
> banks and other institutions continue to send legitimate messages that look like phishing.

The Canada Revenue Agency (tax collectors) once called me up about something. They literally said "To verify your identity, please give me your social insurance number". It's hard to blame people when actual government agencies are training people to be phished.




I ranted about something similar when it came to how the US Internal Revenue Service was implementing authentication for their free-filing service.

They're training taxpayers to put in large amounts of extremely sensitive personal information into a third-party domain called "id.me". Even if you trust the private company, I think it's insane they didn't at least whitelabel the process through a *.irs.gov domain!

(For those curious, the .me TLD is run by the country of Montenegro. Control over DNS has some security implications for phishing and man-in-the-middle attacks.)


Do business with businesses that have local offices. That way, anytime something needs verification or seems off, go into the business's building.


If you live in Canada you can't really opt out of doing business with the CRA.


When a Canadian gov agency calls, a good reverse verification method is to test their French.

« Êtes-vous une pamplemousse? »


Just curious, how did you confirm it was The Canada Revenue Agency and not scammers?


I logged into the CRA website and found something.


"Contact the suspicious person back through the official number or website" is always a good heuristic, especially since it works pretty well as advice for non-technical relatives.



