Of all the organizations we deal with at least once a year, the Canada Revenue Agency (CRA) would seem to be a hard target for cyber-crime. The federal department takes pains to make its portal and taxpayer information secure with multi-factor authentication. But taxpayers themselves may unwittingly give criminals the keys to their CRA accounts.

“Even with the best systems in place, if consumers aren’t wary about what identification data they have, they could get compromised,” warns Carl Davies, Head of Fraud and Identity at Equifax Canada. Fraud artists aren’t just trying to get their hands on your tax refund; they see the CRA as a repository of personal data they can sell or use to steal your identity—for example, by taking out credit or applying for government benefits in your name. “Criminals are trying to get into your CRA account in order to collect personal information to leverage that information to commit fraud, either at the CRA or other institutions,” Davies says.

How scammers get your personal information

Think it would be hard for someone to hack into your data? Davies recalls a family member once passing along a seemingly innocuous chain message on Facebook. The holiday-themed message asked users to combine their pet’s name with their mother’s maiden name to come up with their “elf name.” It had hundreds of replies.

“It’s a scam,” Davies says. The message was a way for criminals to obtain two of the most common pieces of information used by the CRA, as well as financial institutions, for people to recover access to their accounts.

But you don’t have to fall for a scam like this to make yourself vulnerable to identity theft.

“If I’m on social media and I’m putting out my full name, my date of birth, pictures of my home, where I live, that’s really a problem,” Davies says. “Now a fraudster has everything they need in order to indicate to the CRA that yes, this is actually me.” They can answer security questions, reset passwords and more. Once scammers get into your CRA account, they can obtain still more personal information, including financial information. For example, they can extrapolate your income, which gives them a sense of how much money they can borrow in your name without raising red flags.

How to protect your CRA account from identity theft

Minimizing the risk of fraud through your CRA account starts with being cautious about the personal information you share online. Here are some other steps Davies recommends:

Use a complex password for your CRA My Account. “Make it hard to guess,” he says. Better yet, use a password manager to come up with and keep track of passwords for different accounts.

“Make it hard to guess,” he says. Better yet, use a password manager to come up with and keep track of passwords for different accounts. Check your credit report regularly. Take a look every month. It will reveal any attempts to apply for credit using your identity, valid or not.

Take a look every month. It will reveal any attempts to apply for credit using your identity, valid or not. Never log into your CRA account using public Wi-Fi. Criminals using the same unsecured network can hack your device and steal your info. Never log into apps and accounts using public internet services, either. Your home network will generally be secure.

Criminals using the same unsecured network can hack your device and steal your info. Never log into apps and accounts using public internet services, either. Your home network will generally be secure. Watch out for phishing scams. Don’t respond to unexpected calls, text messages or emails purportedly from the CRA. Change your phone settings so that only calls from your contact list come through. (Everyone else can leave a message.) And before you call, confirm the correct phone number online. If the agency is genuinely trying to reach you, a tax agent would have no problem with your contacting the CRA directly.

What to do if your CRA account has been hacked

If you suspect your CRA account has been breached, here’s what to do:

Notify the CRA immediately by phone or online.

Contact all the financial institutions you have accounts with, as well as any where a third party has attempted to set up an account in your name (this will be on your credit report).

Change the passwords on your CRA, bank and other financial accounts.

Davies has spoken to many victims of fraud, including Canadians who received calls, emails and text messages supposedly from the CRA. Many victims admitted to sensing something was amiss, even before the fraud took place, but followed through with the scammers’ requests.

“Trust your instincts,” Davies advises. “If something doesn’t feel right, just stop what you’re doing. If you don’t trust it, hang up, and call or email the CRA directly.”

How to contact the CRA If you’re calling from Canada or the United States: 1-800-959-8281

If you’re calling from another country: 1-613-940-8495

If you use a teletypewriter: 1-800-665-0354

If you use the Canada Video Relay Service: 1-800-561-6393

