CRA leadership knew of major gaps in fraud detection as agency paid out bogus refunds, records show

In early 2024, senior officials at the Canada Revenue Agency were so concerned it had wrongly authorized bogus refunds of tens of millions of dollars that they wrote confidential briefing notes stating that the agency was plagued by significant “gaps” in its ability to spot — and stop — scammers, records show.

The Fifth Estate/Radio-Canada has learned that the agency knew of “major risks” in its fraud detection systems, including one previously undisclosed scheme that led to a potential loss of $100 million in bogus payouts since last November.

According to sources, one of the most glaring weaknesses identified by senior managers was that imposters were able to pose as accountants or tax preparers and hack into taxpayer accounts.

“This impacts the agency’s ability to detect suspicious activity both proactively and in a timely manner, resulting in undetected fraud, extended unauthorized account access and/or changes to accounts,” said one internal memo written earlier this year. 

“This gap leads to financial losses, impacts the privacy of Canadians and could lead to media reports outlining a lack of action by the CRA.”

According to sources, those concerns were raised internally, at the executive level in branches in charge of security of taxpayers’ accounts.

Revenue Minister Marie-Claude Bibeau and her agency continue to paint a far different picture of the CRA’s ability to detect fraudulent payouts, saying that the agency has a robust system.
Revenue Minister Marie-Claude Bibeau and her agency continue to paint a far different picture of the CRA’s ability to detect fraudulent payouts, saying that the agency has a robust system. (Justin Tang/The Canadian Press)

The Fifth Estate/Radio-Canada is not identifying the sources because they are not authorized to speak to the media.

“Consensus is that these gaps pose major risks to the agency. While there are funding and [human] resource considerations, all agree that visibility is needed on the issue,” the CRA memo concluded.

In public, however, Revenue Minister Marie-Claude Bibeau and her agency continue to paint a far different picture of the CRA’s ability to detect fraudulent payouts.

“Fraud is obviously unacceptable but I believe that the agency has a robust system,” the minister said three weeks ago in Ottawa. “The CRA’s systems are solid. We are able to deal with and block attempts at fraud, inform those affected and ensure the necessary followup.” 

The CRA recently said that it had confirmed losses of only $3 million this year to bogus refunds of taxpayer accounts hacked by fraudsters — a number it said was a “drastic reduction” from previous years.

‘Benefits nobody to hide the reality’

Today, those assertions by the minister and her agency’s senior leadership are coming under increasing scrutiny as multiple insiders have told CBC that the CRA knew that the numbers it presented to the public about bogus refunds were underreported and misleading.

“It literally benefits nobody to hide the reality,” said one source.

A blank T4A form, with a Canadian flag in the background
A Fifth Estate/Radio Canada investigation found that in one case alone, the Canada Revenue Agency mistakenly authorized bogus refunds of more than $40 million to a tax scammer. (CBC/Radio-Canada)

In Parliament, committees in the Senate and the House of Commons have called on the minister and CRA officials to testify about recent revelations that tens of thousands of taxpayer accounts have been hacked by scammers and hundreds of millions of bogus refunds wrongly paid out. 

Bibeau and some of her top officials are set to testify Tuesday in front of the Senate’s national finance committee.

Basic information not verified

According to sources, agency employees raised concerns that numerous fraudulent schemes succeeded because no one at the CRA seemed to be tasked with verifying basic documentation before paying out millions.

When some of those frauds were detected, it was often after the fact.

Numerous frauds would have never been discovered, according to sources, were it not for banks that contacted the CRA after noticing suspicious deposits into customer accounts from the government of Canada.   

Other frauds were detected after taxpayers tried to file their returns, only to realize a scammer had beaten them to it, changed direct deposit information and other personal details.

Multiple victims of hacked accounts have told CBC/Radio-Canada that they have been treated poorly by the agency, sometimes made to feel they were not telling the truth about being hacked and that the CRA is slow to return calls and to give them the refunds they are legitimately owed.

WATCH | Hackers gained access to thousands of CRA accounts: 

CRA paid millions in bogus tax refunds after hackers accessed thousands of accounts

21 days ago

Duration 3:29

A Fifth Estate/Radio-Canada investigation has uncovered that hackers accessed thousands of Canada Revenue Agency accounts, changed direct deposit information, submitted false returns and reportedly pocketed tens of millions in bogus refunds.

Numerous victims have said it appeared to them the CRA had little interest in pursuing the actual scammers. 

A high school teacher in Ottawa, A.J. Blauer, said he realized his account was hacked in 2020. He said he noticed the changes to his direct deposit information, but could not get through to alert the CRA because its fraud line did not take calls on the weekend.

When he finally did get through, he said the CRA did not seem to share his level of concern, nor did the agency follow up on information he provided that might have identified the scammer. 

“I’m a law-abiding citizen and I don’t like the thought of people stealing public revenues,” Blauer said. “It took me two years to fully extricate myself from this identity theft. What has CRA done to sort out its own affairs?”

The ‘line 45600’ scheme

According to sources, agency employees repeatedly raised alarm bells about how easy it was for scammers to alter information in taxpayers’ accounts without those changes being verified by the legitimate owner of the account.

One such scam, involving making bogus claims of tax deductions from income received from trusts, was first noticed inside the CRA in November 2023. According to sources, the scheme grew exponentially until late April 2024, by which time scammers had requested $128 million in bogus refunds.

The CRA is making efforts to recover some of the bogus refunds it paid out in the scheme, estimated at potentially $100 million, according to sources.

Internally, agency officials noted that nothing prevented scammers from making multiple amendments to the same tax returns on the same day, something that would rarely, if ever, happen in normal circumstances.

The CRA's media relations office declined to respond to specific questions about this particular scheme, known as line number 45600.
According to sources, fraudsters discovered a gap and exploited it repeatedly to obtain fraudulent refunds by filing false information on line 45600 on tax returns. (Canada Revenue Agency)

However, according to sources, after fraudsters discovered this gap, they exploited it repeatedly to obtain fraudulent refunds by filing false information on a specific line in their tax returns.

The CRA’s media relations office declined to respond to specific questions about this particular scheme, known as line number 45600. 

However, agency spokesperson Nina Ioussoupova said the “vast majority of Canadians are honest, and the CRA has effective systems in place to manage the small percentage of people who submit fraudulent claims.” 

Scammers took advantage of 3rd-party tax preparers

One major weakness in fraud detection, according to sources, is what’s known as third-party EFILE credentials — the special codes given to accounting firms who file taxes on behalf of Canadians.

The Fifth Estate/Radio-Canada investigation has revealed that scammers are frequently hacking into taxpayer accounts by obtaining the codes used by accounting firms, then changing taxpayers’ direct deposit information and repeatedly duping the CRA into paying out those refunds.

One flaw, according to sources, was the fact that the agency allowed multiple users at the same accounting firm to use the same EFILE number and passwords.  

That meant that whether the scammer was operating from within the accounting firm or was an outside scammer who had obtained those passwords, it was often impossible to determine exactly who had used those credentials to hack into the taxpayer’s account, according to sources.

The Fifth Estate/Radio-Canada reported last week that sources now believe CRA is on a “witch hunt” to find whistleblowers who may have spoken to the media about millions paid out in bogus refunds and reported major weaknesses in fraud detection at the agency.

  • If you have any tips on this story, or were the victim of a hacked CRA account, please phone 416-526-4704 or email, in confidence, Harvey.Cashore@cbc.ca or Daniel.Leblanc@cbc.ca
     

Source