A Security Guide to Surviving Tax Season in Canada

Posted on March 21, 2019 - by Amy MacNeil - in Building Your InfoSec Program

Tax season security is just one more thing to worry about.

All year round, scammers try to impersonate the Canada Revenue Agency – through phone, text, email phishing or paper mail – to gain access to taxpayers’ personal information and finances. Individuals are particularly vulnerable around tax time when the CRA is on everyone’s mind. The Canadian Anti-Fraud Centre has identified seven different types of common fraud, with new scams invented daily.

Tax time can be stressful, and dealing with the CRA equally so. The CRA, however, will never bully, harass, or intimidate you. The CRA wants to keep your personal information and finances secure, and they provide a number of resources to help you. We’ve compiled them here, along with advice on how to stay secure this tax season. (We also have more tips about how you can be proactive about security during tax season here.)

1. Know the current scams and ask critical questions.

Beyond the information found in the CAFC’s Little Black Book of Scams, there are telltale signs of scammers. Callers who insist you take immediate action are very likely to be scammers. Any caller who requests gift cards, Bitcoin, or other unusual payment methods are definitely scammers- the CRA does not want your iTunes card. The CRA will also not text message you, nor ask for personal information that does not pertain to your tax return. When in doubt, ask yourself these critical questions:

  • Why is the caller pressuring me to act immediately? Am I certain the caller is a CRA employee?
  • Did I file my tax return on time? Have I received a notice of assessment or reassessment saying I owe tax?
  • Have I received written communication from the CRA by email or mail about the subject of the call?
  • Is the caller asking for information I would not give in my tax return or that is not related to the money I owe the CRA?

2. Understand exactly what the CRA will and will not request by phone, email, or written letter. 

The CRA will never ask for information about your passport, health card, or driver’s license. They will never email you a link to your refund (nor any link you have not specifically requested). They will not be aggressive, nor threaten to arrest you or report you to the police. The CRA may:

  • Call you to begin an audit process.
  • Verify your identity by asking for personal information such as your full name, date of birth, address, and account, or social insurance number by phone.
  • Notify you via email when a new message or a document, such as a notice of assessment or reassessment, is available for you to view in secure CRA portals.

3. Prepare and send your tax return securely.

In 2018, about 90% of Canadians filed their tax returns online. Utilizing free tax software is easy and secure as long as you use a product that has been certified for the 2018 tax year; the CRA recently released the latest list containing ten approved software options.

  • Never work on your tax return using public wifi, as these connections are often unsecured and vulnerable to attacks.
  • Use strong passwords for all of your accounts, combining letters, numbers and special characters, while avoiding common words and phrases.
  • Install your computer updates before filing. Filing your taxes on a computer without the latest software updates can leave you vulnerable to attacks.
  • Verify the sites you visit use SSL (Secure Sockets Layer) encryption. Make sure the URL begins with “https,” not just “http.”
  • Backup your return and all the data you uploaded to an external drive and delete everything on the device you used to file with after you have completed. Some free tax software programs may make it difficult, or impossible, to access past returns.

4. Reject and report.

If you receive a suspicious communication from the CRA, their official stance is to reject it. Hang up the phone, and call the CRA back to verify the agent. Never download any files or accept money transfers sent via email or text message from the CRA, and never click any suspicious links. The CRA will only send you a link if you have specifically requested this with an agent. Similarly, you should never fill out or submit any unusual or suspicious forms.

If you’ve been scammed, don’t be embarrassed to admit what happened. The CRA itself fell victim to weak information security practices in 2014 when a 19-year-old computer whiz hacked into the CRA and stole 900 SIN numbers within six seconds. Police suggest that only a fraction of tax fraud is reported, with realistic estimates putting monetary losses at 10x the reported numbers.

To report scams, go to antifraudcentre.ca or call 1-888-495-8501. If you think you may be the victim of fraud or you unknowingly provided personal or financial information, contact your local police service, financial institution, and credit reporting agencies.

Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing a cybersecurity program.

Try Securicy Free


About the author

Amy MacNeil is a sales professional.