates for CRA-administered benefits and credits, or tax-filing season, to time their scams accordingly. 

The CRA continues to implement security measures to protect your information from cyber threats, including multi-factor authentication, and revoking CRA user IDs and passwords that have been obtained through sources external to the CRA (phishing schemes, third party data breaches).

Did you know: In 2025, the CRA proactively revoked over 50,000 CRA user IDs and passwords that were identified as potentially being available to threat actors?  

The CRA's continual vigilance combined with your cyber hygiene creates a strong barrier against those seeking to gain from fraudulent activities. The CRA recommends taking the following actions on a regular basis to keep your CRA account secure and protect your information.

Use a strong and unique password for your CRA account

It is important that your CRA account has a unique password that you do not use on any other accounts or devices.

If one or more of the following apply, it may be time for you to change your password:

• You use the same password on another website, account or device
• Your password contains personal information
• You have shared your password with someone else

The CRA account sign-in credential allows up to 64 characters to ensure that you can create stronger passwords and protect your account.

Visit the Cyber Security Establishment Canada webpage for tips on how to create strong and unique passwords.

Stay alert for email notifications

All individual users with a CRA Account are required to have an email address on file. The CRA sends email notifications when important changes are made on their account, such as address or direct deposit information.

If you receive an email notification, but have not authorized any changes, you should contact the CRA immediately.

Scam alert: The CRA recently identified a tactic where threat actors obtain sign-in information found through sources external to the CRA to gain access to your account. They use this information to make changes on your account and then send many unwanted emails to flood your inbox. This tactic buries important and legitimate emails you receive, such as notifications about important changes made to your account.

To help verify if you've been contacted by the CRA, visit Recognize a scam - Scams and fraud.

Regularly monitor your CRA account

The CRA encourages online account users to make it a habit to regularly check for unsolicited changes or suspicious activity. This may include changes to personal information, benefit applications made on your behalf, or changes to your tax return.  

Keep up-to-date on the latest scams

The CRA's scam alert page provides up-to-date information on fraudulent schemes that impersonate the CRA, including common tactics and tips on how to stay safe. We encourage Canadians to follow us on social media for the latest updates and to report suspicious activity.

Contacts

Media Relations
Canada Revenue Agency
613-948-8366
[email protected]

Stay connected

• Follow the CRA on Facebook
• Follow the CRA on X – @CanRevAgency
• Follow the CRA on LinkedIn
• Follow the CRA on Instagram
• Subscribe to a CRA electronic mailing list
• Add our RSS feeds to your feed reader
• Watch our tax-related videos on YouTube
• Listen to our Taxology podcast

SOURCE Canada Revenue Agency