It’s been more than two weeks since someone hacked into Tara McWilliams’s online account with the Canada Revenue Agency, applied for COVID-19 emergency benefits and arranged for the payments to be deposited into a bank account on the other side of the country.
Since then, the single mom from Port Coquitlam, B.C., has been working the phones, reporting the fraud to the CRA, police in two provinces, the B.C. government and TD Canada Trust, feeling like she was getting the runaround at every turn.
“I’ve reported to a lot of people. It’s been a lot of hours, I’ve missed two full days of work over it and still it’s not resolved,” McWilliams told CBC last week.
Despite her best efforts, two Canada Emergency Response Benefit (CERB) payments totalling $4,000 were issued in McWilliams’s name. She managed to change the banking information on her account just in time, but is now at a loss over what to do with the cheques that arrived in the mail last week.
“I just want this resolved and I don’t want this to happen to anybody else,” McWilliams said.
Statistics gathered by the federal government suggest something similar has happened to hundreds of other Canadians. By June 30, the Canadian Anti-Fraud Centre had received 713 reports of ID fraud linked to CERB, including 52 in B.C.
‘A tug of war all night’
For McWilliams, the ordeal began on July 24 when someone managed to access her CRA account. She learned about the breach three days later when she received an alert saying that her email address had been removed from the account.
When she logged in, she discovered that someone had filed an application for two CERB payments and set up direct deposit with an unfamiliar TD account in Toronto.
“My heart dropped because I knew I had not done it and I could also foresee a huge issue trying to get this sorted,” McWilliams said.
She tracked down a phone number to report the fraud, but discovered that the CRA office was closed for the day. She spent that night obsessively checking her online account, fixing the banking information every time she saw the fraudster change it.
“It was basically like a tug of war all night,” McWilliams said.
When she finally managed to get someone on the phone, they froze the account for her.
But it wasn’t until last Friday afternoon, two weeks after the fraudster first accessed her account, that McWilliams finally spoke with someone at CRA about opening an investigation.
Her account was still frozen, and she worried about how that would affect her Canada child benefit payments.
“That’s money you count on every month,” she said.
In an email, CRA communications officer Gurm Kundan acknowledged there has been an uptick in scams targeting taxpayer information in recent years, and said the agency is prioritizing calls from people like McWilliams who have been victims of fraud.
“We want to assure all confirmed victims of identity fraud that they will not be held responsible for any money paid out to scammers using their identity,” Kundan said.
“We will work with them to ensure that they are not negatively affected during the next tax filing season as a result of the fraudulent activities on their account.”
Passed back and forth between 2 police departments
After she first discovered the fraud, McWilliams called Coquitlam RCMP to report what had happened, but says she was told to contact Ontario Provincial Police because the new bank account was opened within their jurisdiction.
She then filed an online report with the OPP, who responded with an email informing her that, “Since you live in Coquitlam, this must be reported to the police in your jurisdiction.”
After CBC reached out to Coquitlam RCMP for comment on Friday, the detachment agreed to open a case.
Const. Deanna Law explained that in general, fraud should be investigated in the jurisdiction where it happens.
“Learning today that Ontario police … declined taking the file due to the complainant’s residential address being here in our jurisdiction and directed her back to Coquitlam RCMP, we will be happy to address the fraud that has taken place and contact the appropriate partner agencies,” Law wrote in an email.
While McWilliams was waiting for action from police and the federal government, she also tried to sort out the fraudulent banking information that had been connected to her account.
She said she visited her local TD branch three times to report what had happened and ask for an update on the fraudster’s account. The only concrete action she managed to get was freezing her own bank accounts in case they had been breached as well, McWilliams said.
On Friday, a TD spokesperson told CBC that the bank had reviewed the matter with the owner of the Toronto account and “taken action” on it, but couldn’t provide more details about what action was taken.
Questions still unanswered
How the scammer accessed McWilliams’s account remains a mystery.
“The CRA account is pretty secure… I’ve never used that password for anything else,” McWilliams said.
She worries it may have happened using the information on her B.C. Services Card, which can now be used to log into a CRA account.
But Minister of Citizens’ Services Anne Kang said the B.C. Services Card has “robust security features” that prevent something like this from happening.
“Ministry staff have looked into this matter and determined there is no evidence of B.C. Services Cards being compromised and used to access Canada Revenue Agency accounts fraudulently,” Kang said in an emailed statement.
In order for someone to use one of these cards to log into a CRA account, they need to create a mobile version of their card, which requires video verification of identity that is reviewed by trained staff.
Nonetheless, the ministry does investigate reports of possible fraud related to mobile cards, and has the power to freeze someone’s account while that happens.
McWilliams said that when she called the citizens’ services ministry to report her suspicions, none of that happened, and she was told it was CRA’s issue to deal with.
For now, her advice to fellow Canadians is to check your online CRA account obsessively, though she worries that isn’t an option for everyone.
“What about the people that don’t have the resources to deal with this? Some people don’t even have Internet access,” McWilliams said.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.