The Canada Revenue Agency (CRA) has some explaining to do after suddenly admitting that it has been undercounting fake tax refunds it has paid out for at least several years now, and what appeared to be tens of incidents per year has actually been tens of thousands. An inside source has told the CBC that much of this is fed by personal information leaked in prior data breaches, but the agency also appears to have massive security holes that allow the average taxpayer to rather easily submit false claims and get paid.
CRA “pay and chase” resulting in a lot of chasing
The source told CBC that the root of the problem is a “pay and chase” culture that the CRA has had in place since at least the outset of the Covid-19 pandemic. The agency reportedly applies little scrutiny to tax refunds when they are submitted and looks to pay them out as quickly as possible, counting on later audits to detect fraudulent claims and recover the money.
This system had appeared to be working well enough. In its required annual reports, the agency had been telling the Canadian government it was only experiencing about 40 to 70 payouts on fake tax refunds each year. However, it then produced a stunning admission in June of this year: it had suddenly discovered over 31,468 additional cases of privacy breaches of this sort dating back to March 2020, none of which had previously been disclosed.
The CRA seems to be suffering from two central problems: poor internal security that allows anyone to successfully alter prior filings and claim tax refunds by manipulating T4A income reporting slips, and criminals making use of data breach information to take over CRA accounts and exploit this process.
The first of those two elements is best highlighted by a $40 million case of fraud reported to the CRA. This one does not appear to have involved a hacker; a Canadian taxpayer logged into their own account, suddenly claimed $40 million in tax refunds, and almost $10 million was sent to them immediately. They were only about a week away from getting the full amount when the bank got CRA’s attention about the initial deposit, believing it to be a mistake of some sort.
The CRA has since admitted a total of $190 million in losses, but it is still unclear where exactly all of this has come from. It has only said that it has experienced a wave of fraud fed by stolen personal information. The inside source said that the agency has recently started flagging any tax returns over $50,000 for review as a result of these incidents, but it looks as if (at minimum) it will be facing an investigation from the federal privacy commissioner’s office.
Scammers use personal data from breaches to access CRA accounts
The CRA says that, since March 2020, about 62,000 Canadians have been impacted by privacy breaches that led to attempts on their CRA accounts. When scammers gain access to an account, they use forged T4A slips or other methods to file false retroactive tax returns, and change the deposit or mailing information on the account to receive the stolen money.
The inside source also indicates that there may have been a breach of H&R Block Canada earlier this year that has yet to be publicly disclosed. They indicate this breach may have directly fed $6 million in theft from CRA via false filings. H&R Block contests the claim and says that it has no information that hackers have used its clients’ information for tax refunds. Security researchers say the claim is supported by dark web postings from April of this year offering H&R Block information for sale.
Whether or not the breach is real, that only accounts for $6 million of the missing $190 million. CRA has thus far only said that the majority of the loss came in the early days of the Covid pandemic, with a “drastic reduction” in these incidents in recent years.