Protect Your Money Online

Canadians lose hundreds of millions of dollars to fraud every year — and the number keeps climbing. From fake CRA calls to phishing emails that look exactly like your bank's login page, scammers are getting better. This guide covers how to protect your financial accounts, spot scams before you fall for them, and what to do if your identity is stolen.

8 sections

Last updated: March 2026

Identity Theft in Canada

Identity theft happens when someone uses your personal information — your Social Insurance Number (SIN), name, date of birth, or financial details — to open accounts, file taxes, or borrow money in your name. It's one of the fastest-growing crimes in Canada.

$530M+

Lost by Canadians to fraud in 2023, according to the Canadian Anti-Fraud Centre

The damage goes beyond money. Identity theft can take months to resolve. Fraudulent debts can destroy your credit score, prevent you from getting approved for a mortgage or car loan, and even affect employment — some employers run credit checks. The sooner you detect it, the easier it is to contain.

Someone files a tax return in your name and collects your refund.
Fraudulent credit cards or loans are opened using your SIN and personal details.
Your bank account is accessed and drained through stolen credentials.
Medical services are billed under your identity (less common in Canada but it happens).
Your social media accounts are compromised and used to scam your contacts.

WATCH OUT

Your SIN is the single most valuable piece of information for identity thieves. Never carry your SIN card in your wallet. Only provide your SIN when legally required: to your employer, your bank (for registered accounts), the CRA, and government programs. No landlord, doctor's office, or retail store needs your SIN.

The Most Common Scams Targeting Canadians

Scammers target Canadians with increasingly sophisticated methods. Here are the most common ones — knowing what they look like is your best defence.

Scam Type	How It Works	Red Flag
CRA Phone/Text Scam	"You owe taxes and will be arrested if you don't pay immediately." Caller demands payment by gift card, crypto, or wire transfer.	The CRA will NEVER threaten arrest, demand gift card payment, or call without first sending a written notice by mail.
Bank Phishing Email	Email that looks like it's from your bank with a link to a fake login page. You enter your credentials, and the scammer now has them.	Check the sender's email address carefully. Banks will never ask you to "verify your account" via email link.
Romance Scam	Someone you meet on a dating app builds a relationship over weeks/months, then asks for money — often for an "emergency" or "investment opportunity."	Anyone who asks for money before meeting in person. Any request for wire transfers, crypto, or gift cards.
Investment Scam	"Guaranteed returns" on crypto, forex, or other investments. Often promoted through social media or messaging apps.	No legitimate investment guarantees returns. If it sounds too good to be true, it is.
Employment Scam	Fake job offer requiring you to pay for "training materials" or "equipment" upfront, or asking you to deposit a cheque and send part of it back.	No real employer asks you to pay to work for them. Overpayment cheques are always fraudulent.
Rental Scam	Fake rental listing (often stolen photos from real listings) requiring a deposit before viewing. The "landlord" is overseas or unavailable to show the unit.	Never send money before seeing a unit in person and verifying the landlord's identity.

PRO TIP

If you receive a suspicious call claiming to be from the CRA or your bank, hang up and call them directly using the number on their official website or on the back of your bank card. Never call back a number provided by the caller.

How to Spot a Scam

Most scams share common characteristics. If you can recognize these red flags, you'll avoid the vast majority of fraud attempts.

5 Universal Red Flags

1Urgency or threats: "Act now or face arrest." "Your account will be closed in 24 hours." "This offer expires today." Legitimate organizations don't pressure you with artificial deadlines.
2Unusual payment methods: Gift cards, cryptocurrency, wire transfers, or e-Transfer to a personal account. No government agency or legitimate company accepts payment by gift card.
3Unsolicited contact: You didn't initiate the call, email, or message. The CRA, your bank, and legitimate employers don't cold-call or text out of the blue asking for personal information.
4Too good to be true: Guaranteed investment returns, a job that pays $5,000/week for minimal work, or a prize for a contest you never entered.
5Requests for sensitive information: Your SIN, passwords, banking login credentials, or PINs. No legitimate organization asks for these by phone, text, or email.

Key Terms

Phishing: Fraudulent emails, texts, or websites designed to look like legitimate organizations (your bank, the CRA, Amazon) to steal your login credentials or personal information.
Smishing: Phishing via SMS text message. Common examples: fake package delivery notifications, fake bank alerts, and fake CRA texts.
Vishing: Voice phishing — scam phone calls pretending to be from the CRA, your bank, or law enforcement.
Social Engineering: Manipulating people into revealing confidential information by exploiting trust, fear, or urgency. The scammer creates a scenario where you feel compelled to act without thinking.

WATCH OUT

AI-generated voice cloning is becoming more common. Scammers can now clone a family member's voice from social media clips and call you pretending to be in an emergency. If you receive a distressed call from a family member asking for money, hang up and call them directly on their known number.

Protecting Your CRA Account

Your CRA My Account contains your tax returns, SIN, income history, and benefit payments. If someone gains access, they can change your direct deposit information, file a fraudulent tax return, or steal your refund. This is one of the highest-value targets for identity thieves in Canada.

Checklist

Enable multi-factor authentication (MFA) on your CRA My Account — this requires a code from your phone in addition to your password.Sign up for email notifications so you are alerted when changes are made to your account.File your tax return as early as possible each year — this prevents someone from filing a fraudulent return in your name before you do.Review your Notice of Assessment carefully. If it shows income you did not earn, someone may have filed a return using your SIN.Use a strong, unique password for your CRA account. Do not reuse passwords from other sites.Check your CRA My Account periodically for any changes to your address, direct deposit, or marital status that you did not make.

PRO TIP

If you receive a Notice of Assessment for a tax return you didn't file, or if your legitimate return is rejected because "one was already filed," contact the CRA immediately at 1-800-959-8281. This is a sign someone has filed using your SIN.

Protecting Your Bank Accounts

Your banking credentials are a prime target for scammers. Canadian banks have strong security systems, but they rely on you to follow basic security practices. Most bank fraud succeeds because the customer was tricked into giving up their own credentials.

Checklist

Use a unique, strong password for each banking and financial account. Never reuse passwords across sites.Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on every financial account that offers it.Do not bank on public WiFi. Use your phone's cellular data or a reputable VPN if you need to access banking away from home.Set up transaction alerts — most banks let you get notified by text or email for transactions above a certain amount.Review your bank and credit card statements at least monthly. Report any unauthorized charges immediately.Enable Interac e-Transfer autodeposit — this eliminates the security question, which prevents interception of e-Transfers.Lock your credit and debit cards in your banking app when not in use (most major Canadian banks now offer this feature).

If your debit or credit card is compromised, call your bank immediately. Under the Canadian Code of Practice for Consumer Debit Card Services, you are generally not liable for unauthorized transactions if you report them promptly and haven't been negligent with your credentials.

PRO TIP

Set up a separate email address exclusively for banking and financial accounts. Don't use it for social media, shopping, or newsletters. This drastically reduces the chance of phishing emails reaching the inbox connected to your bank.

What to Do If Your Identity Is Stolen

If you discover unauthorized activity — accounts you didn't open, charges you didn't make, or a tax return you didn't file — act immediately. The faster you respond, the less damage is done.

Step-by-Step Response Plan

1Contact your bank immediately. Report the fraud, freeze compromised accounts, and request new cards. Most banks have a 24/7 fraud hotline.
2Place a fraud alert with both credit bureaus: Equifax Canada (1-800-465-7166) and TransUnion Canada (1-800-663-9980). This flags your file so lenders take extra verification steps before issuing credit in your name.
3Report to the Canadian Anti-Fraud Centre (CAFC): call 1-888-495-8501 or report online at antifraudcentre-centreantifraude.ca. They track fraud across Canada and coordinate with law enforcement.
4File a police report with your local police service. You may need the report number for disputes with creditors.
5Report to the CRA if tax fraud is involved: call 1-800-959-8281 to report identity theft related to your tax account.
6Check your credit reports from both Equifax and TransUnion for any accounts or inquiries you don't recognize. Dispute any fraudulent items in writing.
7Document everything: keep records of every call, email, and letter related to the fraud. Note dates, names of representatives, and reference numbers.

WATCH OUT

Do NOT delay reporting. Under most bank agreements, you must report unauthorized transactions within 30 days to avoid liability. The faster you report, the more likely you are to recover lost funds and prevent further damage.

Credit Freezing and Fraud Alerts

Fraud alerts and credit freezes are two tools available to protect your credit file after identity theft — or even proactively if you want extra security.

Protection	What It Does	How to Get It
Fraud Alert	Flags your credit file so lenders must take extra steps to verify your identity before issuing new credit. Doesn't prevent credit checks, but adds a layer of verification.	Contact Equifax Canada (1-800-465-7166) or TransUnion Canada (1-800-663-9980). You only need to contact one — they will notify the other.
Credit Freeze (Security Freeze)	Locks your credit file completely. No one — including you — can open new credit until you lift the freeze. More secure than a fraud alert.	Contact both Equifax and TransUnion directly to request a freeze. Less commonly used in Canada than in the US, but available.
Credit Monitoring	Alerts you when changes are made to your credit file — new accounts, inquiries, or address changes. Reactive, not preventive.	Available free through some banks (e.g., RBC, TD) or through paid services from Equifax and TransUnion ($15–$30/month).

PRO TIP

Equifax and TransUnion are required to provide you with a free copy of your credit report once per year (or anytime you've been denied credit). Request yours annually to check for unauthorized accounts. You can request your Equifax report online, and TransUnion allows requests by mail or phone.

If you place a credit freeze, remember that you'll need to temporarily lift it whenever you legitimately apply for credit — a new credit card, mortgage, car loan, or even a new phone plan. Keep the PIN or password you're given when you set up the freeze in a secure location.

Password and Account Security

Most people know they should use strong, unique passwords. Most people also don't actually do it. If you use the same password for your email and your bank account, a single data breach — at any company — gives attackers access to your financial life.

The Solution: Password Managers

A password manager generates, stores, and auto-fills unique, strong passwords for every account. You only need to remember one master password. This is the single most impactful thing you can do for your online security.

1Password: Canadian-founded (Toronto). Individual plan ~$4 CAD/month. Family plan ~$7 CAD/month for up to 5 people.
Bitwarden: Open-source, free for basic features. Premium plan ~$13 CAD/year. Great budget option.
Apple Passwords (built into iCloud Keychain): Free if you're in the Apple ecosystem. Works across iPhone, iPad, and Mac.
Google Password Manager: Free, built into Chrome and Android. Convenient but less feature-rich.

Additional Security Measures

Checklist

Enable biometric login (Face ID, fingerprint) on all banking apps.Use a unique email address for financial accounts (separate from social media and shopping).Enable 2FA/MFA on every account that supports it — banking, email, social media, CRA.Set a PIN with your mobile carrier to prevent SIM swapping (where attackers transfer your phone number to their SIM card to intercept 2FA codes).Never share passwords, PINs, or 2FA codes with anyone — your bank will never ask for these.Keep your phone and computer operating systems updated — security patches close vulnerabilities.

Key Terms

Two-Factor Authentication (2FA): A security method that requires two forms of verification: something you know (password) and something you have (your phone for a code). Even if your password is stolen, attackers cannot access your account without the second factor.
SIM Swapping: A fraud technique where attackers convince your mobile carrier to transfer your phone number to a new SIM card. This lets them receive your 2FA text codes and access your accounts. Prevent it by setting a PIN with your carrier.
Data Breach: When a company's systems are hacked and customer data (usernames, passwords, personal information) is stolen. If you reuse passwords across sites, one breach compromises all your accounts.

WATCH OUT

SIM swapping is on the rise in Canada. Call your mobile carrier (Rogers, Bell, Telus, Freedom, etc.) and ask to set a PIN or passphrase on your account. This prevents anyone from transferring your number without the PIN — protecting all your accounts that use text-based 2FA.

Continue learning

Related guides

Credit Scores Banking Credit Cards