Around this time every year, scammers start sending out emails to Canadians claiming to be from the Canada Revenue Agency. As with most phishing schemes, recognition is the key to protecting yourself. The bottom line is this: ANY EMAIL PURPORTING TO BE FROM THE CANADA REVENUE AGENCY IS A SCAM. There are no exceptions.
CRA has always had to be extra careful about security, which is one of the reasons it can be so difficult to get your own private tax information from them over the phone. But another aspect of their security guidelines results in the following iron-clad rule: CRA never sends individual emails. Their position has always been that email is not secure enough. CRA only communicates by letter or by phone.
Even by phone, they tend to be cautious. If you have ever called them to ask about your personal tax situation, you have experienced their authentication process, where they ask you a series of questions about yourself and/or your last filed tax return in order to confirm your identity. If you call them back the questions change, to prevent people who shouldn’t have access to your account from just boning up on the answers and trying to fool CRA on the second pass.
It is also harder to get an online account with CRA than with other organizations, though they always encouraging people to do it in order to minimize their own need for postage and paper.
During the recent Heartbleed bug scare, the Canada Revenue Agency responded by shutting down all online access to their systems. For nearly a week neither individuals nor tax offices like ours had any way to transmit or read information from their computers.
To make up for the lost time, regular tax filers (i.e., salaried employees with no self-employment income) have been granted an additional 5 days’ amnesty, both for filing their returns and for paying their tax bills. No late filing penalties or interest for 2013 T1 Individual returns will apply before May 5, 2014.
Self-employed individuals and their spouses always have until June 15 to file, and to our knowledge no extension has been offered for that deadline (beyond the fact that when it falls on a weekend, the effective deadline is the next business day).
As for the security breach which may have resulted in the theft of 900 Social Insurance Numbers (SINs), CRA will be contacting the holders of the affected SINs via letter. Again, any email informing you that you have been compromised is a scam, and it appears that CRA will not be phoning about this issue either. If CRA has your current address on file and you don’t receive a letter, yours was not one of the compromised numbers.