The Ontario Court of Appeal has ruled that a university student who fraudulently obtained more than CA$41 million in tax refunds should have been sentenced to 36 months' jail time, rather than the original 13 month-sentence he received, the Toronto Sun reports. Nonetheless, the court decided to spare the individual any further jail time, stating that it could not justify additional punishment.
The offender, now 30, pleaded guilty in 2018 to filing fraudulent tax forms, falsely representing himself as an official from various corporate entities in a scam that began in 2013. The multimillion-dollar refunds were deposited into his personal accounts, though bank diligence prevented him from accessing the bulk of the funds. The Ontario man managed to withdraw just CA$15,000, which he later paid back to the Canadian Revenue Agency (CRA).
Although there's room for debate on the severity of this fraudster's sentence, audit analysis should focus on how the fraud was committed and what might be done to prevent it from occurring in the future. The method used represents a unique form of phishing/mail fraud, and the ease with which the Ontario man perpetrated it against the CRA is somewhat alarming.
The offender simply downloaded publicly available forms from the CRA website to redirect direct deposits made to several large corporations — including Coca Cola Ltd. and Shell Canada Ltd. — to his own accounts. He placed his personal banking information on the form and mailed it to the CRA. Refunds amounting to more than CA$41 million relating to the Goods and Services/ Harmonized Sales Tax were then paid into his accounts. He apparently needed to make numerous phone calls, falsify information, and impersonate others to succeed, but it worked — until the banking institutions caught on to the scheme.
This case illustrates a variation of a newer form of phishing fraud, where fraudsters use emails/communications (increasingly well written, cordial, and free of misspellings and grammatical errors) purporting to come from CEOs, chief financial officers, or payroll directors. The fraudsters seek to convince officials to change the bank account and routing information used for direct deposit of checks. This kind of fraud is growing because it can more easily bypass many existing technical controls. Plus, if the perpetrator steals smaller sums, the victim organization may just fold it into the cost of doing business.
The CRA — and perhaps other tax agencies around the world — needs to review and strengthen controls over its direct deposit system, if it has not already done so. That could be accomplished simply by limiting the access to corporate direct deposit processes, such as requiring them to be managed via CRA's My Business Account process. My Business Account is more secure than public websites and forms, while still facilitating electronic transactions. Whether the agency prefers a secure electronic account process or continues to use a more public method, additional verification methods need to be applied — particularly where a new or changed set of banking information is involved. Some of the verification methods to prevent direct-deposit phishing scams include:
Finally, employee education should cover areas such as:
- Common social engineering and phishing techniques.
- Basic cybersecurity hygiene.
- Strategies for identifying phishing attacks, including new variations.
- Ways to safeguard personal and corporate information.
- Unsafe online behavior.