Chris Chezepock had the nasty shock last year of finding out he was one of the thousands of taxpayers whose online accounts with the Canada Revenue Agency had been accessed by hackers looking to fraudulently obtain pandemic benefits.
And this month, he got a second shock: a tax bill for fraudulent claims of $4,000 in Canada Emergency Response Benefit payments that were made in his name, but paid to someone else.
Mr. Chezepock was one of nearly 800,000 Canadians who have had their accounts locked by the CRA over security concerns from the fall of 2020 through to the early months of 2021. And he was among the more than 10,000 taxpayers whose accounts were illicitly accessed by hackers, using stolen log-in credentials to try to obtain CERB benefits.
Mr. Chezepock had thought he’d resolved the issue last spring, after extensive discussions with CRA agents that included assurances the agency realized he was a victim of fraud. There was no need to worry about a tax bill, he was told.
That turned out not to be true. “I’m beyond frustrated,” he said in an interview. A reassessment of his 2020 tax returns flipped from a refund of $2,095.35 to a debt of $1,817.39, including $80.80 in interest.
Luckily for Mr. Chezepock, that frustration turned out to be short-lived. Within a business day of a reporter mentioning his case to the CRA, the debt claim was reversed, although no explanation was given to him.
Why 1.7-million CERB recipients who did everything right may still owe up to $2,000
The CRA says it does not track how many taxpayers are in the same boat as Mr. Chezepock, but in an e-mail asserted that such cases are exceptional. And the agency stressed that taxpayers who are confirmed to be victims of identity theft won’t ultimately be on the hook for any resulting tax debt.
Mr. Chezepock’s conundrum dates back to last March, when he contacted the CRA to unlock his online taxpayer account, in what he thought was a simple administrative issue. Instead, the Toronto man found out that his identity had been hijacked.
His banking information had been changed, and two fraudulent applications for CERB payments had been made under his name.
The CRA’s security itself was not breached in such cases, the agency said last year. It said that it locked illicitly accessed accounts as a precautionary measure after its online monitoring indicated that unauthorized third parties had obtained log-in credentials from other websites that could match up with those taxpayers using the CRA’s portal. The accounts of 187,000 individuals were locked last February, and another 612,000 accounts in mid-March of last year.
In its statement, the CRA said it delayed sending T4A tax slips for CERB payments, which would trigger reassessments and generate a tax liability, to those who were suspected of being victims of identity fraud. The agency also said it tried several times to reach any affected taxpayer by telephone before deeming a file “unanswered” and issuing a T4A slip.
The agency said taxpayers who are confirmed to be victims of identify theft will not be responsible for repaying any funds paid out to fraudsters, and that it is committed to resolving any such incidents.
Mr. Chezepock said a CRA agent reassured him last year that he would not owe any taxes on the CERB payments taken out in his name. And he said he had not been contacted by the CRA this year, despite the agency’s statement that it attempts to do so multiple times before issuing a reassessment. “I didn’t receive a single call, nothing in the mail,” he said.
However, the CRA statement did acknowledge the possibility of cases such as that of Mr. Chezepock, saying that a taxpayer could be reassessed as owing payment for CERB benefits if there was a delay in the agency receiving requested information or in responding to correspondence.
Once the taxpayer’s identity can be confirmed, the reassessment will be rescinded and the resulting tax debt extinguished, the agency said.