CRA management knew about major fraud-detection gaps when agency paid bogus refunds, records show

In early 2024, senior officials at the Canada Revenue Agency were so concerned that they had mistakenly authorized tens of millions of dollars in fraudulent refunds that they wrote confidential briefing notes stating that the agency was plagued by significant “gaps” in its ability to detect — and stop — fraudsters, records show.

The Fifth Estate/Radio-Canada has learned the agency knew of “major risks” in its fraud detection systems, including a previously undisclosed scheme that led to a potential loss of $100 million in fraudulent payments since last November.

According to sources, one of the most glaring weaknesses identified by senior executives was that fraudsters were able to pose as accountants or tax intermediaries and hack into taxpayers’ accounts.

“This affects the agency’s ability to detect suspicious activity both proactively and in a timely manner, resulting in undetected fraud, expanded unauthorized account access and/or changes to accounts,” said an internal memo written earlier this year.

“This gap leads to economic losses, affects the privacy of Canadians and may lead to media reports detailing a lack of action by the CRA.”

According to sources, these concerns were raised internally at the executive level in departments responsible for the security of taxpayers’ accounts.

The Fifth Estate/Radio-Canada is not identifying the sources because they are not authorized to speak to the media.

“The consensus is that these gaps pose major risks to the agency. While there are funding and (human) resource considerations, all agree that visibility is needed on the issue,” the CRA memo concluded.

Publicly, however, Tax Secretary Marie-Claude Bibeau and her agency continue to paint a very different picture of the CRA’s ability to detect fraudulent payments.

“Fraud is obviously unacceptable, but I believe the agency has a robust system,” the minister said three weeks ago in Ottawa. “The CRA’s systems are solid. We are able to deal with and block attempted fraud, inform those affected and ensure the necessary follow-up.”

The CRA recently said it had confirmed losses of just $3 million this year to fraudulent refunds of taxpayer accounts hacked by fraudsters – a figure it said was a “dramatic reduction” from previous years.

‘It does no one any good to hide the reality’

Today, those claims by the minister and her agency’s senior leadership are coming under increasing scrutiny as multiple insiders have told the CBC that the CRA knew the numbers it presented to the public about fraudulent refunds were underreported and misleading.

“Hiding reality literally does no one any good,” said a source.

In Parliament, Senate and House of Commons committees have called on the minister and CRA officials to testify about recent revelations that tens of thousands of taxpayer accounts have been hacked by fraudsters and hundreds of millions in bogus refunds have been wrongly paid out.

Bibeau and some of her top officials are scheduled to testify before the Senate National Finance Committee on Tuesday.

Basic information not verified

According to sources, agency employees raised concerns that several fraudulent schemes succeeded because no one at the CRA appeared to be tasked with verifying basic documentation before paying out millions.

When some of these frauds were discovered, it was often afterwards.

Numerous frauds would never have been discovered if it weren’t for banks contacting the CRA after noticing suspicious deposits in Government of Canada customer accounts, according to sources.

Other scams were discovered after taxpayers tried to file their returns, only to realize a fraudster had tricked them into doing so, changing direct deposit information and other personal details.

Several victims of hacked accounts have told CBC/Radio-Canada that they have been treated poorly by the agency, sometimes made to feel that they were not telling the truth about being hacked, and that the CRA is slow to return calls and provide them the repayments they are legally owed.

Several victims have said that it appeared that the CRA was not interested in pursuing the actual fraudsters.

Ottawa high school teacher AJ Blauer said he realized his account was hacked in 2020. He said he noticed the changes to his direct deposit information but couldn’t get through to alert the CRA because its fraud line wasn’t picking up call the weekend.

When he finally got through, he said the CRA didn’t seem to share his level of concern, nor did the agency follow up on information he provided that might have identified the fraudster.

“I’m a law-abiding citizen and I don’t like the idea of ​​people stealing public revenue,” Blauer said. “It took me two years to fully recover from this identity theft. What has the CRA done to straighten out its own affairs?”

The ‘Line 45600’ scheme

According to sources, agency employees repeatedly raised the alarm about how easy it was for fraudsters to change information in taxpayer accounts without those changes being verified by the legitimate owner of the account.

One such scam, involving false claims of tax deductions from income received from trusts, was first noticed by the CRA in November 2023. According to sources, the scheme grew exponentially until the end of April 2024, when fraudsters had requested $128 million in false refunds.

The CRA is making efforts to recover some of the fraudulent refunds it paid out in the scheme, estimated at potentially $100 million, according to sources.

Internally, agency officials noted that nothing prevented fraudsters from making multiple changes to the same tax returns on the same day, something that would rarely, if ever, happen under normal circumstances.

But according to sources, after fraudsters discovered this loophole, they repeatedly exploited it to obtain fraudulent refunds by filing false information on a particular line of their tax returns.

The CRA’s media relations office declined to answer specific questions about this particular scheme, known as the 45600 line.

However, agency spokesperson Nina Ioussoupova said “the vast majority of Canadians are honest and the CRA has effective systems in place to deal with the small percentage of people who file fraudulent claims.”

Fraudsters used third-party tax intermediaries

A major weakness in detecting fraud, according to sources, is what are known as third-party EFILE credentials — the special codes given to accounting firms that file taxes on behalf of Canadians.

The Fifth Estate/Radio-Canada investigation has revealed that fraudsters often hack into taxpayers’ accounts by obtaining the codes used by accounting firms, then changing the taxpayers’ direct deposit information and repeatedly duping the CRA into issuing those refunds.

One mistake, according to sources, was the fact that the agency allowed multiple users at the same accounting firm to use the same EFILE number and passwords.

That meant that whether the fraudster operated from within the accounting firm or was an external fraudster who obtained those passwords, it was often impossible to determine exactly who had used those credentials to hack into the taxpayer’s account, according to sources.

The Fifth Estate/Radio-Canada reported last week that sources now believe the CRA is on a “witch hunt” to find whistleblowers who may have told the media about millions paid out in bogus refunds and reported major weaknesses in fraud detection at the agency.

• If you have any tips on this story or if you have been the victim of a hacked CRA account, please call 416-526-4704 or confidentially email [email protected] or Daniel. [email protected]