What happened
Today a phishing message arrived, impersonating a Canadian government service. It claimed there was a problem with my account and steered me to a site that looked official enough to pass a quick glance. I entered sensitive information before the penny dropped.
I am not usually the person who falls for this kind of thing. Context lowered my guard. I had just filed my taxes and had a genuine CRA email about my return sitting unread while I was buried in finals. I had also sent the CRA material by fax, so some corner of my brain entertained the absurd idea that they might be “faxing” me in return. Hindsight makes that sound silly; in the moment, it nudged the message toward plausible.
Once I understood what I had done, I treated it as a possible identity-theft scenario and shifted from hesitation to containment. This post is a plain record of the steps that followed. Not every action may have been strictly required, but I wanted a dated trail for myself, and I will amend it if anything else comes of this.
What I did first
I changed the affected banking password first—immediately, and to something unrelated to the old one, not a light edit of it. The point was to retire the exposed credential as fast as I could.
Then I started on formal reports and alerts: an official footprint for investigators and creditors, and friction for anyone trying to reuse what might have leaked.
I reported the incident to the Canadian Anti-Fraud Centre so it would sit in the national fraud reporting system.
I contacted both major Canadian credit bureaus. With Equifax I requested an identity alert; with TransUnion I placed a fraud alert on my file. The aim was straightforward—if someone later tried to open new credit in my name, a flag should already be visible.
Because the lure touched government-style identity data, I also filed CRA’s identity theft and suspicious activity declaration. That added another government-side record and started protective handling on the tax account, not only on banking and credit.
Along the way I kept screenshots, confirmations, reference numbers, and anything else that might matter later. For this class of event, a paper trail is nearly as important as the first-hour response.
Checklist (end of the first response window)
- Banking password changed immediately
- Report filed with the Canadian Anti-Fraud Centre
- Identity alert submitted with Equifax
- Fraud alert placed with TransUnion
- Suspicious activity / identity theft declaration filed with the CRA
- Evidence and confirmations archived
Takeaway
The lesson I am taking away is blunt: the opening minutes count. When sensitive data may have left your control, acting before you have perfect clarity beats waiting for certainty that never arrives. Fast containment, credible reporting, credit-file warnings, and disciplined documentation separate a frightening day from a story that spirals without guardrails.
I still wish the world ran on fewer scams; until it does, the practical job is to defend the parts of your life you can. If this note helps someone else—or reminds future me not to step in the same hole twice—it will have earned its place here.