The Canada Revenue Agency warned that threats to CRA account security continue after the main tax-filing season ends.
CRA said scammers operate year-round and often time scams around tax season or pre-published payment dates for CRA-administered benefits and credits.
The agency said it uses security measures including multi-factor authentication and revocation of user IDs and passwords obtained through sources outside CRA, such as phishing schemes or third-party data breaches.
CRA said it proactively revoked more than 50,000 CRA user IDs and passwords in 2025 after identifying them as potentially available to threat actors.
The warning matters because account access can affect more than one tax return. A compromised account may expose personal information, direct-deposit details, benefit applications, or changes to a return.
CRA told taxpayers to monitor accounts for unexpected changes, including changes to personal information, benefit applications made on their behalf, or changes to a tax return.
Tax administration increasingly depends on digital accounts, so account security is now part of protecting refunds, benefits, and identity information.