Chris Chezepock thought he was making a simple call to unlock his online taxpayer account when he rang up the Canada Revenue Agency on Wednesday morning.
Instead, the 31-year-old Toronto man discovered that his identity had been hijacked, with a CRA agent informing him that his banking information had been changed and that two fraudulent applications had been made under his name for the Canada Emergency Response Benefit.
“It was quite a stressful morning, because I’m thinking what about my credit cards, what about everything?” Mr. Chezepock said.
He is one of nearly 800,000 Canadians who have had their accounts locked by the CRA over security concerns in recent months. And he is also part of an unhappy and growing subset: the more than 10,000 taxpayers whose accounts have been illicitly accessed by hackers, using stolen log-in credentials to try to obtain CERB benefits.
It’s not yet clear how successful those fraudulent efforts were in obtaining CERB benefits, worth $2,000 a month for a maximum payout of $14,000. In a statement, the CRA did not directly respond to a question about how many fraudulent CERB payments had been obtained. But the agency did note that taxpayers who fall prey to these identity theft attacks will not be responsible for any unauthorized claims, and that it is strengthening security protocols for user log-ins.
Mr. Chezepock said the CRA agent he spoke to wasn’t sure whether the two claims submitted under his name resulted in any payments being made – or whether a tax slip is headed his way that would require him to pay income tax on any benefits. CRA agents told him repeatedly not to worry, and that he could disregard any tax slip; he’s finding it hard to take the advice not to fret.
Part of his frustration comes from the CRA’s lack of clarity, and part comes from the subdued wording in a warning letter the agency sent to affected Canadians. The letter does not mention the phrase “identity theft.” Instead, it states that “user IDs and passwords may have been acquired and used by external actors to gain access to the personal information included in your CRA My Account.” The letter later notes that recipients should check their accounts for “any suspicious activity, such as changes to your direct deposit and address information.”
That wasn’t enough to set off alarm bells for Mr. Chezepock when he received an initial letter from the CRA in the fall. Earlier this month, he called to obtain a second letter, with a verification code allowing him to unlock his accounts.
Now, Mr. Chezepock is belatedly scrambling to inform his financial institutions and others about the possible vulnerability of his online credentials. He would have acted much more quickly if the CRA had issued a stronger warning, he said. “I would have hoped they would have been far more up front.”
Cybersecurity expert David Shipley said the push to pay out tens of billions in pandemic support benefits by electronic deposit has made agencies such as the CRA an obvious target for hacker attacks. “They’ve become banks as well as a tax agency,” said Mr. Shipley, chief executive officer and co-founder of Fredericton-based Beauceron Security Inc. (The company supplies cybersecurity services to Canadian government entities, but not to the CRA.)
But government agencies devote far fewer resources to cybersecurity than do private financial institutions, he said.
According to the federal government’s Canadian Anti-Fraud Centre, complaints of identity fraud nearly doubled in 2020 over 2019, rising to 17,032 reported cases from 8,641. CERB-specific complaints accounted for more than four-fifths of the increase.
Jeff Thomson, senior RCMP intelligence analyst at the centre, said the surge in CERB-related identity theft complaints has continued into 2021, with total cases logged since March hitting 10,237, including preliminary data for February.
There has been a pattern of persistent cyberattacks on the federal government that has stretched over months, including a fresh warning from the Treasury Board of Canada Secretariat last Friday.
The first news of cyber incursions came in August, when the Treasury Board Secretariat said thousands of accounts that individuals used to access services (including CRA accounts) had been compromised through credential-stuffing attacks, which attempt to use passwords and user names harvested by hackers elsewhere to illicitly log on.
In February, the CRA locked the accounts of 187,000 individuals after an analysis indicated that unauthorized third parties might have obtained user names and passwords.
The agency stressed that the security of its own site had not been breached but that it locked the accounts as a precautionary measure after its online monitoring indicated that unauthorized third parties had obtained log-in credentials from other websites that could match up with those taxpayers using the CRA’s portal.
On March 12, the CRA warned that it was locking an additional 612,000 accounts over the same concerns and noted that such preventative measures might become more frequent.
And on Friday, the Treasury Board disclosed a separate threat involving an attack on a private-sector company that does business with the federal government. The CRA was not among the affected government departments, according to an e-mail from the Treasury Board.
Mr. Shipley said more attacks should be expected, in Canada and elsewhere. “There is obviously a well-organized criminal group, or a series of criminal groups, now targeting governments.”