CRA leadership knew of major gaps in fraud detection as agency paid out bogus refunds, records show

In early 2024, senior officials at the Canada Revenue Agency (CRA) expressed concern that the agency had authorized fraudulent refunds amounting to tens of millions of dollars. Confidential briefing notes revealed that the CRA was struggling with significant "gaps" in its ability to detect and prevent fraud, including a previously undisclosed scheme that potentially led to $100 million in fake payouts since November 2023.

The CRA was aware of "major risks" in its fraud detection systems, and one of the most serious weaknesses identified was the ability of imposters to pose as accountants or tax preparers and hack into taxpayer accounts. An internal memo stated that these gaps impaired the agency’s ability to detect suspicious activity in a timely manner, leading to undetected fraud, unauthorized access, and alterations to accounts. This situation not only resulted in financial losses but also jeopardized Canadians' privacy and could damage the CRA’s public image, the memo warned.

Although concerns were raised internally about the risks, including resource limitations, the CRA continued to publicly assure that its fraud detection systems were robust. Revenue Minister Marie-Claude Bibeau maintained that the agency had strong systems in place to handle fraud, claiming that the CRA could effectively block fraud attempts, inform those affected, and ensure proper follow-up.

However, sources familiar with the situation indicated that the CRA had understated the scale of the fraud. These insiders revealed that the figures presented to the public about bogus refunds were misleading, with one source stating, "It literally benefits nobody to hide the reality."

In response to these revelations, parliamentary committees have called for Minister Bibeau and senior CRA officials to testify about the failures in fraud detection, particularly after reports of hackers accessing tens of thousands of taxpayer accounts and causing the CRA to pay out millions in fraudulent refunds.

One major issue identified by insiders was the CRA’s failure to verify basic documentation before approving refunds. Fraud was often detected only after the fact, with banks sometimes notifying the CRA of suspicious deposits. Other frauds came to light when taxpayers attempted to file their returns only to discover that a scammer had already filed and altered personal details, including direct deposit information.

Several victims of hacked accounts have reported poor treatment by the CRA, with some feeling that the agency did not take their concerns seriously. One individual, A.J. Blauer, a high school teacher in Ottawa, said he struggled to get through to the CRA when he noticed suspicious changes to his account. He described how the CRA showed little concern and failed to follow up on the information he provided that might have helped identify the scammer.

In November 2023, the CRA detected a scam involving false claims of tax deductions linked to income from trusts. By late April 2024, the scheme had led to $128 million in fraudulent refund requests. Despite efforts to recover some of these payments, sources estimate the losses from this scheme at $100 million.

A critical flaw in the CRA’s fraud detection was the exploitation of third-party EFILE credentials, which are special codes given to tax preparers. Fraudsters were able to obtain these codes, hack into taxpayer accounts, and change direct deposit information, leading to numerous fraudulent refunds. One of the key issues was that multiple users within an accounting firm could access the same EFILE number and password, making it difficult to trace the source of the fraud.

The CRA has also been accused of trying to identify whistleblowers who may have spoken to the media about these issues. Some sources believe that the agency is engaged in a "witch hunt" against those who exposed the vulnerabilities in its fraud detection systems.