Tax Tip - How the CRA is keeping your information safe this tax season
Canada NewsWire
OTTAWA, ON, Dec. 17, 2025
During tax season, threat actors step up their attempts to access taxpayers' accounts at the Canada Revenue Agency (CRA) to file fraudulent tax returns and benefit claims.
To protect your personal information from increasing threats and unauthorized third parties, the CRA is continually introducing and improving its security measures.
Improving account security through multi-factor authentication (MFA)
The CRA uses MFA to enhance the security of online accounts. This process requires users to enter a one-time passcode every time they sign in.
Important update: Starting in February 2026, CRA account users will be required to have a backup MFA option on file, such as a passcode grid or third-party authenticator app. This measure will further strengthen the security of CRA accounts and prevent users from getting locked out during the MFA process. To add this extra layer of security now, and to avoid possible delays or issues when filing your tax return, sign in to your CRA account and follow the steps to update your MFA settings.
Revoking at-risk user IDs and passwords
The CRA proactively revokes CRA user IDs and passwords that may have been obtained by unauthorized third parties through external sources. Additionally, user IDs and passwords that have been unused for a prolonged period of time are revoked to prevent them from being misused by threat actors.
Taking down phishing websites
Over the past year, the CRA and its partners have successfully taken down hundreds of fraudulent websites attempting to impersonate the CRA for malicious purposes. As these fake websites may appear more frequently over the coming months, taxpayers should be extra cautious and make sure they're using official CRA sources to get their information. To avoid fraudulent websites:
- confirm that the CRA web address either starts with Canada.ca or ends with cra-arc.gc.ca
- do not click links in texts or emails, as links can lead to fake websites
- type the official website address directly into the web browser
More information on how to identify fake websites can be found on Recognize a scam.
Steps you can take to protect your CRA account
The CRA's constant vigilance combined with good individual cyber habits creates a strong barrier against those seeking to gain from fraudulent activities.
Not only during tax season, but year-round, the CRA encourages Canadians to:
- regularly change their password
- keep contact information up to date
- monitor their accounts for suspicious activity
For more information, visit Protect your CRA accounts.
Additional resources
- Multi-factor authentication (MFA) (The CRA will update this page in early February 2026)
- Scams and fraud
- Online disinformation
Contacts
Media Relations
Canada Revenue Agency
613-948-8366
cra-arc.media@cra-arc.gc.ca
SOURCE Canada Revenue Agency
