Canada Revenue Agency Admits Paying Out $190 Million to Scammers, Fake Tax Refunds

The Canada Revenue Agency (CRA) has issued a statement indicating that it has lost about $190 million in payments made to scammers since 2020. The highlight item is a $40 million tax refund scam in which the perpetrator simply logged into an account and requested the astounding sum of money using false T4A income reporting slips.

That attempt was caught, but only after the agency had already paid out $10 million to the fraudster (and only because the Canadian Imperial Bank of Commerce (CIBC) flagged the transaction due to its size and unusual circumstances). While that is the single most embarrassing instance, the agency has lost most of the total money to scammers who have leveraged data from privacy breaches to commit fraud.

Canada tax refunds being successfully exploited by scammers

The CRA has tied its losses primarily to an explosion of privacy breaches since 2020. The agency has documented over 31,468 “material” privacy breaches from March 2020 to December 2023, impacting a total of about 62,000 Canadians. This comes after years of reporting only about 40 to 70 such privacy breaches to Parliament each year; the agency has yet to produce a full explanation for the underreporting.

The scammers are filing false tax refunds primarily on the back of financial information leaked from private companies. An anonymous source has told media outlets that one recent breach feeding numerous attempts is that of H&R Block Canada, which was not discovered until the midst of tax filing season earlier this year. Attackers reportedly obtained some sort of company login to access the personal information of hundreds of the tax prep firm’s customers, then used that to access CRA accounts, change direct deposit information and submit false returns. This incident led to about $6 million in losses. H&R Block maintains that its client information was not stolen or used in this way.

Whether or not the H&R Block reporting is accurate, that still leaves the vast majority of the $190 million confirmed by the agency unaccounted for. CRA has thus far only defended its lack of transparency by claiming the tens of privacy breaches reported in prior years were its best available information at the time, and that it did not discover that the number was actually in the tens of thousands until after the March 2024 reporting deadline for the current year.

CRA has not yet offered Parliament an explanation as to how it made this sudden discovery, only saying that it became aware in June 2024. However, it did claim that most of these false tax refunds were filed during the height of the Covid-19 pandemic and that there has been a “drastic reduction” in recent years. But the inside source that reported the H&R Block breach claims that the agency is sitting on a large backlog of suspicious cases that have yet to be properly investigated.

The story has been backed up by media and security researchers who have found dark web postings from around April of this year offering H&R Block data for sale, claiming that it came from an internal source at the company.

Source claims misplaced priorities contributing to CRA losses

The source ties the problem back to CRA’s “pay and chase” culture, which prioritizes making the agency look efficient by quickly issuing tax refunds. It is not necessarily doing thorough due diligence on these claims before issuing payments, instead preferring to audit and chase down fraudsters later. This extends to not always sharing indicators of potential fraud with financial institutions that receive and process these payments.

The breakdowns in the process are highlighted by a 2023 case of fraud that was only recently revealed. In the summer of that year, a Canadian taxpayer simply logged into their own CRA account and requested $40 million in tax refunds. The agency was $10 million into paying it out before it was alerted by CIBC, who initially thought the government had made some sort of error and followed up about it.

Had they not intervened, the thief would have received another $10 million just three days later and the remaining $20 million the following week. The guilty party was caught, but had already transferred or spent $4 million by that time. This was another case of using forged T4A slips to amend prior tax returns, though the perpetrator reportedly did so under his own name.

The source has said that that incident prompted CRA to flag any tax refunds over $50,000 for review, though the agency has not announced a change in policy. This has not satisfied critics in the Canadian government, who have been calling for a parliamentary inquiry since the CBC reports were first published and for RCMP involvement. The federal privacy commissioner’s office has said that it is opening an investigation.