'It went to a different bank altogether': Sask. woman one of thousands hit by CRA cyberattack
Jenn Fink says someone applied for CERB on her behalf using her Canada Revenue Agency Account
You may want to pay extra attention to any email you're getting from the Canada Revenue Agency.
That's after the federal government confirmed on Saturday the CRA was the target of at least two recent cyber attacks that saw more than 5,500 accounts linked to the agency's services compromised.
The CRA's My Account, My Business Account and Represent a Client were all affected by the incidents.
"The CRA quickly identified the impacted accounts and disabled access to these accounts to ensure the safety and security of the taxpayer's information," CRA spokesperson Christopher Doody wrote in an email to CBC News.
"The CRA is continuing to analyze both incidents. Law enforcement assistance has been requested from RCMP and an investigation has been initiated."
It appears some of the compromised accounts belong to people in Saskatchewan. Jenn Fink, a Regina resident, was one of the thousands of people who had their account compromised.
"On Tuesday, I was just checking my email and I got a legitimate email from CRA saying that my email address had essentially been removed from my account and that I wouldn't be getting any more notifications through this email address," she said.
"It was a legit email from CRA, I had recently received the same sort of style of email that told me my notice of assessment was ready when I did my taxes."
Changing devices, Fink began looking through her CRA account on her computer, and that's when she noticed changes on her account, including her direct deposit information.
"It went to a different bank altogether," said Fink.
Thinking the situation was weird, Fink then put a stop to the direct deposit options on the account, noting she was able to do so within an hour of getting the email.
"It all happened pretty quick, I just happened to check my email at the right time," she said.
She says whoever changed her direct deposit information changed it throughout her account, meaning any money she would be getting from the federal government would then be going into a mystery account.
Fink said she noticed some information about COVID-19, but initially thought it was just the federal government pushing information to the public. After feeling uneasy later in the day, she went back to her account, and that's when she realized someone had applied for the Canadian Emergency Response Benefit on her behalf.
"They changed my email first so I wouldn't get notification of the direct deposit changing or notification of the applications to CERB, so when I realized that they had made that application, I called CRA and they confirmed that, yeah, my account had been hacked."
Fink said neither she or the CRA knew how the account was hacked, but noted the file has been forwarded onto the CRA's investigation unit, with Service Canada advising her to flag her account with major credit unions, as information like her social insurance number may also have been compromised.
She's still waiting for a response from the CRA on how the account was compromised.
Credential stuffing
The incidents are a type of attack known as "credential stuffing," the Treasury Board's Office of the Chief Information Officer shared in a statement with CBC.
"These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts," the statement said.
Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.
"Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity," the statement said.
1/5 The GC has taken action in response to credential stuffing attacks mounted on the GCKey service and the CRA. <a href="https://t.co/KZhvFKFQot">pic.twitter.com/KZhvFKFQot</a>
—@DigitalCDN
Fink, however, says she has her CRA account set up through her bank, noting there have been no other suspect transactions and the sign in information she uses for that institution is not duplicated anywhere else.
"Nothing is out of the ordinary there, and it was just that one incident," she said.
Fink has also reported the incident to the Canadian Anti-Fraud Centre and the Regina Police Service, noting the person who took her report said they've had three other incidents of this nature.
COVID-19 fraud has become a growing issue in Canada. The Canadian Anti-Fraud Centre indicates there have been 2,770 Canadian reports of COVID-19 fraud, consisting of 1,729 Canadian victims between March 6 and July 31.
The RCMP has confirmed that its National Division, which investigates "sensitive, high-profile cases that threaten Canada's political, economic and social integrity," is actively looking into the attacks. The Office of the Privacy Commissioner of Canada is also monitoring the situation.
The CRA said it's sending letters to those affected by the incidents, explaining how to confirm their identity to regain control of their accounts. Individuals phoning the agency for help can select the "report suspected fraud or identity theft" option to fast-track their call.
The Canadian Anti-Fraud Centre estimates more than $5.5 million has been lost as a result of COVID-19 fraud.
With files from Raisa Patel and Bonnie Allen