​The Refund Cheat

A scheming university student siphons tax refunds from several large corporations.

Comments Views

The Ontario Court of Appeal has ruled that a university student who fraudulently obtained more than CA$41 million in tax refunds should have been sentenced to 36 months' jail time, rather than the original 13 month-sentence he received, the Toronto Sun reports. Nonetheless, the court decided to spare the individual any further jail time, stating that it could not justify additional punishment.

The offender, now 30, pleaded guilty in 2018 to filing fraudulent tax forms, falsely representing himself as an official from various corporate entities in a scam that began in 2013. The multimillion-dollar refunds were deposited into his personal accounts, though bank diligence prevented him from accessing the bulk of the funds. The Ontario man managed to withdraw just CA$15,000, which he later paid back to the Canadian Revenue Agency (CRA).

Lessons Learned

Although there's room for debate on the severity of this fraudster's sentence, audit analysis should focus on how the fraud was committed and what might be done to prevent it from occurring in the future. The method used represents a unique form of phishing/mail fraud, and the ease with which the Ontario man perpetrated it against the CRA is somewhat alarming.

The offender simply downloaded publicly available forms from the CRA website to redirect direct deposits made to several large corporations — including Coca Cola Ltd. and Shell Canada Ltd. — to his own accounts. He placed his personal banking information on the form and mailed it to the CRA. Refunds amounting to more than CA$41 million relating to the Goods and Services/ Harmonized Sales Tax were then paid into his accounts. He apparently needed to make numerous phone calls, falsify information, and impersonate others to succeed, but it worked — until the banking institutions caught on to the scheme.

This case illustrates a variation of a newer form of phishing fraud, where fraudsters use emails/communications (increasingly well written, cordial, and free of misspellings and grammatical errors) purporting to come from CEOs, chief financial officers, or payroll directors. The fraudsters seek to convince officials to change the bank account and routing information used for direct deposit of checks. This kind of fraud is growing because it can more easily bypass many existing technical controls. Plus, if the perpetrator steals smaller sums, the victim organization may just fold it into the cost of doing business.

The CRA — and perhaps other tax agencies around the world — needs to review and strengthen controls over its direct deposit system, if it has not already done so. That could be accomplished simply by limiting the access to corporate direct deposit processes, such as requiring them to be managed via CRA's My Business Account process. My Business Account is more secure than public websites and forms, while still facilitating electronic transactions. Whether the agency prefers a secure electronic account process or continues to use a more public method, additional verification methods need to be applied — particularly where a new or changed set of banking information is involved. Some of the verification methods to prevent direct-deposit phishing scams include:

  • Implement a two-step or multifactor verification process.
  • Require administrators, including IT, to monitor unusual activity, such as changes made to contact and banking information on a large number of accounts over a short period.
  • Create a policy that, after a change to banking information, requires a temporary reversion to paper check and/or direct contact with the requestor or bank involved.
  • Ensure that login credentials required for changes in account/banking information are different from credentials used for other purposes.

Finally, employee education should cover areas such as:

  • Common social engineering and phishing techniques.
  • Basic cybersecurity hygiene.
  • Strategies for identifying phishing attacks, including new variations.
  • Ways to safeguard personal and corporate information.
  • Unsafe online behavior.
Art Stewart
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author

 

 

Art StewartArt Stewart<p>​Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.​​​</p>https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx

 

Comment on this article

comments powered by Disqus
  • GEICO_September 2019_Premium 1__
  • Chartered Prof Acct Canada_Sept2019_Preimum 2
  • IIA CERT CIA_September 2019_Premium 3