The Canada Emergency Response Benefit (CERB) is the financial support from the Government of Canada for Canadians who are directly affected by COVID-19. The Canada Revenue Agency (CRA) is responsible for managing applications and payments for the CERB to Canadians. As of August 30, 2020, the CRA received 24.68 million applications from 8.70 million unique applicants for a total value of $72.55 billion (CAD).
Unfortunately, there are also many fraudulent applications. Some people claim the CERB twice through different platforms or are just not eligible. The Government of Canada seems to have faith, and hope that most of them are honest mistakes. It’s then possible for Canadians to refund any amounts on the CRA website.
In my opinion, many people tried to request the CERB, mostly at the beginning, and see if they would receive “free” money deposited in their bank account. Most of them probably thought that was it with no more verification after the initial deposit. After a few weeks, the Government mentioned that more verification would be done in the upcoming months, and people would have to refund any amounts that should not have been paid by the CRA. After all, CERB applications are normally tied to a Social Insurance Number (SIN).
The fraud triangle is a common concept used to explain why someone decides to commit fraud with three elements. The CERB and COVID-19 situation answer all these elements:
- Opportunity: weak controls implemented by the Government when requesting the CERB;
- Pressure: financial difficulties during uncertain times;
- Rationalization: 1) the gain is more important than the possibility that someone might be caught by the Government, or 2) someone could convince itself that the Government already has billions, and one more application would not make a difference.
However, there is also the claim made by criminals, with identity theft, where they would request the CERB on behalf of someone else with stolen personal information. It’s easier to perform identity theft these days with all the security breaches, and all the information available online.
This happened to me. Someone, criminals, used my personal information to apply 3 times for the CERB. I still don’t have all the details. So, it’s my current understanding of the situation. But I wanted to share my experience since it could help other people too.
Last April, I received a prepaid Visa card from KOHO. A few weeks before, I had a look at KOHO website since I’m always curious about new fintech companies. I thought, maybe, I finally opened up an account with them, and since I was moving during this chaotic time, I did not think too much about that card for 2-3 weeks. When finally moved to the new place, I had a chat with the customer support at KOHO since I was not able to figure out my account with them. It was not so much a conversation since I had to wait many hours between some responses. They were not able to confirm my identity to retrieve access to the account. Some mismatch information, mostly on the occupation. On the third day, someone called me from the fraud department at KOHO. She confirmed that someone used my identity to open up this account to receive two payments for the CERB. They closed the account since they were able to detect, and confirm, the fraud. I, fortunately, did not have to prove anything else. But I was not able to obtain more information either on the situation from them.
After that, I went on the CRA website, and log in to my account. I was really surprised to see 3 applications for CERB. Someone used my SIN to make 3 different applications. At the same time, I discovered that my bank information was not the right one. The financial institution was the Peoples Trust of Canada. At first, to be honest, I thought it was related to the Government of Canada, and it was somehow a mistake with the system. So, I simply updated my information. A few days later, I received a deposit in my current chequing account for the third CERB application. The application made by criminals was still in progress when I updated my information. So, I was able to refund that amount to the Government.
Peoples Trust of Canada is the financial institution used by KOHO to hold money for KOHO clients. But, how someone could update my bank information with the CRA? This is the most troubling event in all this situation. Could someone have logged into my CRA account? No, I have a random string of more than 20 characters as my password in a vault secured with a physical key. Someone could have called the CRA phone line, and requested to update the bank information? I hope not, that would be too easy. My last guess is through KOHO and the Peoples Trust of Canada. They have a feature where someone could have access to the CERB payments faster, with a KOHO account. Someone would have first to apply with the CRA for the CERB, and after that, it’s mostly to provide the full name, date of birth, and Social Insurance Number (SIN) on a specific page on their website.
It seems that the CRA has a partnership with some financial institutions. In this case, Peoples Trust of Canada, to update the bank account information on the CRA file. This is my understanding when on the KOHO Help Center, there is the question, “Do I need to provide the CRA with my direct deposit form?” with the answer, “No, KOHO will handle the set up of receiving direct deposits from the CRA to your KOHO account for you.” In summary, “It’s really easy, we will update the information on your behalf even if it’s not really you.”
So, it seems that our bank account information filled with the CRA also depends on financial institutions and fintech companies. I would have thought the Canada Revenue Agency would have been enough. I guess we have to hope that they all have the right security and fraud controls implemented. Even more, I never received any emails from the CRA for the bank account information update or about the 3 CERB applications. Absolutely nothing.
When I recently had a look at my TransUnion credit report, I saw a request by the motusbank in April or May. So, again something that I don’t recognize. In Quebec, Equifax is more popular, so I don’t look at TransUnion as often. After a call with motusbank, they were able to quickly confirm that someone else opened this account on my behalf to move money related to the CERB payments, and they closed the account. I was not able to get too much information but it seems that someone used this account only for 2 payments related to the CERB. I guess, and hope, this account was used only to transfer money out from KOHO/Peoples Trust of Canada to the motusbank account. After that, criminals probably moved money around from this account to other accounts not related to my name to blur more and more traces.
After 2 calls to the CRA, close to 2 hours waiting time each time, there is a note in my CRA file about the situation, and someone, someday, will investigate these applications. But, apparently, there is nothing else to do. However, there are still 3 payments for the CERB, $2000 each, for a total of $6000 showing in my CRA account. Even if I refunded the last payment.
Of course, with these unprecedented times, the Government of Canada had to provide emergency funds quickly to the population. And, security and fraud measures were not, at first, the highest priority in this situation. But, after a few months, it could have been possible to fix a few things. I understand that the CRA had to provide different channels to make a request for the CERB e.g. on the CRA website, the automated phone line, etc. It’s simply not possible to assume that everyone has a CRA online account, or could open one.
However, if someone already had a CRA online account, this person is already able to use the website. Why this person would use the automated phone line? It doesn’t make sense. It would have been simple enough to make it mandatory for everyone with an existing CRA online account to go through the process there.
Finally, be careful. A quick check on your CRA account could help to identify possible fraudulent CERB applications. Also, everyone should regularly look at their credit reports i.e. Equifax and TransUnion. Don’t always trust alerts with these companies.
Here is a summary of these events:
- Someone opened an account with KOHO with my information;
- Someone make requests for the CERB with the automated phone line;
- Someone provided my SIN on KOHO for a faster deposit into the KOHO account;
- With that faster deposit service, and KOHO using Peoples Trust Company (PTC) for bank accounts, my bank account information is somehow updated within my CRA file with a bank account from PTC;
- Someone transferred money from the KOHO account to the motusbank account;
- I updated my bank account information with the correct one;
- I received a deposit for the third CERB application since I updated my bank information just in time;
- I refunded that last payment;
- There are still 3 CERB applications mentioned in my CRA account and someone stole 2 payments.