Introduction: When the Subject of Scams Becomes the Victim of Scams
Many Canadian taxpayers have encountered scams impersonating the Canada Revenue Agency (CRA), where scammers and fraudsters exploit the agency’s authority and Canadian taxpayers’ fear of tax and administrative penalties.
These scams, such as cryptocurrency scams, are crafted to appear legitimate, emulating CRA communications through bogus calls, emails (even though CRA never communicates by email), text messages (even though CRA never communicates by text), and online conversations. The fact that the CRA has been the subject of scams in Canada, usually based on overseas boiler shops, is neither surprising nor anything new. What shocks the public is that the CRA has now also become the victim of scams, as a result of the CRA’s own incompetence and mismanagement.
The Canada Revenue Agency (CRA), tasked with administration, enforcement, and collection of taxes, has been entangled in a troubling series of missteps and systemic failures in recent years. Many of these issues likely could have been avoided or minimized with better foresight and more proactive management practices.
However, the CRA has repeatedly failed to act appropriately and that has resulted in errors that provide opportunities for fraudsters and cybercriminals to exploit the system. The CRA has not only become a subject of scams, but also has often become the victim of a series of scams. A victim of its own incompetence, the CRA has yet to develop a comprehensive and functioning system to effectively combat any existing and potentially fraudulent activities.
This article examines some of the recent fraudulent activities that significantly impacted the CRA and Canadian taxpayers, and discusses what measures could have been taken for the CRA and the taxpayers to counter and prepare for these activities.
Tax-Refund Fraud: CRA Duped in a Multi-Million-Dollar Bogus Tax Refund Case
How does the CRA ensure the legitimacy of a $10 million tax refund issued to an individual? A recent case highlighted the CRA’s lack of verification systems and controls when the CRA issues substantial tax refunds.
As a result, the CRA only became aware of bogus tax refund claims after the Canadian Imperial Bank of Commerce (CIBC) contacted the CRA, inquiring about a suspicious $10 million payment made to an individual by the CRA. From the bank’s perspective, it is unusual for an individual taxpayer to receive such a large payment of tax refunds.
Following the bank’s protocol, the bank flagged the payment and subsequently contacted the CRA for verification. It is alleged that the CRA may have never discovered the scam but for the alert from the CIBC. Without the CIBC’s alert, the CRA would have continued to pay out millions of dollars of tax refunds that were claimed under the same scheme.
Following the incident and after the Parliament called for probes into the scheme, the Federal Privacy Commissioner’s Office initiated an investigation, which revealed that the CRA paid out over $190 million Canadian dollars in bogus tax refunds under the “fake T4A scheme”.
The scam is relatively straightforward and exploits the CRA online assessment system. When a taxpayer submits a tax return or amends a submitted tax return, the CRA assessment system quickly issues an Express Notice of Assessment and/or a Notice of Assessment, if there is no apparent issue with the return. Therefore, scammers can go online, file a T4A slip that includes no new income and large tax deductions, and then amend multiple past tax returns to claim a significant amount of tax refunds.
When the CRA online assessment system accepts the T4A slip and amended returns, the CRA system issues the tax refunds to the scammers without double-checking whether the T4A slip is genuine or whether the amount of taxes claimed to have been paid is actually paid. By the time an actual CRA officer gets to review the T4A slip or the amended returns, the scammers with the bogus tax refund are now untraceable.
Cyberattacks: Tens of Thousands of Taxpayers’ CRA Accounts Hacked
The CRA has been pushing for digitization of the Canadian tax system for the past years, since the Tax Filing Infrastructure Readiness program was initiated in 2008. By May 2017, close to 90% of Canadian tax returns were filed online.
The CRA’s electronic system, however, has also been under countless cyberattacks since its introduction, compromising thousands of taxpayers’ accounts. In 2020, after a forensic analysis, the CRA identified suspicious activities on approximately 48,500 accounts. The CRA subsequently locked these accounts and required affected taxpayers to take additional actions before reactivating the accounts.
In August 2022, the Federal Court in Sweet v Canada, 2022 FC 1228, while certifying the case as a class action lawsuit, noted that at least 48,110 online CRA accounts were impacted by the “unauthorized use of credentials.” In 12,700 of those accounts, the scammers changed the taxpayer’s direct deposit banking information and fraudulently applied for the Canadian Emergency Response Benefit (CERB). The lead plaintiff in Sweet v Canada, representing thousands of people whose online CRA accounts were vulnerable to hackers and were likely hacked, believed that the operational failures by the CRA to properly secure the online database resulted in this incident. The ongoing class action is yet to be heard by the Federal Court or to reach a settlement.
At the height of tax filing season in 2024, the Canada Revenue Agency discovered leaks of confidential data allegedly used by one of Canada’s largest tax preparation firms. An investigation by CBC and Radio-Canada found that the scammers were able to pocket at least $6 million in bogus tax refunds by illegally accessing taxpayers’ online CRA accounts. The public was never alerted to the scheme until news articles from CBC and Radio-Canada were released and discussed the scheme. The CRA has yet to identify the hackers.
Telecom “Carousel Scheme”: The CRA Allegedly Distributed $100 Million in Fraudulent Payments to Carousel Schemes
The CRA has publicly committed to “combating aggressive Income Tax and Goods and Services Tax/Harmonized Sales Tax arrangements” that the CRA referred to as the “Carousel Scheme.” The CRA alleges that the Carousel Scheme usually involves a group of entities, including a “missing trader” and a “zero-rater,” who work together to sell goods to each other, or, at times, provide the appearance of selling goods to each other.
The missing trader charges GST/HST without remitting the collected GST/HST, while the zero-rater, whose business activities change the taxable status of goods by claiming to sell the goods offshore, can claim input tax credit without charging and remitting GST/HST. The CRA further claims that the scheme can be very difficult to detect and counter since the books and records of these entities are often meticulously fabricated and involve numerous entities.
In April 2024, a previously sealed affidavit from a CRA officer was released, which detailed how alleged scammers, including a Toronto company, Gold Line Telemanagement, managed to trick the CRA into paying out $37 million in sales tax refunds.
Prior to the release of the affidavit, the CRA also admitted to the media that more than $63 million had been paid out in the same type of scheme involving another group of entities, some of which are related to Gold Line Telemanagement.
Experts suspect that the CRA has yet to discover the scale of the carousel schemes that involve different groups of entities. Gold Line Telemanagement and the other involved entities all deny the CRA’s allegations. The Tax Court of Canada has yet to rule on the Carousel Scheme cases, and the CRA’s claim that these entities engaged in sham transactions has yet to be proven. It is estimated, if such a scheme is indeed fraudulent, that the CRA likely has been involved in more cases beyond the two ongoing cases.
Pro Tax Tips – Be Vigilant And Critical About Your Tax Matters!
It is very difficult for individual taxpayers to protect themselves from any of CRA’s incompetence or mistakes. Typically, a taxpayer will only be notified of the incident often after the CRA has managed to contain the issue and after the damage has been done, if the taxpayer is notified at all.
Few recourses are available to affected taxpayers, especially when the CRA cannot even identify the scammers’ identity or the source of the problem. The CRA may also wrongfully accuse a taxpayer of engaging in certain schemes, which can result in prolonged legal disputes and significant legal costs for the taxpayer to fight the CRA’s false accusations. It is, therefore, important to stay critical and alert regarding your tax matters before any problem gets out of hand.
If you suspect that the CRA has made mistakes in relation to your tax matters, you should engage with one of our expert Canadian tax lawyers. Our expert Canadian tax lawyers can provide legal advice, identify any potential issues and areas of concern, and assist you with understanding your rights and obligations when you are dealing with the CRA.
FAQ
How Did The CRA Lose Millions Of Dollars By Issuing Tax Refunds?
The CRA was defrauded in a scheme involving fake T4A slips and amended income tax returns. As part of the scheme, scammers submit fraudulent T4A slips and amend prior tax returns to the CRA to claim refunds for taxes that were never paid.
The CRA’s online assessment system can approve and then issue the refunds without alerting the CRA, even as some refunds were as high as $10 million Canadian dollars per payment. As a result, the bogus tax refunds were issued to the scammers, without the CRA ever verifying the validity and genuineness of the T4A slips. By the time the CRA starts looking into the tax returns, the scammers are nowhere to be found.
How Can I Protect Myself From Cyberattacks On CRA Accounts?
A data breach is extremely dangerous when hackers obtain taxpayers’ identification and tax-related information. Hackers with this information can pose as taxpayers to fraudulently claim tax refunds, open credit cards or borrow money, and even engage in criminal activities. Therefore, it is important to make sure that you are well protected from any potential cyberattacks.
If you have access to an online CRA account, make sure you review your account activities on a regular basis. You should contact the CRA or seek legal assistance if you notice any unusual activities. If you receive notices and letters that may have come from the CRA, you can verify the validity of the notices and letters by calling the CRA. It is also important to avoid disclosing personal information to others who should not have access to such information.
Disclaimer: This article just provides broad information. It is only up to date as of the posting date. It has not been updated and may be out of date. It does not give legal advice and should not be relied on. Every tax scenario is unique to its circumstances and will differ from the instances described in the article. If you have specific legal questions, you should seek the advice of a Canadian tax lawyer.