CRA leadership knew of major gaps in fraud detection as agency paid out bogus refunds, records show

In early 2024, senior officials at the Canada Revenue Agency (CRA) were alarmed by the discovery of significant gaps in their fraud detection systems, leading to the unauthorized authorization of tens of millions of dollars in bogus refunds. Confidential briefing notes revealed that the agency was struggling to spot and stop scammers who were exploiting vulnerabilities in the system.

One undisclosed scheme, identified by sources, resulted in a potential loss of $100 million in fraudulent payouts since November. Imposters were able to pose as accountants or tax preparers, hacking into taxpayer accounts and making unauthorized changes. This lack of proactive detection led to financial losses, privacy breaches, and a risk of negative media attention for the CRA.

Despite internal concerns, Revenue Minister Marie-Claude Bibeau and CRA leadership continued to assert that the agency had a robust system for detecting and preventing fraud. However, multiple insiders revealed that the numbers presented to the public were misleading and underreported.

Reports indicated that basic documentation was not verified before millions were paid out in refunds, and fraudulent schemes often went undetected until after the fact. Victims of hacked accounts shared their frustration with the agency’s slow response and lack of interest in pursuing scammers.

One specific scam known as “line 45600” allowed fraudsters to exploit a gap in the system, resulting in $128 million in bogus refunds requested. The CRA is now working to recover some of the potentially $100 million lost in this scheme.

Another vulnerability highlighted by sources was the misuse of third-party EFILE credentials, where scammers obtained codes from accounting firms to access taxpayer accounts and change direct deposit information. The agency’s allowance for multiple users to use the same credentials made it difficult to identify the perpetrators.

The Fifth Estate/Radio-Canada investigation also revealed that the CRA may be targeting whistleblowers who spoke out about the weaknesses in fraud detection within the agency. If you have any tips on this story or were a victim of a hacked CRA account, please contact the reporters in confidence.

As the CRA faces scrutiny and calls for accountability from parliamentary committees, the agency must address these gaps in its fraud detection systems to protect taxpayers and prevent further losses due to fraudulent schemes.